Are you ready to join the team that uncovered zero-days in AWS, reverse-engineered novel Linux malware, and built Tracee — the first open-source eBPF-based runtime security agent?

We’re seeking a Security Researcher with deep expertise in low-level Linux internals and eBPF-based detection development.

Your mission: analyze Linux malware and extract behavioral detections that expose attacker activity — even in the most ephemeral cloud-native systems.

Team Nautilus, the threat research group at Aqua Security, leads cutting-edge investigations into cloud-native threats — from exposing stealthy, fileless malware like HeadCrab to building kernel-level defenses for containerized environments. Our work shapes open-source tools, influences cloud provider security, and protects workloads across the Fortune 500.

Core Responsibilities

• Research and analyze sophisticated attack techniques targeting Linux-based cloud-native systems (Kubernetes, containers, serverless).

• Build low-level behavioral detections using eBPF, focused on malware execution, privilege abuse, persistence, and evasion techniques.

• Prototype observability and response capabilities at the kernel layer, contributing directly to tools like Tracee.

• Analyze Linux malware and extract behavioral detections to inform threat detection logic and strengthen defensive capabilities.

• Collaborate with engineering teams to translate research into production-grade detection pipelines and runtime protections.

Specialized Focus Areas

• Design and develop eBPF-based sensors that trace syscall activity, privilege escalation paths, network tampering, and stealthy behaviors.

• Track emerging malware families targeting cloud-native infrastructure and extract TTPs from live samples and honeypot environments.

• Contribute original research to the community through technical blogs, CVEs, conference presentations, or open-source code contributions.

Requirements:

• 5+ years in security research, with a strong focus on Linux malware analysis, behavioral detection, and system internals.

• Proven experience writing eBPF-based detection logic for runtime monitoring and threat visibility.

• Deep knowledge of Linux kernel internals, syscall interfaces, and OS-level attack surfaces.

• Proficiency in C (especially for kernel-level or low-level systems programming) and Python (for tooling, analysis, and automation).

• Familiarity with cloud-native technologies such as containers, Kubernetes, and serverless workloads.

• Strong understanding of adversary tradecraft in Linux environments, including malware persistence and evasion strategies.

• Excellent written and verbal communication skills.

• A proactive, creative mindset that thrives on discovering and neutralizing novel threats.

Preferred Qualifications (Bonus)

• Experience with kernel tracing frameworks (e.g., eBPF, kprobes, tracepoints, LSM hooks).

• Familiarity with tools like Ghidra, IDA Pro, Radare2, or dynamic malware analysis sandboxes.

• Understanding of MITRE ATT&CK for Containers or Cloud, threat modeling, and detection engineering principles.

• Track record of public research contributions (e.g., CVEs, technical write-ups, conference talks, or open-source projects).

• Experience analyzing security gaps in cloud services, IAM configurations, or container orchestration systems.

⸻

Why Join Aqua & Team Nautilus?

• Work with the creators of Tracee, the industry’s first open-source eBPF agent for cloud-native runtime security.

• Investigate real-world threats, build detections that matter, and protect workloads at global scale.

• Contribute research that influences cloud providers, security standards, and open-source communities.

• Be part of a company where research drives the roadmap — not the other way around.