Penetration Tester

TL;DR: We're looking for a world-class Penetration Tester with a name in the field. You'll push Lovable's platform to its limits, hunt vulnerabilities across our AI pipelines and user-generated code, and make sure attackers never get there before you do.

Why Lovable?

Lovable lets anyone and everyone build software with any language. From solopreneurs to Fortune 100 teams, millions of people use Lovable to transform raw ideas into real products - fast. We are at the forefront of a foundational shift in software creation, which means you have an unprecedented opportunity to change the way the digital world works. Over 2 million people in 200+ countries already use Lovable to launch businesses, automate work, and bring their ideas to life. And we’re just getting started.

We’re a small, talent-dense team building a generation-defining company from Stockholm. We value extreme ownership, high velocity, and low-ego collaboration. We seek out people who care deeply, ship fast, and are eager to make a dent in the world.

What we’re looking for

• 12+ years of hands-on penetration testing experience across web, mobile, APIs, and cloud infrastructure.

• A track record the field knows about: CVEs to your name, hall-of-fame credits in major bug bounty programs, or a reputation that precedes you.

• Deep expertise in offensive security techniques: OWASP, MITRE ATT&CK, exploit development, privilege escalation, and lateral movement.

• Hands-on experience using AI as part of your hacking workflow — not just testing AI systems, but actively leveraging it as an offensive tool.

• Experience attacking AI-native products or LLM-integrated systems, including prompt injection, model abuse, and data exfiltration vectors.

• Strong understanding of cloud environments (GCP, AWS, Cloudflare) and the attack surfaces they introduce.

• Ability to translate complex findings into clear, prioritised reports that engineering teams can act on immediately.

• Low ego, high output. You collaborate as naturally as you compete against systems.

• Bonus: experience with red team operations, supply chain attacks, or mobile security (iOS/Android). Familiarity with SAST/DAST tooling.

What you’ll do

• Own offensive security end-to-end: plan and execute penetration tests across Lovable's web platform, mobile surface, APIs, cloud infrastructure, and AI pipelines.

• Break our AI before others do: probe LLM integrations for prompt injection, jailbreaks, data leakage, and novel attack vectors unique to AI-generated code running in live products.

• Stress-test user-generated code at scale: identify systemic vulnerabilities introduced when millions of users create and deploy real applications on Lovable.

• Turn findings into action: work directly with engineering to prioritise, remediate, and verify fixes, closing the loop between discovery and resolution.

• Raise the security bar org-wide: run internal red team exercises, contribute to threat modelling, and embed an attacker's mindset across the engineering culture.

• Help make Lovable the most secure AI product in the market.

Our Tech Stack

• Frontend: React and TypeScript

• Backend: Golang and Rust

• Cloud: Cloudflare, GCP, AWS, Modal, multiple LLM providers

• DevOps & Tooling: GitHub Actions, Grafana, OTEL, infra-as-code (Terraform)

• Data: Clickhouse, Firestore, Spanner, BigQuery

And we're always exploring what's next!

About your application

Please submit your application in English. It’s our company language, so you’ll be speaking lots of it if you join.

We treat all candidates equally - if you’re interested, please apply through our careers portal.