If you have questions about Fluid Attacks
products or the selection
process, please read through the FAQ
list. You might find the answer
to your question here:
Before Entering
1. I already applied in a job portal.
Why haven’t I been invited to the process?
After you apply to a position listed on any of the portals we are
registered in, it takes from 1
to 2
days for us to identify
potential candidates, classify them, and send invitations via email. If
you apply and have not received an invitation or other notification
after 2 consecutive business days, and you believe your profile fits the
position, send us an email query at
[email protected].
2. The test application won’t allow me to exit Moodle. What should I do?
If you already finished the exam, click the button located on the lower right side of the screen to exit. If this doesn’t work, try restarting your machine. Don’t worry, you have already sent the test and there won’t be any data loss.
3. I don’t know what position I applied for. How can I find out?
Ask us via email at [email protected].
4. If I already applied for a specific position, can I apply again?
Using the same application but for different positions?
Yes. If it has not been more than six months, you can send us an email at [email protected] telling us you want to apply for a different position using your original application. If it has been more than six months since your last application you cannot use your original application; you must apply again starting at the beginning.
5. Can I apply for two different positions at the same time?
Yes. You can apply for as many positions as you believe you qualify for; just send us an email via [email protected] telling us which positions you want to apply for.
6. What experience should I already have in order to apply for positions?
You don’t need to have any experience. What is essential is the ability to do research, solve issues, and be capable of teaching yourself.
7. What do I need to know to apply for positions?
We look for talented people with great potential and flexibility. It doesn’t matter what your career currently is or if you haven’t graduated yet. What matters is your ability to adapt and follow our philosophy and values. It is preferable if you have experience with programming languages, but it is not mandatory. We value your ability to successfully address a problem, more than your professional degrees. Our selection process is designed to encourage you to acquire knowledge yourself and then use it to problem-solve.
8. Does the company offer on-the-job training?
At Fluid Attacks
we do not require work experience, nor do we certify
the knowledge you acquire while working with us. We do not offer
on-the-job training. It is up to you to acquire the knowledge you may
need and have the ability and the capability to overcome technical
challenges and successfully complete the immersion stages. We evaluate
all your abilities, including the attitude, perseverance, and
productivity you exhibit during the selection process since all of these
are necessary for any role in our organization.
9. The application test doesn’t work. What should I do?
Try executing the test as an administrator. If the problem persists, you should try accessing the test from a different computer. If you still have problems send us an email via [email protected].
10. I didn’t receive the attached file for data analysis. How do I get it?
Try downloading the file from here.
11. I ran out of time for the test. Can I get more time?
If you have a valid reason (application lockouts, unexpected restarts, connection issues), send us an email at [email protected] explaining what happened and we will tell you how to proceed.
12. I couldn’t send my data analysis. What should I do?
If you believe you have a valid reason for not meeting the data analysis deadline, send us an email at [email protected] telling us why you didn’t meet it, and ask for a new delivery date.
13. What should I put in my portfolio?
You can find instructions and advice for creating your portfolio here.
14. What should I do after I’ve finished the character test?
Once the character test is completed, you will receive your test results within minutes. While you wait, we suggest you go to the next stage and begin the knowledge test.
15. Do I have to take the polygraph test?
In most cases, this test is not mandatory during the selection process. However, since our business is information security, it may be necessary for you to take this test depending on the position you are applying for.
16. Do I have to take the Gallup test?
This test is only required in certain cases. Please notify us via email when you reach this stage, and we will tell you whether or not you need to take it.
17. Does this process perform a risk analysis with my data?
Yes, in the stage before hiring, confirmation is made on the central risk concerning any of your candidate data.
18. I haven’t notified my current employer that I am applying for a job
with another company. Is the reverse references stage mandatory?
Because this is an advanced stage in the selection process, yes, it is mandatory.
19. Is it mandatory to complete all of the stages in the process?
Not necessarily.
It depends on the position you applied for and your selection process. We will tell you how to proceed, and as always, if you have any questions, contact us.
20. What does offer validity time mean?
It is the length of time Fluid Attacks
will hold open a job offer made
to a specific candidate. If during this time the candidate does not
respond with explicit and written acceptance of the job offer, the offer
will become invalid. Another candidate will then be offered the job.
This allows us to fill positions as soon as
possible.
21. If I do not accept the offer, what happens to my immersion process?
Your immersion process ends immediately.
Fluid Attacks
will remove access to all training systems and notify
you of the total work hours to be put on your monthly time-worked
invoice.
Applied to Employees
1. What are the responsibilities of my job?
Fluid Attacks
strives to be agile and flexible, capable of adapting to
changes at high speed. To accomplish this goal, we keep each work team
around 50
team members. In addition, we require generic roles and a
lot of teamwork, which allows co-workers to augment each other’s
strengths and overcome weaknesses. Because of this, each profile is
grouped in one of these roles: technical and non-technical.
In technical roles the responsibilities are typically: hack systems, audit source code, develop attack exploits, develop tools for hackers, document found vulnerabilities, configure infrastructure as code, perform peer review, present reports to customers, share knowledge with customers and co-workers, migrate obsolete information, and create new information, among others.
In non-technical roles the responsibilities are typically: customer
management, technical pre-sales, marketing, representing Fluid Attacks
to other companies, conference or seminar speakers, and crisis
management, among others.
In short, the responsibilities defined for each role can be flexible, and we expect you to contribute ideas and adapt, depending on the needs of the company. We truly appreciate high technical skilled employees who, after fulfilling technical roles, can gradually migrate to non-technical roles.
2. What kind of contract does Fluid Attacks offer?
At Fluid Attacks
we offer one type of contract: A labor contract for
an indefinite period with all the benefits required by law, as well as
other financial contributions to healthcare, retirement fund,
allowances, layoffs, all paid on 100% of the salary amount. All
employees have the same type of contract regardless of their
role.
3. Does the salary offer coincide to the amount deposited into my account?
No, the salary offer corresponds to the gross salary. The net salary
will depend on your personal variables, such as the amount you want to
contribute to retirement funds, and the number of dependents you declare
for tax purposes, among others. However, in the following
link you can
simulate an approximated value for your net salary. Enter the proposed
salary in the first field (Salario
). Then press Calcular
. In the
monthly net compensation field, you will find an approximated amount of
money which will be your monthly take-home pay. This is your approximate
net salary which will be deposited into your
account.
4. Why is there a difference between the gross salary and the net salary?
See the answer to the question above. In addition to the personal variables that you control which impact your net salary, there are also salary deductions required by law which support governmental programs. These deductions are determined by the government, and cannot be modified by the employer or the employee.
5. As an employee, do I have to pay my own social security deduction?
No. Fluid Attacks
withholds from your paycheck all deductions and
forwards them to the appropriate agencies (EPS
, retirement funds,
compensation funds, etc.). Your net salary is, therefore, the money that
is directly deposited into your bank account.
6. Do you ever change the salary offer?
No. Each salary offer is carefully assessed by a hiring committee of 3
to 5
Fluid Attacks
upper-level managers. Each offer is based on
salaries for comparable positions within Fluid Attacks
and is aligned
with Fluid Attacks
employees at the same performance and productivity
level. Fluid Attacks
also takes into consideration the compensation
offered by other companies, including those in different business
sectors, for comparable positions. For this reason, the salary offer you
receive represents our best and only offer. As an employee’s
productivity, performance, knowledge, and responsibilities increase
opportunities exist to increase their salary as well.
7. Does Fluid Attacks have a variable salary?
No, we don’t. We believe using a variable salary causes more problems than it solves.
8. What additional benefits do I have as an employee?
- Prepaid Healthcare.
- Forgivable loans for hacking certifications exams.
- Time to study for hacking certifications.
9. How does Fluid Attacks support an employee’s training and development?
With time and money:
In time: The time you put into training, on workdays or weekends, can be reported and is then subject to compensation.
In money: Fluid Attacks pays for the professional certification tests you take which enhance your value as an employee.
10. Is it mandatory to train for professional certifications?
No. It’s a professional development option that Fluid Attacks
offers
to its employees. However, training for and receiving professional
certifications can only enhance an employee’s ability to take on new
roles and responsibilities, as needed, within Fluid Attacks
.
11. When does my certification time start? Is it negotiable?
It is not negotiable. All the certifications sponsored by Fluid Attacks
follow the same funding model. However, this model allows
certain variations. For example, an employee can decide to not pursue a
professional certificate or to pay for the certifications or the
materials themselves, in which case the funding is not required. It is
also possible to quit before the 48
months time period and the funding
will then be proportional. Finally, any professional certification,
along with the knowledge acquired, is a skill the employee takes with
them when or if they leave the organization.
12. What happens if I do not pass the certification test?
Nothing happens if you do not pass the certification test unless you are
not willing to keep trying. While Fluid Attacks
values the results of
a test, we also highly value the experience and knowledge you gain by
going through the process; this is why there is no salary adjustment
when you obtain certification nor when you fail to obtain it. Fluid Attacks
may sponsor your retests indefinitely, as long as there is
evidence, as reflected in your training time reports, of your continued
effort to gain certification. We have people who have taken the same
certification test multiple times, always with the sponsorship of Fluid Attacks
. Finally, if you don’t pass and don’t want to keep trying to
pass, there would be a monthly salary deduction during the following
24
months and in case of your resigning your position, this amount
will be subtracted from the settlement pending balance.
13. What is the exact amount of the certification funding?
The exact value is determined at the time of purchase because it varies
depending on the certification, the components you want to cover (test
or official material), price variations on the vendor’s side, etc. For
reference purposes, certifications cost between $300
and $1000 USD
.
14. How should I manage my time?
Every talent should agree with their direct leader the personal
reference schedules of 48
hours per week from Monday to Friday,
starting at 7 AM
. This reference schedule must intersect 75%
of our
customers schedules (7AM
a 6PM
COT). However, this schedule is a
reference, you must take into account the timing of your duties,
notifying in due time without asking permissions about the exceptions on
your reference schedule. This grants you autonomy and freedom without
paperwork when your role and compromises allow it. There are zero
tolerance on failures to comply deadlines or third party meetings
either with customers or coworkers.
15. Can I adjust my schedule if I’m currently studying?
In the framework of the previous answer, yes.
16. How does the time report record my work?
We use an automated time report system called TimeDoctor
. TimeDoctor
tracks activities in real-time, without any additional input from the
employee. This system logs all the activities performed by an employee
while they are working. It can also be disabled when an employee is not
working and needs to perform personal activities. There is no expected
total working timeshare. In exceptional cases when an employee exceeds
48
hours per week, the organization adjusts assignments and grants
compensatory days as soon as possible.
17. If the work schedule is 48 hours/week
why doesn’t the reported pay reflect 48 hours/week? The reference
schedule only defines the work availability expectation for an employee.
We understand that each person has a different work pace which may vary
from week to week, for this reason, expecting a rigid 48-hour
workweek
every week is unrealistic.
18. Does Fluid Attacks have a dress code?
It depends on whether you are working at a Fluid Attacks'
facility or
onsite at the client’s facility:
When working at a Fluid Attacks
facility there is no dress code. We
suggest you dress comfortably in business casual attire.
When working at a client’s facility we expect you to comply with the client company’s dress code.
19. Do I have to work on weekends or at night?
Ordinarily Fluid Attacks
does not ask you to work nights or weekends,
however, it may happen from time to time. In a worst-case scenario, in a
year we may ask you to work 4
weekends and 10
nights. This does not
include situations where you may have to work weekends or nights in
order to meet a client company’s project deadline or meet your work
commitment.
20. Where will I be working?
Employees work either at Fluid Attacks
facilities or at our client
company’s facilities.
21. Does Fluid Attacks allow telecommuting?
See the answer to question 20 above. Fluid Attacks
does not allow
telecommuting. Work must be done on-site. However, exceptions can be
made allowing telecommuting in extreme and extraordinary cases.
22. Can I schedule my vacations ahead of time?
At Fluid Attacks
, you can schedule vacations even if you haven’t yet
finished your work probationary period. Vacations must be requested with
a minimum of 30
calendar days advance notice and for a minimum of 5
days including weekends. When we receive your vacation request it is
placed, along with vacation requests from other employees, in the order
in which we received it. Therefore, those who have requested vacation
time before you, will be granted vacation time, also before you. If you
have an exceptional event that you have to attend, you don’t need to
request vacation time, just notify your supervisor.
23. When do I get a salary review?
Salary reviews are done under 3
possible circumstances. The first
circumstance is the yearly review. The yearly review is mandatory, is
initiated by Fluid Attacks
, and occurs after an employee has worked
for 12
months with the same salary. The second circumstance is the
extemporaneous review. Extemporaneous reviews are optional, are also
initiated by Fluid Attacks
, and occur before an employee has worked
for 12
months with the same salary. The third circumstance is the
requested review. Requested reviews are initiated by, and at, the
employee’s request.
24. What are the possible outcomes of a salary review?
A salary review can result in a determination that your current salary is appropriate and hence, the salary is not changed, or it may be slightly adjusted regarding the legal minimum wage of the previous year. A salary review can also result in re-scaling, which means your current salary would be adjusted to a higher scale.
25. What factors determine my salary?
Your salary is determined by 3 factors: historical performance, long-term alignment, and group payment capacity.
Historical performance, within the framework of Fluid Attacks'
values
and processes, is represented as a constant value generation.
Long-term alignment indicates that your career goals are completely
aligned with the needs of our company. Therefore, your long-term career
plan can be fully realized through your work with Fluid Attacks
.
Group payment capacity is an external factor which defines the ability
of Fluid Attacks
to fulfill commitments on a long-term basis.
26. What factors DO NOT determine my salary?
Your salary is not affected by factors such as your academic
achievement, professional certifications, seniority, work experience
inside or outside Fluid Attacks
, professional position within Fluid Attacks'
hierarchy, previous salaries you may have received in
different companies, or your current salary expectations. See the
question above for the factors that determine salaries. This means that
there could be hackers or programmers with higher salaries than their
bosses, and people with basic education earning more than people with
masters degrees. Attaining professional certifications does not
necessarily increase your salary. Salaries are only increased if
historic performance and long-term alignment are improved as a result of
the new certifications, and therefore, result in an increase in the
employee’s knowledge and skills, and if Fluid Attacks
can afford such
an increase in the long
term.
27. How does Fluid Attacks determine the salary factor for a new employee?
For a new employee who has never previously worked for Fluid Attacks, historic performance and long-term alignment is defined by the new employee’s selection process. This is why the selection process is strict and rigorous. However, there can be two possible failures within this system. One is an underestimation of the new employee’s skills, abilities, and knowledge in which case we would perform an extemporaneous salary review. The other is an overestimation of skills, abilities, and knowledge which would result only in an inflation adjustment in a yearly salary review.
28. What would be my estimated salary after one year?
See question 23.
29. What are the available salary ranges?
At Fluid Attacks
salaries range from $1.4M COP to $14M COP. These
values follow an exponential distribution, meaning there are more people
in the lower salary range and fewer people in the higher salary range.
30. What does Fluid Attacks expect from a new employee?
At Fluid Attacks, we have three unchanging, non-negotiable values:
HONESTY: We expect new employees to strictly abide by our ethics
code, to follow our working philosophy, to always speak the truth using
defined channels and in a respectful manner. We expect all employees,
regardless of how long they have worked for Fluid Attacks, will exercise
maximum security in safeguarding our company’s and customer’s
confidential information. In addition, our expectation is that employees
will use their hacking knowledge in a responsible manner. Do not hack
without authorization, even outside Fluid Attacks
.
TEAMWORK: We expect new employees to help their coworkers, whether team-players or team-leaders, in tasks the new employee may not like but the work requires. We expect new employees to work in a dedicated and focused manner on all assigned projects. We prefer projects to be finished early, but not at the expense of sacrificing work quality.
DISCIPLINE: We expect new employees to self-manage without constant
supervision, to meet all deadlines without excuses, to arrive on time
for all commitments and meetings with customers and coworkers, to send
deliverables with zero adjustments, to work on the issues of the
client’s company with effort and integrity, and to actively innovate
and start to improve our client’s company and Fluid Attacks
.
+ Finally, we expect that all three unchanging, non-negotiable values will always be practiced and that over time will be used effortlessly, consistently and with effectiveness.
31. What are Fluid Attacks' technical expectations from a new employee?
Our motto says, "Find all vulnerabilities and report them as soon as possible." To meet this expectation a new employee must:
-
Program in innovative and functional ways.
-
Generate daily value in production deployments.
-
Search for ways to make things work. Do not make excuses to avoid doing them.
-
Hack the customer’s systems without being detected.
-
Extract as much information as possible from every customer’s system to help them understand the real impact of a vulnerability.
-
Document all vulnerabilities immediately after finding them.
-
Report all existing vulnerabilities.
-
Notify customers about installed backdoors, and uninstall them after finishing the project.
-
Hack as many systems as possible in the assigned time.
-
Find critical vulnerabilities including those that may not be obvious.
-
Share with and willingly teach coworkers any new hacking techniques.
-
Make meaningful contributions to Fluid Attacks' products.
-
Focus on your default activity when a lockout comes out (migration, product, blog articles, etc).
-
Search for solutions independently.
-
Be willing to learn, improvise, and create when a solution is not easily found. Ask for help if you need it, but do not simply expect someone else to solve it.
In general, we look for dedicated persons who are willing to share their knowledge and fulfill their roles with no excuses.
32. Can I grow professionally at Fluid Attacks?
At Fluid Attacks
we classify growth in 3 different areas: authority,
knowledge, and money.
Growth in authority is usually low since we do not intentionally try to
grow our workforce but to have highly competitive products instead.
Therefore, our managerial positions are open only when someone leaves a
position or when there are personnel retirements. Our current CEO
started as a Support Engineer 10 years ago.
Growth in knowledge is high since we, not the customer, control the technologies we use. We constantly update our tools because we audit many customers and, therefore, we must learn the most current and emergent technologies within a very short timeframe. The projects are short and the learning is constant. In the security and hacking area, we have the experience and the track record to be considered the largest hacking company in Latin America.
Growth in money tends to be in the midrange because salaries at Fluid Attacks
are not only attached to the growth in authority (non-technical
scale) but also to the growth in knowledge (technical scale). This is
why it is common to find engineers with higher salaries than their
bosses (see question 23).
33. Can my role evolve over time and in accordance
with my acquired knowledge and certifications? Seniority,
certifications, and knowledge do not guarantee the evolution of your
role. An employee may occupy the same role for a long time, have many
certifications, learn many new technologies, and still not improve their
performance, or use these factors to improve Fluid Attacks
. For this
reason, none of the previously mentioned variables can guarantee the
evolution of the role. As an employee, you can evolve if your
performance keeps improving every trimester, if you follow the defined
process, and if you consistently deliver high-quality
results.
34. How does Fluid Attacks honor a performance that exceeds the expected?
Fluid Attacks
has a simple philosophy. If you consistently perform
over the expected, you are rewarded through a salary re-scaling. The
reward is more significant if it’s made within the first 12
months.
The reward is always made in private and results in a higher standard
for the future performance of the employee, and hence another re-scaling
will be more difficult to obtain.
35. If my salary is not re-scaled, am I doing something wrong?
No. If in a yearly salary review there is no salary re-scaling it means
that the assigned salary corresponds to the historical performance and
long-term alignment of Fluid Attacks
, and is equivalent to our other
employees within the same variable salary range. The more time an
employee spends with Fluid Attacks
, the farther their salary moves
into the salary range of the employees within that particular salary
re-scaling group. These re-scalings, in turn, become less often. If an
employee achieves a higher salary range, but their performance or
long-term alignment is less than that expected by Fluid Attacks
, a
private conversation and an improvement plan will be initiated. The
requirements of the improvement plan must be met within a stated
time-frame or the employee risks termination of employment.
36. What is our technology stack?
All our technology is on AWS
, using
Kubernetes
for ephemeral and production
environments, as well as for CI/CD
agents. Our infrastructure as code
is made through Terraform
,
Ansible
and
Dockerfile
. We use Gitlab as a Service
for these processes' orchestration
(git
, docker registry
, issues
, etc). The service backends
and
attack weapons are developed in Python
, our
frontend
is currently in migration to React
under Typescript
only with
stateless components. The backend
is in migration to
GraphQL
. All the documentation and the web
page is built on AsciiDoc
using a static
generation strategy via Pelican
. The
operative systems on each workstation depend on the employee’s
preferences, but we have a lot of
Debian
and security derivated
such as Kali
. Some renegades use
Arch
or NixOS
.
Inside AWS
we use serverless services like
Dynamo
for databases,
S3
for high speed storage and
RDS
for relational databases. For
clusters
we use EKS
to avoid the
maintenance of complex cluster components. We use external services such
as Okta
for identity federation,
Rollbar
for telemetry, Rocket Chat
for chatops,
Pluralsight
for
productivity analytic, Mozilla SOPS
for secrets management, Helm
for cluster
management, Launch Darkly
for feature
flags, Burp
for web attacks,
Canvas
for
infrastructure attacks,
Nessus
for preliminary vulnerability analysis, among others.
37. What is our development methodology?
Fluid Attacks
documents, programs and configures infrastructure
through source code. This allows an extensive use of Git
, a rigorous
control of the changes and all rollback
advantages. We follow a
trunk-based development
as baseline, having a unique long-term
environment (production) associated with a unique branch (master
).
There are no other environments or feature branches. We work under a
mono-repo
philosophy, and therefore, we have relatively few repos.
Each developer has only one branch (zero inventory) and developer
branches must integrate to the master branch after a Merge Request
.
This means Merge Commits
are not allowed. Our history is lineal and
hence, a constant rebasing is imperative. There are no test analysts or
quality assurance, therefore the manual tests are performed by the
developer following the established evidence protocol that must contain
every Merge Request
. The developer is responsible for the automation
tests, whether unit or integration. Some products already have a test
suite with over 90%
coverage on their effective lines of code. Every
developer is responsible for their changes (real Devops
), for
monitoring the technologies through telemetry tools (chatops
) and to
perform rollback
if necessary. We use CI/CD
tools extensively on
each production deployment, reaching the sum of 5.7 daily
deployments. Every deployment can be made anytime, so there are not
system maintenance periods, nor late-night actions associated. We expect
every developer to deploy at least 1
change per day, with it being
desirable that they deploy more than 1
. To this end, we use the
micro-changes
philosophy (production deployments with less than 100
deltas) in addition to Feature Flags activation if necessary. The CI
runs the linters in strict mode (breaking the build in the presence
of the least anomaly), this allows the applications to be easy to
maintain and evolve because the code is so homogeneous that it is not
known who programmed it. All the changes must pass through a Peer Review
process before the integration to the master branch. This
process is made by a coworker with deep knowledge of the repository
(merger) and who rejects approximately 30%
of the Merge Requests
,
forcing the developer to review and resend the changes in a new Merge Request
(transactions over conversations). Infrastructure is immutable,
therefore the containers don’t have SSH
or RDP
management interfaces
for modifications. This makes root users obsolete, as well as the
associated key management. All of the above means we do not use Scrum
nor any derivation since we consider it obsolete for this ultra-fast
development approach.
38. What is our long-term technological vision?
Our long-term technological vision is to publish, on the internet, all our application and infrastructure repositories. We believe that transparency in source code forces us to comply with the highest security and quality standards. This helps us convey to the public that they are capable of auditing and reviewing code themselves, helps them build confidence in the work done, and forces us to remove any key or sensitive information stored in the code, thus allowing us to disclose the work done by our engineers. We believe in simple architectures, even monoliths. The micro-services based on the size of our organization represent an architectural over-sizing instead of a real need. We believe in functional programming even in languages that don’t require it. For us, this reveals more about our conviction regarding how to code rather than a philosophical debate about tools. In this sense, we prefer static typing over dynamic, even if it’s achieved using additional linters. The goal is to stick to existing tools instead of reinventing the wheel.