We are looking for junior application security specialists to join a growing security team at
Xsolla. This is a hands-on role where you will work closely with senior specialists to identify,
assess, and help remediate security vulnerabilities across our products and infrastructure.
You will be involved in day-to-day AppSec work - code reviews, vulnerability triage, threat
modeling, and security testing. You are curious, detail-oriented, and eager to develop deep
expertise in application security. You do not need to have all the answers, but you ask the right
questions and follow through.
This is a strong learning environment. You will be exposed to real-world security challenges in a
payment platform operating at scale, and supported by experienced security specialists who will
help you grow.
Responsibilities
- Triage Security Findings - Assess incoming bug bounty reports and scanner findings.
Evaluate validity, calculate real severity, and escalate appropriately with clear written
summaries.
Assist with Vulnerability Assessments - Participate in security assessments of web
applications and APIs. Help identify and document risks in new features and existing
systems.
Write Clear Security Documentation - Document findings, reproduce steps, and
remediation guidance in a way that engineering teams can act on.
Support Threat Modeling - Participate in threat modeling sessions. Learn to identify
trust boundaries, data flows, and attack surfaces in system designs.
Monitor Security Tools - Help operate SAST, DAST, and dependency scanning tooling.
Track findings, reduce noise, and support remediation workflows.
Support Code Reviews - Review code for common vulnerability classes under guidance
of senior specialists. Learn to identify security issues across PHP, Python, and Go
codebases.
Stay Current - Follow developments in the security community. Bring awareness of new
vulnerability classes, CVEs, and attack techniques relevant to our stack.
What You Bring
- Web Security Fundamentals - Solid understanding of common vulnerability classes:
OWASP Top 10, CSRF, XSS, IDOR, SQL injection, open redirect, authentication and
session management weaknesses. You understand root causes, not just names.
Web and Browser Fundamentals - Solid understanding of how web applications work:
HTTP request/response cycle, client-server model, REST APIs, how browsers handle
same-origin policy, cookies and their attributes, and CORS. This is the foundation
everything else builds on.
Security Testing Tools - Hands-on experience with Burp Suite or similar web
application security testing tools. You have used them to intercept, modify, and replay
requests - not just run automated scans.
Vulnerability Documentation - Able to reproduce a vulnerability and write it up clearly:
reproduction steps, proof of concept, and impact statement. Findings that engineering
teams cannot reproduce or understand do not get fixed.
Secure Development Awareness - Familiarity with foundational secure coding
concepts: input validation, output encoding, parameterized queries, and least privilege.
Code Readability - Ability to read and follow code in at least one language relevant to
web security - PHP, Python, JavaScript, or Go. You don't need to be a developer, but you
need to follow logic and spot security-relevant patterns.
Analytical Thinking - You reason through problems methodically. You can explain not
just what a vulnerability is but why it exists, how it is exploited, and what fixing it
actually requires.
Clear Written Communication - You write findings and summaries that are precise,
reproducible, and useful to the engineers who need to act on them.
Curiosity and Initiative - You dig into problems rather than stopping at the surface.
When something looks wrong, you investigate before concluding.
Nice to Have
- Participation in bug bounty programs or CTF competitions
Basic scripting ability for automation - Python or Bash
Familiarity with CI/CD pipelines and where security tooling fits
Exposure to cloud environments - GCP, AWS, or Azure
Relevant coursework or certifications - eWPT, CEH, or similar entry-level credentials
