Fluid Attacks focuses on and specializes in
Red Team testing.
In regard to information security concepts,
we take an offensive approach.
We look for all the vulnerabilities and report them as soon as possible.
Below are some Frequently Asked Questions (
new employees ask when they become part of our work team:
Fluid Attacks strives to be agile and flexible,
capable of adapting to changes at high speed.
To accomplish this goal,
we keep each work team around
50 team members.
In addition, we require generic roles and a lot of teamwork,
which allows co-workers to augment each other’s strengths
and overcome weaknesses.
Because of this, each profile is grouped in one of these roles:
technical and non-technical.
In technical roles the responsibilities are typically: hack systems, audit source code, develop attack exploits, develop tools for hackers, document found vulnerabilities, configure infrastructure as code, perform peer review, present reports to customers, share knowledge with customers and co-workers, migrate obsolete information, and create new information, among others.
In non-technical roles the responsibilities are typically:
customer management, technical pre-sales, marketing,
Fluid Attacks to other companies,
conference or seminar speakers, and crisis management, among others.
In short, the responsibilities defined for each role can be flexible, and we expect you to contribute ideas and adapt, depending on the needs of the company. We truly appreciate high technical skilled employees who, after fulfilling technical roles, can gradually migrate to non-technical roles.
At Fluid Attacks we offer one type of contract:
A labor contract for an indefinite period
with all the benefits required by law,
as well as other financial contributions to healthcare,
retirement fund, allowances, layoffs,
all paid on 100% of the salary amount.
All employees have the same type of contract regardless of their role.
No, the salary offer corresponds to the gross salary.
The net salary will depend on your personal variables,
such as the amount you want to contribute to retirement funds,
and the number of dependents you declare for tax purposes, among others.
However, in the following link
you can simulate an approximated value for your net salary.
Enter the proposed salary in the first field (
In the monthly net compensation field,
you will find an approximated amount of money
which will be your monthly take-home pay.
This is your approximate net salary
which will be deposited into your account.
See the answer to the question above. In addition to the personal variables that you control which impact your net salary, there are also salary deductions required by law which support governmental programs. These deductions are determined by the government, and cannot be modified by the employer or the employee.
Fluid Attacks withholds all deductions from your paycheck
and forwards them to the appropriate agencies
(EPS, retirement funds, compensation funds, etc.).
Your net salary is, therefore,
the money that is directly deposited into your bank account.
No. Each salary offer is carefully assessed
by a hiring committee of
Fluid Attacks upper-level managers.
Each offer is based on salaries for comparable positions
at Fluid Attacks and is aligned
with Fluid Attacks employees
at the same performance and productivity level.
Fluid Attacks also takes into consideration
the compensation offered by other companies,
including those in different business sectors, for comparable positions.
For this reason, the salary offer you receive
represents our best and only offer.
As an employee’s productivity, performance, knowledge,
and responsibilities increase, opportunities exist
to increase their salary as well.
No, we don’t. We believe using a variable salary causes more problems than it solves.
Because we focus all our efforts
on ensuring our employees receive a competitive and lucrative salary,
we do not offer benefits that could reduce your upfront salary,
such as gym memberships, prepaid healthcare,
bonuses or food allowances, etc.
Our commitment is to offer you a salary
that values your knowledge, skills, and abilities;
what you choose to do with that salary is then up to you.
In addition, our contribution to your retirement funds
is based on
100% of your salary,
which means your retirement savings
grow at their maximum level without being decreased
by other benefits you may not want or use.
With time and money:
In time: The time you put into training, on workdays or weekends, can be reported and is then subject to compensation.
In money: Fluid Attacks pays for the professional certification tests you take which enhance your value as an employee.
No. It’s a professional development option
Fluid Attacks offers to its employees.
However, training for and receiving professional certifications
can only enhance an employee’s ability
to take on new roles and responsibilities,
as needed, within
It is not negotiable.
All the certifications sponsored by
follow the same funding model.
However, this model allows certain variations.
For example, an employee can decide
to not pursue a professional certificate
or to pay for the certifications or the materials themselves,
in which case the funding is not required.
It is also possible to quit before the
48-month period ends,
in which case the funding will be proportional.
Finally, any professional certification,
along with the knowledge acquired,
is a skill the employee takes with them
when or if they leave the organization.
Nothing happens if you do not pass the certification test
unless you are not willing to keep trying.
Although Fluid Attacks values the results of a test,
we also highly value the experience and knowledge
you gain by going through the process;
this is why there is no salary adjustment
when you obtain certification nor when you fail to obtain it.
Fluid Attacks may sponsor your retests indefinitely,
as long as there is evidence,
as reflected in your training time reports,
of your continued effort to gain certification.
We have people who have taken the same certification test multiple times,
always with the sponsorship of
Finally, if you don’t pass and don’t want to keep trying to pass,
there would be a monthly salary deduction
during the following
and in case of your resigning your position,
this amount will be subtracted from the settlement pending balance.
The exact value is determined at the time of purchase
because it varies depending on the certification,
the components you want to cover (test or official material),
price variations on the vendor’s side, etc.
For reference purposes,
certifications cost between
Every talent should agree with their direct leader
on a personal reference schedule of
48 hours per week
from Monday to Friday, starting at
This reference schedule must intersect
of our customers schedules (
However, this schedule is only a reference:
you must take into account the timing of your duties
and give notice in due time, without asking permission,
of any exceptions to your reference schedule.
This grants you autonomy and freedom
without paperwork when your role and commitments allow it.
There is zero tolerance for missed deadlines
or missed meetings with third parties, whether customers or coworkers.
In the framework of the previous answer, yes.
We use an automated time report system called TimeDoctor.
TimeDoctor tracks activities in real time,
without any additional input from the employee.
This system logs all the activities
performed by an employee while they are working.
It can also be disabled when an employee is not working
and needs to perform personal activities.
There is no expected total working timeshare.
In exceptional cases when an employee exceeds
48 hours per week,
the organization adjusts assignments
and grants compensatory days as soon as possible.
why doesn’t the reported pay reflect 48 hours/week?
The reference schedule only defines
the work availability expectation for an employee.
We understand that each person has a different work pace
which may vary from week to week,
for this reason, expecting a rigid
every week is unrealistic.
It depends on whether you are working at a
Fluid Attacks' facility
or onsite at the client’s facility:
When working at a
Fluid Attacks facility there is no dress code.
We suggest you dress comfortably in business casual attire.
When working at a client’s facility we expect you to comply with the client company’s dress code.
Fluid Attacks does not ask you to work nights or weekends,
however, it may happen from time to time.
In a worst-case scenario,
in a year we may ask you to work
4 weekends and
This does not include situations
where you may have to work weekends or nights
in order to meet a client company’s project deadline
or meet your work commitment.
Employees work either at
Fluid Attacks facilities
or at our client company’s facilities.
See the answer to question 20 above.
Fluid Attacks does not allow telecommuting.
Work must be done on-site.
However, exceptions can be made allowing telecommuting
in extreme and extraordinary cases.
At Fluid Attacks, you can schedule vacations
even if you haven’t yet finished your work probationary period.
Vacations must be requested with a minimum of
30 calendar days
advance notice and for a minimum of
5 days including weekends.
When we receive your vacation request it is placed,
along with vacation requests from other employees,
in the order in which we received it.
Therefore, those who requested vacation time before you
will also be granted vacation time before you.
If you have an exceptional event that you have to attend,
you don’t need to request vacation time, just notify your supervisor.
Salary reviews are done under
3 possible circumstances.
The first circumstance is the yearly review.
The yearly review is mandatory, is initiated by
and occurs after an employee has worked for
12 months with the same salary.
The second circumstance is the extemporaneous review.
Extemporaneous reviews are optional,
are also initiated by
and occur before an employee has worked for
12 months with the same salary.
The third circumstance is the requested review.
Requested reviews are initiated by, and at, the employee’s request.
A salary review can result in a determination that your current salary is appropriate and hence, the salary is not changed, or it may be slightly adjusted regarding the legal minimum wage of the previous year. A salary review can also result in re-scaling, which means your current salary would be adjusted to a higher scale.
Your salary is determined by 3 factors: historical performance, long-term alignment, and group payment capacity.
Historical performance, within the framework of
Fluid Attacks' values
and processes, is represented as a constant value generation.
Long-term alignment indicates that your career goals
are completely aligned with the needs of our company.
Therefore, your long-term career plan
can be fully realized through your work with
Group payment capacity is an external factor
which defines the ability of
to fulfill commitments on a long-term basis.
Your salary is not affected by factors
such as your academic achievement, professional certifications,
seniority, work experience inside or outside
professional position within
Fluid Attacks' hierarchy,
previous salaries you may have received in different companies,
or your current salary expectations.
See the question above for the factors that determine salaries.
This means that there could be hackers or programmers
with higher salaries than their bosses,
and people with basic education earning more
than people with masters degrees.
Attaining professional certifications
does not necessarily increase your salary.
Salaries are only increased if historic performance
and long-term alignment are improved as a result of the new certifications,
and therefore, result in an increase in the employee’s knowledge and skills,
Fluid Attacks can afford such an increase in the long term.
For a new employee who has never previously worked for Fluid Attacks, historic performance and long-term alignment is defined by the new employee’s selection process. This is why the selection process is strict and rigorous. However, there can be two possible failures within this system. One is an underestimation of the new employee’s skills, abilities, and knowledge in which case we would perform an extemporaneous salary review. The other is an overestimation of skills, abilities, and knowledge which would result only in an inflation adjustment in a yearly salary review.
See question 23.
Fluid Attacks salaries range from $1.4M COP to $14M COP.
These values follow an exponential distribution,
meaning there are more people in the lower salary range
and fewer people in the higher salary range.
At Fluid Attacks, we have three unchanging, non-negotiable values:
HONESTY: We expect new employees to strictly abide by our ethics code,
to follow our working philosophy,
to always speak the truth using defined channels and in a respectful manner.
We expect all employees,
regardless of how long they have worked for Fluid Attacks,
will exercise maximum security in safeguarding
our company’s and customer’s confidential information.
In addition, our expectation is that employees
will use their hacking knowledge in a responsible manner.
Do not hack without authorization, even outside
TEAMWORK: We expect new employees to help their coworkers, whether team-players or team-leaders, in tasks the new employee may not like but the work requires. We expect new employees to work in a dedicated and focused manner on all assigned projects. We prefer projects to be finished early, but not at the expense of sacrificing work quality.
DISCIPLINE: We expect new employees to self-manage
without constant supervision,
to meet all deadlines without excuses,
to arrive on time for all commitments and meetings
with customers and coworkers,
to send deliverables with zero adjustments,
to work on the issues of the client’s company with effort and integrity,
and to actively innovate and start to improve
our client’s company and
Finally, we expect that all three unchanging, non-negotiable values will always be practiced and that over time they will be applied effortlessly, consistently and effectively.
Our motto says, "Find all vulnerabilities and report them as soon as possible." To meet this expectation a new employee must:
Program in innovative and functional ways.
Generate daily value in production deployments.
Search for ways to make things work. Do not make excuses to avoid doing them.
Hack the customer’s systems without being detected.
Extract as much information as possible from every customer’s system to help them understand the real impact of a vulnerability.
Document all vulnerabilities immediately after finding them.
Report all existing vulnerabilities.
Notify customers about installed backdoors, and uninstall them after finishing the project.
Hack as many systems as possible in the assigned time.
Find critical vulnerabilities including those that may not be obvious.
Share with and willingly teach coworkers any new hacking techniques.
Make meaningful contributions to Fluid Attacks' products.
Focus on your default activity when a lockout comes out (migration, product, blog articles, etc).
Search for solutions independently.
Be willing to learn, improvise, and create when a solution is not easily found. Ask for help if you need it, but do not simply expect someone else to solve it.
In general, we look for dedicated persons who are willing to share their knowledge and fulfill their roles with no excuses.
At Fluid Attacks we classify growth in 3 different areas:
authority, knowledge, and money.
Growth in authority is usually low
since we do not intentionally try to grow our workforce
but to have highly competitive products instead.
Therefore, our managerial positions are open
only when someone leaves a position
or when there are personnel retirements.
Our CEO started as a Support Engineer 10 years ago.
Growth in knowledge is high since we, not the customer, control the technologies we use. We constantly update our tools because we audit many customers and, therefore, we must learn the most current and emergent technologies within a very short timeframe. The projects are short and the learning is constant. In the security and hacking area, we have the experience and the track record to be considered the largest hacking company in Latin America.
Growth in money tends to be in the midrange
because salaries at
Fluid Attacks are not only attached
to the growth in authority (non-technical scale)
but also to the growth in knowledge (technical scale).
This is why it is common to find engineers
with higher salaries than their bosses (see question 23).
with my acquired knowledge and certifications?
Seniority, certifications, and knowledge
do not guarantee the evolution of your role.
An employee may occupy the same role for a long time,
have many certifications, learn many new technologies,
and still not improve their performance,
or use these factors to improve
For this reason, none of the previously mentioned variables
can guarantee the evolution of the role.
As an employee, you can evolve if your performance keeps improving
every trimester, if you follow the defined process,
and if you consistently deliver high-quality results.
Fluid Attacks has a simple philosophy.
If you consistently perform over the expected,
you are rewarded through a salary re-scaling.
The reward is more significant if it’s made within the first
The reward is always made in private
and results in a higher standard
for the future performance of the employee,
and hence another re-scaling will be more difficult to obtain.
No. If in a yearly salary review there is no salary re-scaling
it means that the assigned salary corresponds
to the historical performance and long-term alignment of
and is equivalent to our other employees
within the same variable salary range.
The more time an employee spends with
the farther their salary moves into the salary range
of the employees within that particular salary re-scaling group.
These re-scalings, in turn, become less frequent.
If an employee achieves a higher salary range,
but their performance or long-term alignment
is less than that expected by
a private conversation and an improvement plan will be initiated.
The requirements of the improvement plan
must be met within a stated time-frame
or the employee risks termination of employment.
All our technology is on
Kubernetes for ephemeral and production environments,
as well as for
Our infrastructure as code is made through
Gitlab as a Service
for these processes' orchestration
backends and attack weapons
are developed in
frontend is currently in migration to
only with stateless components.
backend is in migration to
All the documentation and the web page is built on
using a static generation strategy via
The operative systems on each workstation
depend on the employee’s preferences,
but we have a lot of
and security-focused derivatives such as
Some renegades use
On AWS we use serverless services:
Dynamo for databases,
S3 for high speed storage
RDS for relational databases.
clusters we use
to avoid the maintenance of complex cluster components.
We use external services such as
Okta for identity federation,
Rollbar for telemetry,
Rocket Chat for chatops,
Pluralsight for productivity analytics,
Mozilla SOPS for secrets management,
Helm for cluster management,
Launch Darkly for feature flags,
Burp for web attacks,
Canvas for infrastructure attacks,
Nessus for preliminary vulnerability analysis,
Fluid Attacks documents,
programs and configures infrastructure through source code.
This allows an extensive use of
a rigorous control of the changes and all
We follow a
trunk-based development as baseline,
having a unique long-term environment (production)
associated with a unique branch (
There are no other environments or feature branches.
We work under a
and therefore, we have relatively few repos.
Each developer has only one branch (zero inventory)
and developer branches must integrate to the master branch
Merge Commits are not allowed.
Our history is linear and hence constant rebasing is imperative.
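The two rules above (no merge commits, and a developer branch that always sits on the current tip of master) can be checked mechanically before a Merge Request reaches the merger. The following is an added example, not Fluid Attacks' own CI code; it assumes git is installed, that the trunk branch is named master, and the function `check_linear_history` and the sample repositories it is run against are constructed here.

```shell
#!/bin/sh
# Added example, not Fluid Attacks' own tooling: a pre-integration gate for
# trunk-based development with a linear history (no merge commits, branch
# rebased onto master). Assumes git is installed and the trunk is "master".
set -eu

# Identity for the constructed sample repositories below.
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# check_linear_history REPO BRANCH
# Returns 0 when BRANCH adds only non-merge commits on top of the current
# tip of master; returns 1 (reject, resend a new MR) otherwise.
check_linear_history() {
  repo=$1
  branch=$2
  # Any merge commit among the branch's own commits breaks linear history.
  merges=$(git -C "$repo" rev-list --merges "master..$branch")
  if [ -n "$merges" ]; then
    echo "reject: $branch contains merge commits" >&2
    return 1
  fi
  # The branch must fork from master's current tip, i.e. be fully rebased.
  base=$(git -C "$repo" merge-base master "$branch")
  tip=$(git -C "$repo" rev-parse master)
  if [ "$base" != "$tip" ]; then
    echo "reject: $branch is not rebased onto master" >&2
    return 1
  fi
  return 0
}

# Helpers that build constructed sample repositories in temporary directories.
empty_commit() { git -C "$1" commit -q --allow-empty -m "$2" >/dev/null; }

new_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q >/dev/null
  git -C "$dir" symbolic-ref HEAD refs/heads/master
  empty_commit "$dir" "base"
  git -C "$dir" checkout -q -b dev
  empty_commit "$dir" "feature"
  echo "$dir"
}

# dev sits directly on master's tip: accepted.
scenario_ok() { new_repo; }

# master moved on after dev forked and dev was never rebased: rejected.
scenario_stale() {
  dir=$(new_repo)
  git -C "$dir" checkout -q master
  empty_commit "$dir" "trunk moves on"
  echo "$dir"
}

# dev pulled master in with a merge commit instead of rebasing: rejected.
scenario_merge() {
  dir=$(scenario_stale)
  git -C "$dir" checkout -q dev
  git -C "$dir" merge -q --no-edit master >/dev/null
  echo "$dir"
}

for s in scenario_ok scenario_stale scenario_merge; do
  if check_linear_history "$($s)" dev; then echo "$s: accepted"; else echo "$s: rejected"; fi
done
```

In a real pipeline the same function would be run against the developer's branch in the checked-out repository, with master fetched first so the tip comparison is current.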
There are no test analysts or quality assurance,
therefore the manual tests are performed by the developer
following the established evidence protocol
that must contain every
The developer is responsible for the automation tests,
whether unit or integration.
Some products already have a test suite
with 90% coverage on their effective lines of code.
Every developer is responsible for their changes (real
for monitoring the technologies through telemetry tools (
and to perform
rollback if necessary.
We use CI/CD tools extensively on each production deployment,
reaching a total of 5.7 daily deployments.
Every deployment can be made at any time,
so there are no system maintenance windows
or associated late-night operations.
We expect every developer to deploy at least
1 change per day,
with it being desirable that they deploy more than
To this end, we use the
(production deployments with less than
in addition to Feature Flags activation if necessary.
CI runs the linters in strict mode
(breaking the build on the slightest anomaly);
this keeps the applications easy to maintain and evolve
because the code is so homogeneous
that it is not possible to tell who programmed it.
All the changes must pass through a
Peer Review process
before the integration to the master branch.
This process is made by a coworker
with deep knowledge of the repository (merger)
and who rejects approximately
30% of the
forcing the developer to review and resend the changes
in a new
Merge Request (transactions over conversations).
Infrastructure is immutable,
therefore the containers don’t have
management interfaces for modifications.
This makes root users obsolete,
as well as the associated key management.
All of the above means we do not use
nor any derivation since we consider it obsolete
for this ultra-fast development approach.
Our long-term technological vision is to publish, on the internet, all our application and infrastructure repositories. We believe that transparency in source code forces us to comply with the highest security and quality standards. It lets the public audit and review the code themselves, helps them build confidence in the work done, and forces us to remove any key or sensitive information stored in the code, thus allowing us to disclose the work done by our engineers.

We believe in simple architectures, even monoliths. Given the size of our organization, micro-services represent architectural over-sizing rather than a real need.

We believe in functional programming even in languages that do not require it. For us, this reveals more about our conviction regarding how to code than a philosophical debate about tools. In the same sense, we prefer static typing over dynamic typing, even if it is achieved using additional linters. The goal is to stick to existing tools instead of reinventing the wheel.