Join a small, deep engineering practice — not a consultancy.
Yinkozi hires senior security engineers to do the hardest work in cybersecurity for tier-1 customers — banks, payment providers, government bodies, energy operators. Multi-year relationships, real engineering depth, no body-shop pentest model.
Senior engineers who want to do real work.
We hire deliberately. The team is small. Every hire holds context for serious customers, ships custom tooling, and stays in the work for years. We are not for someone looking for entry-level pentest experience.
Five to fifteen years of practical security work. As comfortable reading C as auditing IAM policies. Has shipped tooling, not just findings.
Firmware extraction, fault injection, side-channel analysis, secure-element evaluation. The work that has graduated into our hardware lab.
iOS and Android binary analysis, custom Frida instrumentation, anti-tamper bypass research. Real-device fleet experience.
Multi-cloud IAM-graph reasoning. AWS / Azure / GCP at organisation scale. Comfortable building custom analyzers, not running SaaS dashboards.
Prompt-injection research, agentic-system attack patterns, model-integrity work. Thinking about LLMs as systems, not as oracles.
People who can build a security toolchain end-to-end for an organisation that cannot use commercial SaaS. Sovereign-deployment patterns.
What it is like inside the firm.
Most of what we work on is the same customer for years. The methodology compounds. The instrumentation we built last quarter still works this one.
We do not run the body-shop pentest model. People are not chargeable units. Quality of work is the lever — not utilisation rate.
We are deliberately small for the work we take on. Each engineer holds context for one or two customers, not eight.
Real PLCs, real terminals, real low-end Android phones, real signed firmware. We test against the conditions our customers actually face.
We build internal tooling, including local LLM-based helpers. Customer material never leaves the engagement boundary.
Cape Town and Dubai are operating offices. The team beyond that is distributed across Africa, Europe, and the Middle East. Async-friendly, occasional travel for sensitive on-site work.
The shape of the firm we are not.
We do not run an entry-level pentest line. Junior engineers do not get billed out as senior consultants. We are not the right place to learn the field from scratch — we are the place to do the deep work after you have learned it elsewhere.
We do not run a utilisation-driven model. Engineer hours are not the unit we sell — quality of work is. Senior people are expected to spend time on tooling, research, and methodology between engagements.
We do not have an "AI-driven offering" we need staff to operate. We use local LLMs as internal tooling, never as a substitute for an engineer.
How to reach us.
We hire continuously, deliberately, and only when the right person appears for a real engagement need. We do not maintain a public job board.
If you have built systems, found bugs, shipped tooling, and your work is verifiable — write to us. Include public artefacts where you have them: CVEs, conference talks, open-source tools, advisories, papers. The application process starts with a conversation.