Job Description
Responsibilities
About the team:
The Privacy and Data Protection Office (PDPO) leads, supervises, and empowers all of TikTok's privacy work in an accountable and industry-leading way. The team is the in-house expert on the privacy risk landscape and partners across the company to implement the safeguards and technical mitigations that ensure users privacy is honoured across TikTok's products and platforms.
The Global Privacy Red Team within PDPO is looking for a senior red team engineer who can operate independently from day one - driving complex assessments end-to-end, pioneering new techniques to surface privacy risks at scale, push the state of the art in offensive privacy testing and help TikTok continue to raise the bar on user privacy.
What you'll do:
- Threat model privacy concepts (consent, data sharing, data minimization, purpose limitation, retention, sovereignty, product privacy, etc.) into concrete adversarial scenarios, then design and execute red team engagements against those scenarios
- Conduct deep, hands-on technical assessments and penetration tests of internal and external-facing systems, products, and services, with a focus on bypassing user privacy expectations from the perspective of an external attacker
- Identify exploitable issues across the data lifecycle - how data flows internally between services and how it is shared with external parties - and demonstrate impact end-to-end.
- Research emerging privacy threats and attack techniques; develop new testing methodologies and abuse cases ahead of them landing in production.
- Partner with engineering and product teams to integrate privacy-preserving controls throughout the SDLC, and translate findings into actionable, prioritized remediation guidance.
- Research and analyze emerging threats in privacy, proactively identifying mitigation strategies and testing methodologies to protect user data.
- Help shape the practices, processes, and documentation that define how privacy red teaming is done at TikTok, both internally and with cross-functional working groups.
- Build tooling, scripts, and frameworks to scale privacy-focused assessments and automate recurring checks.
Knowledge, Skills & Abilities:
- Strong fundamentals in computer science, offensive security (especially appsec), security engineering, and privacy engineering.
- Ability to reason about privacy as an attacker: turning abstract concepts (consent, data sharing, minimization, retention) into concrete, testable abuse cases.
- Strong manual secure code review skills, with an eye for privacy-specific bugs in addition to traditional appsec issues.
- Comfortable working across heterogeneous stacks and unfamiliar codebases.
- Ability to operate independently, prioritize across competing engagements, and drive complex assessments to completion.
- Excellent written and verbal communication, with experience working cross-functionally with engineering, legal, and compliance partners.
Qualifications
Minimum Qualifications:
- 5+ years of hands-on experience as an offensive penetration tester / red teamer
- Demonstrated depth in application security and mobile security pentesting
- Demonstrated depth in red team exercises, APT simulations and cloud systems
- Experience performing manual secure code review on production codebases.
- Track record of leading complex technical assessments end-to-end as an individual contributor - threat modeling, scoping, executing, and technical reporting.
- Working knowledge of core privacy concepts such as data minimization, data sovereignty, data sharing, consent, and privacy policies, with the ability to translate them into security testing scenarios.
- Familiarity with major privacy regulations (e.g., GDPR, CCPA) and how they map to technical controls. Ability to understand and apply foundational privacy concepts in a security testing context.
Preferred Qualifications:
- Experience pentesting across several different technology stacks (web, mobile, backend services, cloud).
- Strong working knowledge of privacy concepts such as data minimization, data sovereignty, data sharing, consent, and privacy policies - and the ability to threat model around them to find privacy-specific vulnerabilities.
- Working understanding of privacy regulations and compliance requirements (e.g., GDPR, CCPA), and how they translate into technical controls.
- Deep understanding and experience with common offensive testing frameworks such as MITRE ATT&CK.
- Proficiency in a scripting language for tooling, automation, and code review at scale.
- Visible contributions to the security or privacy community — public research, talks, blog posts, bug bounty findings, CVEs, OSS tooling, etc.
About TikTok
TikTok is the leading destination for short-form mobile video. At TikTok, our mission is to inspire creativity and bring joy. TikTok's global headquarters are in Los Angeles and Singapore, and we also have offices in New York City, London, Dublin, Paris, Berlin, Dubai, Jakarta, Seoul, and Tokyo.
Why Join Us
Inspiring creativity is at the core of TikTok's mission. Our innovative product is built to help people authentically express themselves, discover and connect – and our global, diverse teams make that possible. Together, we create value for our communities, inspire creativity and bring joy - a mission we work towards every day.
We strive to do great things with great people. We lead with curiosity, humility, and a desire to make impact in a rapidly growing tech company. Every challenge is an opportunity to learn and innovate as one team. We're resilient and embrace challenges as they come. By constantly iterating and fostering an Always Day 1 mindset, we achieve meaningful breakthroughs for ourselves, our company, and our users. When we create and grow together, the possibilities are limitless. Join us.
Diversity & Inclusion
TikTok is committed to creating an inclusive space where employees are valued for their skills, experiences, and unique perspectives. Our platform connects people from across the globe and so does our workplace. At TikTok, our mission is to inspire creativity and bring joy. To achieve that goal, we are committed to celebrating our diverse voices and to creating an environment that reflects the many communities we reach. We are passionate about this and hope you are too.
