Senior Security Research Engineer

Company: Automattic

About the Company: Automattic is the company behind WordPress.com, WooCommerce, Beeper, Tumblr, Simplenote, Jetpack, Pocket Casts, Day One, and more. Now in its 20th year with 1,500+ employees in nearly every corner of the globe. Fully remote — no office, open vacation policy, and a genuine commitment to open source.

Job Category: Cybersecurity / Security Research / WordPress Ecosystem

Contract Type: Full-Time, Permanent

Location: Remote — Worldwide

Salary: $70,000–$170,000 USD (global, paid in local currency)

Application Link: https://job-boards.greenhouse.io/automatticcareers/jobs/7847202

Posted: May 11, 2026 (marked "New" on Greenhouse)

Job Description: You'll analyze vulnerable and malicious code, track emerging threats, and help build the tools and processes that detect, prevent, and remediate malware and other security issues across the WordPress ecosystem. WP Cloud powers WordPress at scale, and you'll be supporting security for WP Cloud while also contributing to WPScan and Jetpack Protect.

Key Responsibilities:

• Analyze vulnerable and malicious PHP code and track emerging security threats across the WordPress ecosystem
• Investigate vulnerabilities, conduct threat modeling, and identify common attack vectors (XSS, injection, hijacking, social engineering)
• Build tools and processes that detect, prevent, and remediate malware at scale
• Contribute to code reviews and architecture/design discussions
• Use AI tools effectively to accelerate security analysis and improve solution quality
• Travel 2–3 weeks per year to meet with teammates in person

Requirements:

• 3+ years of experience as a security researcher, or equivalent experience investigating vulnerabilities, malware, or other threats
• Understanding of threat models, security threats, vulnerabilities, and attack vectors
• Experience with PHP and some exposure to software engineering
• Strong ability to use AI tools effectively to accelerate work and improve analysis quality
• Highly collaborative, with a love for code reviews and architecture discussions

Nice to have: Penetration testing experience, previous work with malware detection systems, vulnerability disclosure history, WordPress plugin/theme development experience.

Benefits: Fully remote, open vacation policy, global salary (paid in local currency), comprehensive benefits by country (see automattic.com/benefits).