Senior Security Engineer
PheedLoop
Software Engineering
Toronto, ON, Canada
Guard the tech behind live events
A note from our President
“We’re a small team that punches way above our weight. If you’ve ever been frustrated watching great ideas get stuck in bureaucracy, you’ll love it here because we ship! Most engineers spend their careers building things users tolerate. We're building things they depend on - the kiosk someone walks up to at a conference of 5,000 people, the dashboard an organizer is staring at backstage, the badge that prints the moment someone checks in. When our software works, nobody notices. When it doesn't, the whole event feels it. That pressure is what makes this job genuinely exciting. We're a small team, we move fast, and we're looking for someone who wants to own real problems - not tickets. Come build something people genuinely love using.”
Who we are
PheedLoop powers live events around the world. From intimate campus summits to major trade shows, we give organizers the tools to run smarter, more connected events - check-in kiosks, badge printing, mobile apps, and engagement tools that work together as a single ecosystem.
We're not building software people use by obligation. Event organizers choose PheedLoop because it works when it matters most, and that bar pushes us to build better every day.
What you'll build
- Think like an attacker every day. Run internal red team engagements against PheedLoop's platform, infrastructure, and people, then turn every finding into a fix that actually ships. Your job is to find the cracks before anyone else does.
- Plan and execute realistic attack simulations end-to-end, from reconnaissance to post-exploitation. Document the path in, the blast radius, and what would have stopped you, so the whole company learns from every engagement.
- Harden the software supply chain. Build the controls, tooling, and processes that keep us safe from poisoned libraries and malicious tools. Audit dependencies, lock down CI/CD, and kill credential sprawl wherever it hides.
- Lock down the developer workstation as a first-class attack surface. Set the bar for endpoint hardening, extension hygiene, secret management, and least-privilege access across every machine that touches production.
- Lead incident response when something looks wrong, from first signal to full root cause. Run threat hunts proactively, write the playbooks, and make sure the same compromise never lands twice.
- Compound a real security culture by inoculation. Run phishing simulations and partner with every team so secure defaults become the obvious choice, not the annoying one.
- Partner closely with Engineering, SRE, and leadership to translate findings into roadmap items, threat models into architecture decisions, and security wins into things the business can feel.
- Stay ahead of the threat landscape. Follow active campaigns, new CVEs, and emerging attacker tradecraft, and bring what matters back into how we build and operate.
What we're looking for
- 3+ years in offensive security, red teaming, penetration testing, or a closely adjacent role, with real hands-on engagements you can speak to in depth.
- Strong fundamentals across web app and API security (OWASP Top 10 inside and out), authentication and authorization flaws, network attacks, and post-exploitation techniques.
- Working knowledge of supply chain attack patterns — package compromise, dependency confusion, typosquatting, malicious IDE extensions — and the controls that actually catch them.
- Comfort in modern stacks like Python / Django, React, and AWS. You don't need to be a senior software engineer, but you can read application code, understand a deployment pipeline, and reason about cloud misconfigurations.
- Solid scripting skills in Python, Bash, or similar. You write your own tooling when off-the-shelf doesn't cut it, and you automate the boring parts of every engagement.
- Hands-on experience with common offensive tooling and the judgment to know when to reach past them.
- Ownership mindset. You can scope your own work, prioritize what matters, and drive findings to closure without waiting to be told what to do next.
- Sharp written communication. You can turn a complex attack chain into a report engineers want to fix and a summary leadership actually reads.
- Calm, ethical, and discreet. You handle sensitive findings the right way and understand that the goal is to make the company stronger, not to dunk on anyone.
- Certifications like OSCP, CRTO, GPEN, or similar are nice to have, not required. Demonstrated experience and a strong portfolio matter more.
Perks that hit different
🩺 100% employer-paid health coverage
🚇 Office directly on the TTC subway - one of Toronto's easiest commutes
🚀 Clear path to technical leadership as the team scales
🍜 Team lunches, learning events, and regular outings
🏗️ High-ownership culture - small team, immediate impact, no layers between you and the work
Ready to build something that matters?
Your impact here won't be "someday." It'll be the morning of a 15,000-person conference when everything works because you built it. Learn more about what it’s like to work at PheedLoop by visiting our Careers Page.
Notes:
This is a recruitment posting for an existing vacancy. And we don't use AI or automated tools to screen applications. A real person reads every application.