Security Researcher – API Security

At F5, we strive to bring a better digital world to life. Our teams empower organizations across the globe to create, secure, and run applications that enhance how we experience our evolving digital world. We are passionate about cybersecurity, from protecting consumers from fraud to enabling companies to focus on innovation.

Everything we do centers around people. That means we obsess over how to make the lives of our customers, and their customers, better. And it means we prioritize a diverse F5 community where each individual can thrive.

At F5, we make applications faster, smarter, and safer. We are seeking an experienced API Security Researcher to join our Security Threat Research group. In this role, you will help shape the future of secure applications by conducting cutting-edge research, penetration testing, and developing mitigation strategies for emerging API threats. You will collaborate with a dynamic, highly skilled team to analyze vulnerabilities, Develop and refine detection mechanisms for emerging threats and attack patterns., and enhance the security of F5 products.

Key Responsibilities:

• Research emerging OWASP API Top 10 threats and evolving API security challenges to strengthen our proprietary API security solution.
• Continuously analyze customer use cases and deployment scenarios to enhance and adapt our API Security Solution features.
• Gather, mine, and interpret large-scale API traffic data—both from our internal environments and customer deployments—to detect malicious behaviors, attack patterns, and zero-day vulnerabilities.
• Collaborate with analytics and data science teams to translate findings into actionable improvements within our API Security Solution, optimizing detection and prevention capabilities.
• Design, develop, and maintain internal security research tools that uncover vulnerabilities in APIs and microservices, ensuring these tools integrate seamlessly with our existing API Security Solution and data pipelines.
• Create automated workflows to analyze API logs, identify anomaly patterns, and generate real-time alerts or dashboards for internal stakeholders.
• Collaborate with engineering teams to incorporate research-driven enhancements into our internal tools, strengthening overall API threat detection and response.
  
  

Qualifications:

• Bachelor’s or Master’s degree in Computer Science, Cybersecurity, or a related field—or equivalent practical experience.
• 3+ years of hands-on experience in API security research, penetration testing, or application security.
• In-depth knowledge of API protocols and technologies (REST, GraphQL, gRPC, SOAP), as well as authentication and authorization mechanisms (OAuth, JWT, OpenID Connect).
• Familiarity with core web security principles (HTTP, networking, TLS) and common API security frameworks (OWASP API Security Top 10).
• Proven ability to identify, analyze, and exploit vulnerabilities in APIs, web applications, and security products.
• Proficiency in one or more programming/scripting languages (Python, Java, JavaScript, etc.) for building custom security tools and POCs.
• Experience with a variety of security testing tools (Burp Suite, Postman, OWASP ZAP, AppScan, WebInspect).
• Ability to automate tasks and conduct data-driven analysis to detect threat patterns in large-scale API traffic logs.
• Strong problem-solving skills with the ability to write clear, actionable technical documentation and reports.
• Proven track record of effectively communicating complex security concepts to technical and non-technical audiences.
  
  

Preferred Skills:

• CEH, OSCP, or API-specific credentials that demonstrate deep, hands-on security expertise.
• Experience with WAF evasion techniques, security research focused on API and web products, and detailed knowledge of advanced threat techniques.
• Background in threat modeling and an understanding of modern microservice designs.
• Contributions to security-focused projects, either proprietary or open source (e.g., internal tools, automation frameworks).
• Familiarity with API gateway solutions (Apigee, API Connect, Kong) and the ability to integrate or customize these for enhanced security.
  
  

Why F5? At F5, you’ll join a passionate, innovative team tackling real-world security challenges. You’ll work in a fast-paced environment where your research will have a direct impact on shaping the future of secure applications. If you're passionate about security, innovation, and solving complex problems, F5 is the place to grow your career.

The Job Description is intended to be a general representation of the responsibilities and requirements of the job. However, the description may not be all-inclusive, and responsibilities and requirements are subject to change.

Please note that F5 only contacts candidates through F5 email address (ending with @f5.com) or auto email notification from Workday (ending with f5.com or @myworkday.com).

Equal Employment Opportunity

It is the policy of F5 to provide equal employment opportunities to all employees and employment applicants without regard to unlawful considerations of race, religion, color, national origin, sex, sexual orientation, gender identity or expression, age, sensory, physical, or mental disability, marital status, veteran or military status, genetic information, or any other classification protected by applicable local, state, or federal laws. This policy applies to all aspects of employment, including, but not limited to, hiring, job assignment, compensation, promotion, benefits, training, discipline, and termination. F5 offers a variety of reasonable accommodations for candidates. Requesting an accommodation is completely voluntary. F5 will assess the need for accommodations in the application process separately from those that may be needed to perform the job. Request by contacting accommodations@f5.com.