Vulnerability Research - Principal Application Security Analyst - Senior Vice President

Citi is a preeminent banking partner for institutions with cross-border needs, a global leader in wealth management, and a valued personal bank in its home market of the United States. Citi does business in more than 160 countries and jurisdictions, providing corporations, governments, investors, institutions, and individuals with a broad range of financial products and services.

Citi is seeking a highly skilled and experienced application security analyst with a specialized focus on vulnerability research, third‑party component analysis, and advanced whitebox testing methodologies, including comprehensive source code review. The successful candidate will play a critical role in identifying, exploiting, and providing remediation guidance for complex security vulnerabilities within Citi’s diverse technology landscape. This role demands deep technical expertise, a proactive approach to security challenges, and the ability to work collaboratively with development teams to enhance the security posture of our applications and infrastructure.

This team specializes in conducting deep‑dive penetration testing on a variety of Citi applications (Web, Mobile, Thick Client, and APIs) by manually identifying, researching, validating, and exploiting various known and unknown application security vulnerabilities.

As a principal application security analyst on our Offensive Security & Vulnerability Management team, you are responsible for:

• Vulnerability Research & Exploitation: Conduct in‑depth research to discover new attack vectors and zero‑day vulnerabilities in enterprise applications, systems, and third‑party components. Develop proof‑of‑concept exploits to effectively demonstrate risk.
• Whitebox Penetration Testing: Perform comprehensive whitebox penetration tests, leveraging access to source code, design documentation, and internal system knowledge to uncover sophisticated security flaws that blackbox testing might miss.
• Source Code Review: Conduct manual and automated source code reviews across various programming languages (e.g., Java, C#, Python, JavaScript) to identify security vulnerabilities, misconfigurations, and adherence to secure coding practices.
• Third‑Party Component Analysis: Evaluate the security of third‑party libraries, frameworks, and open‑source components integrated into Citi’s applications. Identify known vulnerabilities (e.g., CVEs) and assess potential risks.
• Remediation Guidance: Provide clear, concise, and actionable remediation recommendations to development teams, offering expert advice on secure coding, configuration, and architectural solutions.
• Tooling & Automation: Utilize and contribute to the development of advanced security testing tools, static analysis (SAST), and dynamic analysis (DAST) solutions to improve efficiency and coverage.
• Reporting & Communication: Prepare detailed technical reports outlining findings, risk levels, and recommended mitigations for both technical and non‑technical audiences.
• Mentorship & Knowledge Sharing: Mentor junior penetration testers and security engineers, sharing expertise in vulnerability research, source code analysis, and whitebox testing techniques.
• Stay Current: Continuously research and stay abreast of the latest security threats, vulnerabilities, attack techniques, and industry best practices.

• 8+ years of experience in penetration testing, ethical hacking, or application security, with a significant focus on whitebox testing and/or source code review.
• Proven expertise in vulnerability research, including the ability to identify novel vulnerabilities and develop reliable exploits.
• Strong proficiency in at least one major programming language (e.g., Java, C#, Python) and familiarity with others.
• In‑depth understanding of common web application vulnerabilities (OWASP Top 10) and API security best practices.
• Experience with static application security testing (SAST) tools and dynamic application security testing (DAST) tools.
• Strong understanding of cloud computing platforms (AWS, Google Cloud, Azure) and experience in securing applications and infrastructure deployed in these environments.
• Experience with microservices architecture and securing containerized applications (e.g., Docker, Kubernetes).
• Experience with mobile application penetration testing (iOS and Android).
• Excellent written and verbal communication skills, with the ability to articulate complex security issues to diverse audiences.
• Ability to work independently and as part of a team in a fast‑paced, dynamic environment.
• Relevant industry certifications such as OSCE, GIAC GWAPT, GPEN, GXPN, or similar.

An ideal candidate will have both an engineering and security background. However, irrespective of your current role, if you have a Bachelor’s or Master’s degree in Computer Science, Information Security, or a related field, or equivalent practical experience and meet most of the above‑listed requirements, then don’t miss this opportunity to join our team. Apply today!

Citi is an equal opportunity employer, and qualified candidates will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, status as a protected veteran, or any other characteristic protected by law.

If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi.
View Citi’s EEO Policy Statement and the Know Your Rights poster.