Young hacker smiling

Zero false positives

Expert intelligence + effective automation

Frequently Asked Questions (FAQ)

If you have a question about the selection process, please read through the FAQ list before you contact us. You might find the answer to your question is already here.

Before Entering

  1. I already applied in a job portal.

    Why haven’t I been invited to the process?

    After you apply to a vacancy listed on any of the portals we are registered in, it takes from 1 to 2 days for us to identify potential candidates, classify them, and send invitations via email. If you apply and have not received an invitation or other notification after 2 consecutive business days, and you believe your profile fits the vacancy, send us an email query at

  2. The test application won’t allow me to exit Moodle. What should I do?

    If you already finished the exam, click the button located on the lower right side of the screen to exit. If this doesn’t work, try restarting your machine. Don’t worry, you have already sent the test and there won’t be any data loss.

  3. I don’t have a RUT. How can I complete the third party form?

    On the DIAN webpage you can find out how to get your RUT, or how to update it, if you already have one.

  4. I don’t know what vacancy I applied for. How can I find out?

    Ask us via email at

  5. If I already applied for a specific vacancy, can I apply again

    using the same application but for different vacancies?

    Yes. If it has not been more than six months, you can send us an email at telling us you want to apply for a different vacancy using your original application. If it has been more than six months since your last application you cannot use your original application; you must apply again starting at the beginning.

  6. Can I apply for two different vacancies at the same time?

    Yes. You can apply for as many vacancies as you believe you qualify for; just send us an email via telling us which vacancies you want to apply for.

  7. What experience should I already have in order to apply for vacancies?

    You don’t need to have any experience. What is essential is the ability to do research, solve issues, and be capable of teaching yourself.

  8. What do I need to know to apply for vacancies?

    We look for talented people with great potential and flexibility. It doesn’t matter what your career currently is or if you haven’t graduated yet. What matters is your ability to adapt and follow our philosophy and values. It is preferable if you have experience with programming languages, but it is not mandatory. We value your ability to successfully address a problem, more than your professional degrees. Our selection process is designed to encourage you to acquire knowledge yourself and then use it to problem-solve.

  9. Does the company offer on-the-job training?

    At Fluid Attacks we do not require work experience, nor do we certify the knowledge you acquire while working with us. We do not offer on-the-job training. It is up to you to acquire the knowledge you may need and have the ability and the capability to overcome technical challenges and successfully complete the immersion stages. We evaluate all your abilities, including the attitude, perseverance, and productivity you exhibit during the selection process since all of these are necessary for any role in our organization.

  10. The application test doesn’t work. What should I do?

    Try executing the test as an administrator. If the problem persists, you should try accessing the test from a different computer. If you still have problems send us an email via

  11. I didn’t receive the attached file for data analysis. How do I get it?

    Try downloading the file from here.

  12. I ran out of time for the test. Can I get more time?

    If you have a valid reason (application lockouts, unexpected restarts, connection issues), send us an email at explaining what happened and we will tell you how to proceed.

  13. I couldn’t send my data analysis. What should I do?

    If you believe you have a valid reason for not meeting the data analysis deadline, send us an email at telling us why you didn’t meet it, and ask for a new delivery date.

  14. What should I put in my portfolio?

    You can find instructions and advice for creating your portfolio here.

  15. I do not have a VISA. What should I put in that field?

    This field is not mandatory. Do not fill it in if you don’t have a VISA.

  16. What should I do after I’ve finished the character test?

    Once the character test is completed, you will receive your test results within minutes. While you wait, we suggest you go to the next stage and begin the knowledge test.

  17. Do I have to take the polygraph test?

    In most cases, this test is not mandatory during the selection process. However, since our business is information security, it may be necessary for you to take this test depending on the position you are applying for.

  18. Do I have to take the Gallup test?

    This test is only required in certain cases. Please notify us via email when you reach this stage, and we will tell you whether or not you need to take it.

  19. Does this process perform a risk analysis with my data?

    Yes, in the stage before hiring, confirmation is made on the central risk concerning any of your candidate data.

  20. I haven’t notified my current employer that I am applying for a job

    with another company. Is the reverse references stage mandatory?

    Because this is an advanced stage in the selection process, yes, it is mandatory.

  21. I’m very shy when presenting in public.

    Is it mandatory to do the audition?

    During the selection process this stage is optional. However, if you work at Fluid Attacks, we expect you to have excellent communication skills, regardless of the position you are hired for.

  22. Is it mandatory to complete all of the stages in the process?

    Not necessarily. It depends on the vacancy you applied for and your selection process. We will tell you how to proceed, and as always, if you have any questions, contact us.

  23. What does "offer validity time" mean?

    It is the length of time Fluid Attacks will hold open a job offer made to a specific candidate. If during this time the candidate does not respond with explicit and written acceptance of the job offer, the offer will become invalid. Another candidate will then be offered the job. This allows us to fill vacancies as soon as possible.

  24. If I do not accept the offer, what happens to my immersion process?

    Your immersion process ends immediately. Fluid Attacks will remove access to all training systems and notify you of the total work hours to be put on your monthly time-worked invoice.

After Entering

Fluid Attacks focuses on and specializes in Red Team testing. In regard to information security concepts, we take an offensive approach. We look for all the vulnerabilities and report them as soon as possible. Below are some Frequently Asked Questions (FAQ) new employees ask when they become part of our work team:

  1. What are the responsibilities of my job?

    Fluid Attacks strives to be agile and flexible, capable of adapting to changes at high speed. To accomplish this goal, we keep each work team under 50 team members. In addition, we require generic roles and a lot of teamwork, which allows co-workers to augment each other’s strengths and overcome weaknesses. Because of this, each profile is grouped in one of these roles: technical and non-technical.

    • In technical roles the responsibilities are typically: hack systems, audit source code, develop attack exploits, develop tools for hackers, document found vulnerabilities, configure infrastructure as code, perform peer review, present reports to customers, share knowledge with customers and co-workers, migrate obsolete information, and create new information, among others.

    • In non-technical roles the responsibilities are typically: customer management, technical pre-sales, marketing, representing Fluid Attacks to other companies, conference or seminar speakers, and crisis management, among others.
      In short, the responsibilities defined for each role can be flexible, and we expect you to contribute ideas and adapt, depending on the needs of the company. We truly appreciate high technical skilled employees who, after fulfilling technical roles, can gradually migrate to non-technical roles.

  2. What kind of contract does Fluid Attacks offer?

    At Fluid Attacks we offer one type of contract: A labor contract for an indefinite period with all the benefits required by law, as well as other financial contributions to healthcare, retirement fund, allowances, layoffs, all paid on 100% of the salary amount. All employees have the same type of contract regardless of their role.

  3. Does the salary offer correspond to the amount deposited into my account?

    No, the salary offer corresponds to the gross salary. The net salary will depend on your personal variables, such as the amount you want to contribute to retirement funds, and the number of dependents you declare for tax purposes, among others. However, in the following link you can simulate an approximated value for your net salary. Enter the proposed salary in the first field (Salario). Then press Calcular. In the monthly net compensation field, you will find an approximated amount of money which will be your monthly take-home pay. This is your approximate net salary which will be deposited into your account.

  4. Why is there a difference between the gross salary and the net salary?

    See the answer to question 3 above. In addition to the personal variables that you control which impact your net salary, there are also salary deductions required by law which support governmental programs. These deductions are determined by the government, and cannot be modified by the employer or the employee.

  5. As an employee, do I have to pay my own social security deduction?

    No. Fluid Attacks withholds from your paycheck all deductions and forwards them to the appropriate agencies (EPS, retirement funds, compensation funds, etc.). Your net salary is, therefore, the money that is directly deposited into your bank account.

  6. Do you ever change the salary offer?

    No. Each salary offer is carefully assessed by a hiring committee of 3 to 5 Fluid Attacks upper-level managers. Each offer is based on salaries for comparable positions within Fluid Attacks and is aligned with Fluid Attacks employees at the same performance and productivity level. Fluid Attacks also takes into consideration the compensation offered by other companies, including those in different business sectors, for comparable positions. For this reason, the salary offer you receive represents our best and only offer. As an employee’s productivity, performance, knowledge, and responsibilities increase opportunities exist to increase their salary as well.

  7. Does Fluid Attacks have a variable salary?

    No, we don’t. We believe using a variable salary causes more problems than it solves.

  8. What additional benefits do I have as an employee?

    Because we focus all our efforts on ensuring our employees receive a competitive and lucrative salary, we do not offer benefits that could reduce your upfront salary, such as gym memberships, prepaid healthcare, bonuses or food allowances, etc. Our commitment is to offer you a salary that values your knowledge, skills, and abilities; what you choose to do with that salary is then up to you. In addition, our contribution to your retirement funds is based on 100% of your salary, which means your retirement savings grow at their maximum level without being decreased by other benefits you may not want or use.

  9. How does Fluid Attacks support an employee’s

    continuous training and development?

    With time and money:

    • In time: The time you put into training, on workdays or weekends, can be reported and is then subject to compensation.

    • In money: Fluid Attacks pays for the professional certification tests you take which enhance your value as an employee.

  10. Is it mandatory to train for professional certifications?

    No. It’s a professional development option that Fluid Attacks offers to its employees. However, training for and receiving professional certifications can only enhance an employee’s ability to take on new roles and responsibilities, as needed, within Fluid Attacks.

  11. When does my certification time start? Is it negotiable?

    It is not negotiable. All the certifications sponsored by Fluid Attacks follow the same funding model. However, this model allows certain variations. For example, an employee can decide to not pursue a professional certificate or to pay for the certifications or the materials themselves, in which case the funding is not required. It is also possible to quit before the 48 months time period and the funding will then be proportional. Finally, any professional certification, along with the knowledge acquired, is a skill the employee takes with them when or if they leave the organization.

  12. What happens if I lose the certification test?

    Nothing happens if you lose the certification test unless you are not willing to keep trying. Fluid Attacks encourage the process over the results. For this reason, as well as when the certification is obtained there is no salary adjustment, also there are no adverse effects when it’s lost. Fluid Attacks may sponsor the retest if you wish, and this cycle can be repeated indefinitely, as long as there are evidence of effort and dedication to obtain it (training time reports). We have people who have presented the same test for over 4 times always with the sponsorship of Fluid Attacks. Finally if the talent doesn’t approve the tests and doesn’t wish to keep trying there would be a monthly salary deduction during the following 24 months and in case of retreat this amount will be subtracted from the settlement pending balance.

  13. What is the exact amount of the certification funding?

    The exact value is known only during the purchase, because it varies depending on the certification, the components you want to cover (test or official material), price variations on the vendor side, among others. For reference purposes, there are certification from 300 USD up to 1000 USD.

  14. How should I manage my time?

    Every talent should agree with their direct leader the personal reference schedules of 48 hours per week from Monday to Friday, starting at 7 AM. This reference schedule must intersect 75% of our customers schedules (7AM a 6PM COT). However, this schedule is a reference, you must take into account the timing of your duties, notifying in due time without asking permissions about the exceptions on your reference schedule. This grants you autonomy and freedom without paperwork when your role and compromises allow it. There are zero tolerance on failures to comply deadlines or third party meetings either with customers or coworkers.

  15. Can I adjust my schedule if I’m currently studying?

    In the framework of the previous answer, yes.

  16. How is it made the time report?

    We use a time report system called TimeDoctor which allows to track activities in real time, without additional efforts from the talent aside of the efforts dedicated to the customer and the project. This system logs all the activities performed by the talent while he/she is working, but it also can be disabled when the talent is not working and to perform personal activities. This allows us to keep a healthy balance between control and autonomy. There is no expected total working time share, we leave this value to the talent criteria. However in exceptional cases that a talent   exceeds 48 hours per week systematically,   the organization unilaterally adjusts its assignments,   in addition to granting compensatory days as soon as possible.

  17. Why is the reporting fee not 48h if the schedule is 48h?

    Because the reference schedule defines the availability expectation for the talent based on a focused dedication. We understand that each person has different work paces which may vary over weeks, for this reason, expecting a rigid dedication of 48 hours per week is unrealistic. Additionally, our method for measuring the effort is very accurate and strict and hence we focus on reporting the reality.

  18. Is there a dress code in Fluid Attacks?

    We can execute projects on Fluid Attacks facilities or in the customer facilities:

    • When we attend to Fluid Attacks facilities there is no dressing code. You may dress as comfortable as you want.

    • When we execute projects on the clients facilities we must know and comply with their dress code.

  19. Do I have to work on weekends or at night?

    It is not usual for the company to request for this situation. If it happens to occur is something exceptional. In order to assume the worst scenario, in a year we may ask you to work on 4 weekends and 10 nights. These values correspond to the company request and do not include the instances on which the talent have to work on weekends or nights in order to fulfill the schedule or the working fee.

  20. Where do I have to work?

    We can execute projects on Fluid Attacks facilities or in the customer facilities.

  21. Does exist teleworking in Fluid Attacks?

    Teleworking doesn’t exist as an alternative of on-site working. However, is it possible as an exception made to manage events of force majeure.

  22. Can I anticipate my vacations?

    In Fluid Attacks you can anticipate your vacations even if you haven’t finished your period. Vacations must be requested with minimum 30 calendar days of anticipation, and will be assessed regarding other vacation applications requested before by other employees (FIFO). You have to consider that the minimum vacation term must be of 5 days including weekends. If you have an exceptional event that you have to attend, you don’t need to request vacations for that, it suffices to notify the corresponding exception.

  23. When do I get a salary revision?

    The salary can be reviewed under 3 possible circumstances. The first, named yearly review, is mandatory and it occurs after 12 months with the same salary. The second, named extemporaneous review, is optional and it occurs before 12 months with the same salary. The third, named requested review, can be asked anytime by the talent. It is named requested review because the first two reviews are always made by Fluid Attacks without any request of the talent.

  24. What are the possible outcomes of a salary review?

    In any kind of review either yearly, extemporaneous or requested, there are only two possible outcomes: first, an inflation adjustment which results by determining that the current salary is appropriated and hence, the salary is not modified or it is slightly adjusted regarding the legal minimum wage of the previous year. The second, named re-scaling, results when the current salary must be adjusted to a higher scale.

  25. What factors determine my salary?

    The salary is determined by 3 factors: historical performance, long term alignment, and group payment capacity.

    • Historical performance corresponds to a constant value generation, in the framework of the company values and processes.

    • The long term alignment represents that your vision and Fluid Attacks' vision are completely aligned, and hence your career scheme can be fully developed in long term inside the company.

    • The group payment capacity is an external factor which defines the capacity of Fluid Attacks to fulfill all the commitments on a long term.

  26. What factors DO NOT determine my salary?

    The salary is not affected by factors such as: academic level, certifications, seniority, experience inside and outside Fluid Attacks, hierarchy, previous salaries in different companies or salary expectations. The salary is only defined by the factors mentioned in the previous question. This means that there could be hackers or programmers with higher salaries than their bosses, and people with basic education gaining more than people with master degrees. More certifications does not necessarily mean more salary, the salary is only increased if the historic performance and long term alignment is improved as a result of the new certifications and knowledge of the talent, and if Fluid Attacks can afford such increase in long term.

  27. How Fluid Attacks determines the salary factors for a new talent?

    The historic performance and long term alignment for a new talent that has never worked for Fluid Attacks are defined by regarding his/her selection process. For this reason, this process is strict and rigorous. However there can be two posible failure scenarios: underestimation, in which case we perform extemporaneous salary reviews, or overestimation, which results only on inflation adjustments in yearly salary reviews.

  28. What would be my estimated salary after one year?

    See question 23

  29. What are the available salary ranges?

    In Fluid Attacks there are salaries from $1.4M COP to $14M COP. For lower salaries there are more people in that range, for higher salaries there are less people. That means these values follow an exponential distribution.

  30. What does Fluid Attacks expect from a new talent?

    In Fluid Attacks we have three immovable and non-negotiable values:

    • HONESTY: We expect the talent to stick strictly to our ethics code, to genuinely accept our working philosophy, always speaking with the truth, using the defined channels and in a prudent manner. We expect an immaculate care of Fluid Attacks and customers confidential information, as well as a responsible use of the hacking knowledge. Do not hack without authorization, even outside Fluid Attacks.

    • TEAM WORK: We expect the talent to help his/her coworkers, either peers or leaders in the tasks they don’t like but the work nature requires. to work in a dedicated and focused manner in the assigned projects, preferentially finishing them early without sacrificing the quality.

    • DISCIPLINE: We expect the talent to self-manage without a leader, to comply the deadlines without excuses, to arrive on time for commitments and meetings either with customers or coworkers, to send deliverables with zero adjustments, to voluntary involve and try to solve the issues affecting the company, and to self empower through new horizons to improve the company.

      Finally, we expect these expectations to be fully fulfilled always, and to increase the rigor on its application over time.

  31. What does Fluid Attacks expect technically from a new talent?

    As our motto says: "Find all vulnerabilities and report them as soon as possible" for that, we expect the talent to:

    • Program in a fancy, functional way.

    • Generate daily value in production deployments.

    • Search ways to make things work instead of making excuses to avoid doing them.

    • Hack the customer systems without being detected.

    • Extract as much information as possible from the customer systems to increase the awareness of the real impact of a vulnerability.

    • Document all vulnerabilities immediately after finding them.

    • Report all existing vulnerabilities.

    • Notify about the installed backdoors and uninstall them after finished the project.

    • Hack as much systems as possible in the assigned time.

    • Find not evident and critical vulnerabilities.

    • Teach his/her coworkers the new hacking techniques without jealousy.

    • Make contributions to the company products.

    • Dedicate to his/her default activity when a lockout comes out (migration, product, blog articles, etc).

    • Search solutions on his/her own in a investigative manner.

    • Be willing to learn when a solution can’t be found instead of expecting someone else to solve it.

      In general, we look for dedicated persons who are willing to share their knowledge and fulfill their roles with no excuses.

  32. Can I grow professionally in Fluid Attacks?

    In order to answer this question we classify growth in 3 aspects: power, knowledge, and money.

    • The power growth is usually low, since we do not aim to grow in workforce, but to have highly competitive products, and hence the managerial positions are opened only when there are personnel retirements. However, our current CEO started as Support Engineer 10 years ago.

    • We consider the knowledge growth is high, since we control the technologies we use (not the customer), we constantly update our tools because we audit many customers and hence we must learn the current and emergent technologies in a very short time. The projects are short and the learning is constant. In the security and hacking area we have the experience and the track record to consider us the biggest Hacking company in Latin America.

    • The money growth tends to be medium, first because the salary in Fluid Attacks is not only attached to the power (non-tecnical scale) but also to the knowledge (technical scale) and hence, is common to find engineers with higher salaries than their bosses (see Question 23).

  33. Can my role evolve over time and according to

    the acquired knowledge and certifications?

    The seniority, certifications and knowledge don’t guarantee the evolution of the role. One employee can play the same role for a long time, have many certifications, learn about many new technologies and nevertheless do not improve his/her performance, or use these factors to improve the company with dedication. For this reason, none of the previously mentioned variables can guarantee the evolution of the role. As an employee, you can evolve if your performance keeps improving every trimester, if you follow the defined process and deliver the best results consistently.

  34. How does Fluid Attacks recognize a performance that exceeds the expected?

    Fluid Attacks has a simple philosophy regarding this aspect, the constant performance over the expected is rewarded through a salary re-scaling. The reward is more significant if it’s made in a extemporaneous way (before 12 months). This implies that the reward is always made in private and results in a higher standard for the future performance of te talent, and hence a new re-scaling will be more difficult to reach.

  35. If my salary is not re-scaled, am I doing something wrong?

    No. If in a yearly salary review there is no a re-scaling means that the assigned salary corresponds to the historical performance and long term alignment and is equivalent to the coworkers in the same variable range. The more time a talent spend with Fluid Attacks the more the salary converges to the possible salary ranges by all the salary re-scalings, and these in turn become less often. When a talent presents a higher salary range than his/her performance or the long term alignment is different from the company, we have a private conversation with the talent to implement an improvement plan which of not implementing in short term will result in the retirement of the talent from Fluid Attacks. If such conversation doesn’t occur, means everything is going according to the planned.

  36. What’s our technology stack?

    All our technology is on AWS, using Kubernetes for ephemeral and production environments, as well as for CI/CD agents. Our infrastructure as code is made through Terraform, Ansible and Dockerfile. We use Gitlab as a Service for these processes orchestration (git, docker registry, issues, etc). The service backends and attack weapons are developed in Python, our frontend is currently in migration to React under Typescript only with stateless components. The backend is in migration to GraphQL. All the documentation and the web page is built on AsciiDoc using a static generation strategy via Pelican. The operative systems on each workstation depend on the talent preferences, but we have a lot of Debian and security derivated such as Kali. Some renegades use Arch or NixOS. Inside AWS we use serverless services like Dynamo for databases, S3 for high speed storage and RDS for relational databases For clusters we use EKS to avoid the maintenance of complex cluster components. We use external services such as OneLogin for identity federation, Rollbar for telemetry, Slack for chatops, GitPrime for productivity analytic, Vault for ephemeral secrets management, Helm for cluster management, Launch Darkly for feature flags, Burp for web attacks, Canvas for infrastructure attacks, Nessus for preliminary vulnerability analysis, among others.

  37. What’s our development methodology?

    Fluid Attacks documents, programs and configures infrastructure through source code. This allows an extensive use of Git, a rigorous control of the changes and all rollback advantages. We follow a trunk-based development as baseline, having a unique long-term environment (production) associated to a unique branch (master). There are no other environments or feature branches. We work under a mono-repo philosophy, and therefore, we have relatively few repos. Each developer has only one branch (zero inventory) and developer branches must integrate to the master branch after a Merge Request, this means Merge Commits are not allowed. Our history is lineal and hence, a constant rebasing is imperative. There are no test analysts or quality assurance, therefore the manual tests are performed by the developer following the established evidence protocol that must contain every Merge Request. The developer is responsible for the automation tests, either unit or integration. Some products already have a test suite with over 90% coverage on their effective lines of code. Every developer is responsible of his/her changes (real Devops), of monitoring the technologies through telemetry tools (chatops) and perform rollback if necessary. We use extensively CI/CD tools on each production deployment, reaching the sum of 5.7 daily deployments. Every deployment can be made anytime, so there are not system maintenance periods, nor late night actions associated. We expect every developer to deploy at least 1 change per day, being desirable more than 1. To this end, we use the micro-changes philosophy (production deployments with less than 100 deltas) in addition to Feature Flags activation if necessary. The CI runs the linters on strict mode (breaking the build in presence of the least anomaly), this allows the applications to be easy to maintain and evolve because the code is so homogeneous that it is not known who programmed it. All the changes must pass through a Peer Review process before the integration to the master branch. This process is made by a coworker with deep knowledge of the repository (merger) and rejects approximately 30% of the Merge Requests, forcing the developer to review and resend the changes in a new Merge Request (transactions over conversations). Infrastructure is immutable, therefore the containers don’t have SSH or RDP management interfaces for modifications. This make root users obsoletes, as well as the associated key management. All of the above makes us to not use Scrum nor any derivation since we consider it obsolete for this ultra-fast development approach.

  38. What’s our long-term technological vision?

    To publish on internet all our application and infrastructure repositories. We believe that transparency in source code forces us to comply with the highest security and quality standards. This helps us to announce to the public that they can audit and review the code by themselves, shows confidence in the work done, and forces to remove any key or sensitive information stored in the code, allowing to disclosure the work of our engineers. We believe in simple architectures, even monoliths. The micro-services based on the size of our organization represent an architectural over-sizing instead of a real need. We believe in functional programming even on languages that don’t require it. For us, this is translated more in a conviction about how to code rather than a philosophical debate about tools. On this sense, we rather static typing over dynamic, even if it’s achieved using additional linters. The goal is to stick to the existing tools instead of reinventing the wheel

Service status - Terms of Use