Crux For Technical Talent

Build Your Career in Cybersecurity - YOUR WAY

01.
Contract/fractional
Want flexibility and variety? Indicate your target areas of work and your availability, and we will match you with opportunities.
You name your own bill rate. You control what you make.
02.
Contract to hire
Sometimes it makes sense both ways to 'try before you buy.' We will match you up with opportunities that allow you to get to know a company and the people before committing to a full-time role.
03.
Full time
Get matched with full-time job opportunities via our job board and proprietary roles that we are recruiting for.

How it works

01.
Join Crux
02.
Help us get to know you
03.
Access jobs custom tailored to you
04.
Receive ongoing career resources and guidance
05.
Find work you love

Recent Jobs

Managing Director Americas Head of Information Security
BNP Paribas
State: New Jersey
Remote Elig.: On-site
Seniority: Executive
Domain: Cross-domain/ leadership
Salary ($K): 290.00 - 350

Chief Information Security Officer
Trupanion
State: Washington
Remote Elig.: Hybrid
Seniority: Executive
Domain: Cross-domain/ leadership
Salary ($K): 200.00 - 250

Deputy CISO
New Relic
State: Oregon
Remote Elig.: Hybrid
Seniority: Executive
Domain: Cross-domain/ leadership
Salary ($K): 202.00 - 252

State: Virginia
Remote Elig.: On-site
Seniority: Senior
Domain: Penetration testing
Salary ($K): 150 - 224
Protect and Defend

Summary Information about the Role

At Freddie Mac, you will do important work to build a better housing finance system and you’ll be part of a team helping to make homeownership and rental housing more accessible and affordable across the nation.

Position Overview:

The Freddie Mac Red Team is responsible for testing the overall strength of our organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker. We are seeking an Information Security Tech Lead to assist the team by providing subject matter expertise in penetration testing of infrastructure and networks, web applications, cloud and social engineering, and Purple Team. In this role, the candidate will provide enhanced vulnerability analysis and contextual feedback to stakeholders to support the resolution of discovered vulnerabilities and facilitate risk awareness.

Company Overview

Today, Freddie Mac makes home possible for one in four home borrowers and is one of the largest sources of financing for multifamily housing. Join our smart, creative and dedicated team and you’ll do important work for the housing finance system and make a difference in the lives of others.

We are an equal opportunity employer and value diversity and inclusion at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, disability status or any other characteristic protected by applicable law. We will ensure that individuals with differing abilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Please contact us to request accommodation.

A safe and secure environment is critical to Freddie Mac’s business. This includes employee commitment to our acceptable use policy, applying a vigilance-first approach to work, supporting regulatory mandates, and using best practices to protect Freddie Mac from potential threats and risk. Employees exercise this responsibility by executing against policies and procedures and adhering to privacy & security obligations as required via training programs.

  • Simulate real-world threat actors targeting the organization’s people, processes, and technology to expose risk within the environment.
  • Develop custom exploits, tooling, and infrastructure to evade defensive controls and further team objectives.
  • Go beyond Nessus scanning to lead red team assessments and penetration tests, playing a critical role in their success.
  • Work closely with defensive analysts to update detections and ensure adequate coverage after an operation is complete.
  • Collaborate with stakeholders to scope prospective engagements and provide thorough out-briefings after assessments are complete. Provide guidance on vulnerability remediation and track progress through to completion.
  • Contribute to the development and improvement of security policies, standards, and guidelines.
  • Demonstrate a team-oriented mindset adept at learning the latest technologies; train and mentor less experienced team members on penetration tactics and techniques.
  • Generate innovative ideas and challenge the status quo.
  • Develop scripts, tools, or methodologies to enhance the Red teaming processes and capabilities.
  • Participate in and actively support mentoring with other members of the team.
  • Assist with scoping prospective engagements, leading engagements from kickoff through remediation, and mentoring less experienced staff.

Required Qualifications

  • 8-10 years of relevant experience performing penetration testing, offensive security assessments, and Purple Team engagements.
  • One or more technical certifications: OSCP, OSWE, OSED, OSEP, OSEE, GPEN, CRTO, GXPN, or similar.
  • Experience with one or more object-oriented languages (C/C++, C#, Go, etc.).
  • Working knowledge of one or more scripting languages (Python, PowerShell, BASH, etc.).
  • Experience bypassing modern defensive controls such as EDRs, network defenses, email filters, etc.
  • Experience creating custom tools and modifying existing tools to automate workflows and simulate threat actor activities.
  • Experience hunting for vulnerabilities and developing exploits.
  • In-depth knowledge of cloud technologies as they relate to crafting red team infrastructure and offensive security testing.
  • Advanced usage of Cobalt Strike or a similar C2 framework, including creation of Aggressor Scripts, Beacon Object Files (BOF), and associated infrastructure.

Preferred Qualifications

  • Leadership
  • Strong communication skills
  • Ability to work independently, as well as effectively work in teams with individuals with a variety of skills and backgrounds

Current Freddie Mac employees please apply through the internal career site.

Notice to External Search Firms: Freddie Mac partners with BountyJobs for contingency search business through outside firms. Resumes received outside the BountyJobs system will be considered unsolicited and Freddie Mac will not be obligated to pay a placement fee. If interested in learning more, please visit www.BountyJobs.com and register with our referral code: MAC.

Time-type: Full time

FLSA Status: Exempt

Freddie Mac offers a comprehensive total rewards package to include competitive compensation and market-leading benefit programs. Information on these benefit programs is available on our Careers site.

This position has an annualized market-based salary range of $150,000 - $224,000 and is eligible to participate in the annual incentive program. The final salary offered will generally fall within this range and is dependent on various factors including but not limited to the responsibilities of the position, experience, skill set, internal pay equity and other relevant qualifications of the applicant.

State: Virginia
Remote Elig.: On-site
Seniority: Senior
Domain: Penetration testing
Salary ($K): 150 - 224
Protect and Defend

Position Overview:

The Freddie Mac Red Team is responsible for testing the overall strength of our organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker. We are seeking an Information Security Tech Lead to assist the team by providing subject matter expertise in penetration testing of infrastructure and networks, web applications, cloud and social engineering, and Purple Team. In this role, the candidate will provide enhanced vulnerability analysis and contextual feedback to stakeholders to support the resolution of discovered vulnerabilities and facilitate risk awareness.

Company Overview:

At Freddie Mac, you will do important work to build a better housing finance system and you’ll be part of a team helping to make homeownership and rental housing more accessible and affordable across the nation.

Today, Freddie Mac makes home possible for one in four home borrowers and is one of the largest sources of financing for multifamily housing. Join our smart, creative and dedicated team and you’ll do important work for the housing finance system and make a difference in the lives of others.

  • Lead and perform web application penetration assessments, collaborating with stakeholders to scope engagements, translate complex security concepts, and provide tailored remediations
  • Proactively search for vulnerabilities in web applications, web APIs, cloud environments, etc. throughout Freddie Mac
  • Work together with other Red Team members to integrate web application security into broader threat emulation scenarios
  • Develop and maintain scripts, tools, and methodologies to enhance processes and capabilities
  • Provide mentorship and technical guidance to less experienced team members
  • Contribute to the development and improvement of security policies, standards, and guidelines

  • Generate innovative ideas and challenge the status quo
  • Develop scripts, tools, or methodologies to enhance the Red teaming processes and capabilities
  • Participate in and actively support mentoring with other members of the team
  • Assist with scoping prospective engagements, leading engagements from kickoff through remediation, and mentoring less experienced staff

Required Qualifications

  • 8-10 years of relevant experience in web application penetration testing
  • One or more technical certifications: OSWA, OSWE, Burp Suite Certified Practitioner, eWPT, eWPTX
  • Ability to critically examine web applications to identify, exploit, and remediate vulnerabilities (SQL injection, XSS, SSRF, CSRF)
  • Solid understanding of related web technologies (HTTP, DNS, HTML, JavaScript, REST, GraphQL, Java, .NET, SQL/noSQL, OAuth) and infrastructure (cloud native, containers, proxies, webservers, PaaS)
  • In-depth knowledge of secure development practices (DevSecOps, secure code review) and security frameworks (OWASP, CWE, MITRE)
  • Proficient with common web application penetration testing tools (Burp Suite, Project Discovery, sqlmap)
  • Familiarity with WAF bypasses

Preferred Qualifications

  • Web-related public research (advisories, disclosures)
  • Previous Bug Bounty or vulnerability disclosure experience
  • Proficiency in at least one scripting or programming language (Python, JavaScript, C#, Java)

Current Freddie Mac employees please apply through the internal career site.

We are an equal opportunity employer and value diversity and inclusion at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, disability status or any other characteristic protected by applicable law. We will ensure that individuals with differing abilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Please contact us to request accommodation.

A safe and secure environment is critical to Freddie Mac’s business. This includes employee commitment to our acceptable use policy, applying a vigilance-first approach to work, supporting regulatory mandates, and using best practices to protect Freddie Mac from potential threats and risk. Employees exercise this responsibility by executing against policies and procedures and adhering to privacy & security obligations as required via training programs.

CA Applicants:  Qualified applications with arrest or conviction records will be considered for employment in accordance with the Los Angeles County Fair Chance Ordinance for Employers and the California Fair Chance Act.

Notice to External Search Firms: Freddie Mac partners with BountyJobs for contingency search business through outside firms. Resumes received outside the BountyJobs system will be considered unsolicited and Freddie Mac will not be obligated to pay a placement fee. If interested in learning more, please visit www.BountyJobs.com and register with our referral code: MAC.

Time-type: Full time

FLSA Status: Exempt

Freddie Mac offers a comprehensive total rewards package to include competitive compensation and market-leading benefit programs. Information on these benefit programs is available on our Careers site.

This position has an annualized market-based salary range of $150,000 - $224,000 and is eligible to participate in the annual incentive program. The final salary offered will generally fall within this range and is dependent on various factors including but not limited to the responsibilities of the position, experience, skill set, internal pay equity and other relevant qualifications of the applicant.

State: Virginia
Remote Elig.: On-site
Seniority: Senior
Domain: Identity & access management
Salary ($K): 154 - 232
Oversee and Govern

Position Overview:

The Identity and Access Management (IAM) Senior tech lead is responsible for leading engineering-related initiatives to build, enhance, and deliver IAM products and services focused on access provisioning, deprovisioning, access reviews, authentication, identity management, privileged access and service account management, monitoring, and reporting. The candidate must be a strategic thought leader, overseeing and implementing industry-standard best practices applicable to Freddie Mac’s environment. The lead must oversee the development of security solutions that adhere to applicable policies and comply with information security requirements.

Company Overview:

At Freddie Mac, you will do important work to build a better housing finance system and you’ll be part of a team helping to make homeownership and rental housing more accessible and affordable across the nation.

Today, Freddie Mac makes home possible for one in four home borrowers and is one of the largest sources of financing for multifamily housing. Join our smart, creative and dedicated team and you’ll do important work for the housing finance system and make a difference in the lives of others.

  • As part of IAM solution architecture and engineering team, you should drive business outcomes through tech solutions, must understand the business objectives (intended outcomes) and must identify feasible solutions that will enable/further those outcomes.
  • Collaborate with Enterprise Architecture and Risk & Security groups to ensure new and existing solutions are aligned with enterprise standards.
  • Formulate and manage a business and resource plan for the team to ensure appropriate resources are aligned to support IAM strategic plans, goals, and objectives.
  • Partner with business and IT customers to drive product research and RFP/vendor interviews from a technical perspective, and communicate business cases for TAWG/ARB approvals.
  • Work with other development leads on design brainstorming and design review to ensure alignment with current authentication patterns and standards.
  • Drive and adopt a culture driven by data - where key performance indicators are gathered from top to bottom and fed to automated.

Required Qualifications:

  • Bachelor’s degree in computer science, Information Technology, or related field or equivalent work experience
  • Minimum 10 years’ experience with developing and implementing identity and access management tools and solutions.
  • Minimum 8 years’ experience managing and developing strong information security and/or technology teams.
  • Understanding of IAM relevant technical solutions (such as SailPoint, MFA-Ping, Privileged Access Management: CyberArk). Fine-grained authentication policy enforcement and standardization via PlainID.
  • Demonstrated experience with infrastructure technologies including Cloud, Lightweight Directory Access Protocol (LDAP), Security Assertion Markup Language (SAML), and MFA/SSO.

Preferred Qualifications:

  • Ability to think strategically and communicate effectively at the most senior levels of the company to communicate the value and benefit of IAM solutions.
  • Specific experience with NIST, PCI, or other information security related framework.
  • Ability to convey technical information to all groups and individuals concisely and clearly both verbally and in writing to individuals with limited technical experience.
  • CISSP, CISM, Cloud Security (CCSP, CCSK), or other information security related certification(s).
  • Customer service driven, quality focused, and collaborative with effective and persuasive written and oral communication skills.

We are an equal opportunity employer and value diversity and inclusion at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, disability status or any other characteristic protected by applicable law. We will ensure that individuals with differing abilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Please contact us to request accommodation.

A safe and secure environment is critical to Freddie Mac’s business. This includes employee commitment to our acceptable use policy, applying a vigilance-first approach to work, supporting regulatory mandates, and using best practices to protect Freddie Mac from potential threats and risk. Employees exercise this responsibility by executing against policies and procedures and adhering to privacy & security obligations as required via training programs.