Director of Offensive Security
Job Description
The Company
NorthMark Compute & Cloud (NMC²) is backed by dedicated leadership and investment, with a clear mission as it operates at the bleeding edge of technology. Its goal is to scale and enhance the high-performance computing (HPC) and cloud infrastructure that supports its clients’ research, production, and delivery, enabling breakthroughs that shape the industries of tomorrow. Its engineers build critical infrastructure to eliminate friction in scientific research, simulations, analysis, and decision-making, accelerating discovery and driving faster innovation.
The Position
The Director of Offensive Security reports directly to the CISO and owns continuous adversarial validation of the NMC² production environment. This is not a scheduled pentest function or a compliance-checkbox red team. You will build and run a standing offensive capability that operates against production with authorization, emulates named threat actors relevant to our customer base and infrastructure class, and produces independent, evidence-backed assessments of whether our controls work under realistic attack conditions.
This function operates as an independent line of assurance within the Security organization, with a direct reporting relationship to the CISO. To preserve objectivity, assessment findings are delivered to the CISO without editorial review by the teams whose controls or systems are under evaluation. Security Engineering, Platform Engineering, and Security Architecture receive findings as remediation owners.
Responsibilities:
Build and run a continuous red team program against the production NMC² environment: HPC clusters, multi-tenant Kubernetes, bare-metal provisioning infrastructure, customer network fabric, identity plane, and the internal control surface itself (SIEM, EDR, IAM, PAM)
Execute adversary emulation campaigns aligned to MITRE ATT&CK v15 TTPs relevant to our threat model: financially motivated access brokers (e.g., TTP sets associated with initial access brokers targeting financial services customers), APT groups with demonstrated interest in research computing and scientific workloads, and insider threat scenarios covering privileged operator abuse
Independently validate detection and response efficacy: every red team operation produces a detection coverage report measured against the SOC and IR functions, including time-to-detect, time-to-contain, and detection gap inventory by ATT&CK technique ID
Own the purple team feedback loop: every undetected TTP becomes a tracked detection engineering deliverable with an owner and SLA; every detected-but-unresponded TTP becomes a tracked IR playbook deliverable
Run continuous attack surface validation against production, not just pre-production, with a documented rules-of-engagement framework, blast radius controls, and CISO-level authorization gates for destructive or high-risk techniques
Lead threat-led penetration testing of the HPC-specific attack surface: Slurm and workload manager abuse, GPU driver and firmware attack paths, InfiniBand and RDMA fabric isolation, scheduler privilege escalation, cross-tenant lateral movement in shared compute, and scientific software supply chain compromise
Own offensive validation of cloud and Kubernetes controls: IAM boundary testing, cross-account and cross-tenant escape attempts, container breakout chains, service mesh bypass, admission controller evasion, and secrets management integrity
Drive threat modeling at design stage for new platform capabilities and major architecture changes, producing adversarial design reviews that the CISO signs off on before build
Manage the external pentest and red team vendor portfolio: scoping, vendor selection, quality control of deliverables, and integration of external findings into the internal remediation tracking system
Build and maintain the offensive tooling stack including custom implants, C2 infrastructure, and internal exploit development capability, with clear controls on tool custody, source code management, and destruction protocols
Define and publish offensive security KPIs to CISO and board level: coverage against MITRE ATT&CK technique inventory, mean time to compromise from assumed-breach scenarios, control validation pass rate by control family, remediation velocity on P1 and P2 findings, and repeat finding rate
Issue formal assessment reports using CWE classification, CVSS v3.1 base and environmental scoring, and explicit exploitation evidence; findings are attestations, not suggestions
Champion an adversarial engineering culture across Platform and Security Engineering through documented attack patterns, regular internal briefings, and integration of offensive findings into developer tooling and CI/CD gates
Requirements:
15+ years in offensive security with demonstrated hands-on depth across at least three of: network penetration testing, red team operations, cloud penetration testing, application exploitation, hardware and firmware attack research, or advanced adversary emulation
5+ years leading offensive security teams, including direct accountability for hiring specialized offensive talent, managing operational security of red team infrastructure, and operating under formal rules of engagement against production systems
Demonstrated red team leadership against mature target environments: environments with functioning SOC, EDR, and IR capability, not greenfield pentest targets
Deep operational fluency with MITRE ATT&CK v15 and ATT&CK Navigator for coverage mapping, adversary emulation planning using frameworks such as MITRE CALDERA or Atomic Red Team, and purple team execution models
Hands-on capability with production-grade offensive tooling: C2 frameworks (Cobalt Strike, Mythic, Sliver, or equivalent), exploitation frameworks, custom tool development, and operational security for red team infrastructure
Strong command of cloud and container offensive tradecraft: Kubernetes attack paths, cloud IAM privilege escalation chains, service mesh and sidecar abuse, and multi-tenant isolation testing
Fluency with CWE, CVSS v3.1 and v4.0, OWASP Top 10, SANS CWE Top 25, and the CIS Controls v8 Penetration Testing domain (Control 18)
Experience integrating offensive findings into engineering workflow systems (Jira or equivalent) with enforceable SLA tracking, not report-and-walk-away engagements
Demonstrated ability to execute offensive work against production with appropriate authorization, blast radius control, and executive communication discipline
Exceptional written communication: findings must stand up to scrutiny from engineering leadership who will push back, and from auditors and customers who will consume the output
Preferred:
OSCP, OSEP, OSED, GXPN, GPEN, or CRTO certifications; CISSP alone is not sufficient evidence of hands-on offensive capability
Prior experience building an offensive security function from scratch, not inheriting an existing one
HPC, bare-metal, or hyperscale data center offensive assessment experience
Published CVE credits, conference talks (DEF CON, Black Hat, OffensiveCon, REcon), or public offensive research
Background in threat intelligence consumption for adversary emulation planning (CTI-led red teaming)
Experience with sovereign cloud, export-controlled, or financial services customer environments
It is impossible to list every requirement for, or responsibility of, any position. Similarly, we cannot identify all the skills a position may require since job responsibilities and the Company’s needs may change over time. Therefore, the above job description is not comprehensive or exhaustive. The Company reserves the right to adjust, add to or eliminate any aspect of the above description. The Company also retains the right to require all employees to undertake additional or different job responsibilities when necessary to meet business needs.
Must be legally authorized to work in the United States without the need for employer sponsorship, now or at any time in the future.
Benefits & Perks:
Company-Paid Lunch Stipend: Lunch is provided via GrubHub
Company-Paid Benefits: 100% Employer-Paid Medical in our High Deductible Health Plan, Dental and Vision benefits for employees and their families, 16 weeks of Paid Parental Leave, Employee Assistance Program, Life insurance, Short-Term Disability and Long-Term Disability
401(k): Company will match 100% of your contributions up to 6%
Optional Employee-Paid Benefits: Medical insurance in our PPO plan and a variety of other benefits such as Health Savings Accounts (with Company Contribution!), Flexible Spending Accounts, Supplemental Life Insurance, Wellhub and more.
Time Off: 25 days of Paid Time Off plus 12 company holidays
EQUAL OPPORTUNITY EMPLOYER
NORTHMARK STRATEGIES LLC IS AN EQUAL EMPLOYMENT OPPORTUNITY EMPLOYER. THE COMPANY'S POLICY IS NOT TO DISCRIMINATE AGAINST ANY APPLICANT OR EMPLOYEE BASED ON RACE, COLOR, RELIGION, NATIONAL ORIGIN, GENDER, AGE, SEXUAL ORIENTATION, GENDER IDENTITY OR EXPRESSION, MARITAL STATUS, MENTAL OR PHYSICAL DISABILITY, AND GENETIC INFORMATION, OR ANY OTHER BASIS PROTECTED BY APPLICABLE LAW. THE FIRM ALSO PROHIBITS HARASSMENT OF APPLICANTS OR EMPLOYEES BASED ON ANY OF THESE PROTECTED CATEGORIES.