Ethical Hacker

How do you make our customers happy?

You patch vulnerabilities before the bad guys find them. As an Ethical Hacker, you probe every corner of bol’s digital landscape to identify and eliminate potentially exploitable weaknesses. Your offensive security work directly protects 13.7 million customers and 47,000 partners by ensuring real attackers never have a chance. Professional paranoia with a purpose: you assume everything can be hacked, then prove or disprove that assumption systematically.

The biggest challenge

Risk prioritization in a fast-moving environment. You can’t test everything simultaneously, so which system deserves your attention first? The new checkout flow handling millions in daily revenue, or the internal tooling that could expose employee data? How do you balance thorough penetration testing with the reality that product teams need to ship new features? You make these judgment calls, fully cognizant of the impact of false alarms and missed threats.

What You'll Do As Ethical Hacker

You’re joining the Security Operations team – a purple squad where red team offense and blue team defense collaborate to ensure bulletproof platform protection. The team includes six security specialists: you, a fellow ethical hacker, and five security engineers focused on the defensive side. Together, you secure bol’s entire technology landscape, from customer apps to our cloud infrastructure and warehouse conveyor belt control systems.

Responsibilities

As an Ethical Hacker, you’re the offensive specialist. You conduct penetration tests, both at the request of product teams and on your own initiative, prioritizing based on risk levels rather than political pressure. High-risk environments are at the top of the list; low-risk systems can wait their turn. Beyond active testing, you participate in ‘break stuff on paper’ sessions where teams proffer technical designs for you to rip to shreds before a single line of code gets written. You perform vulnerability assessments across applications, systems, and networks, and help product teams with threat modeling to assess risks inherent in their solutions. The Security Operations team also owns incident management, maintaining visibility into bol’s overall security posture and running company-wide security awareness initiatives. When a security alert triggers, you’re expected to step up. Key responsibilities:

• Pentest web applications, cloud infrastructure, and on-premise networks
• Perform quick security assessments and in-depth vulnerability analysis, choosing the right approach for each situation
• Review technical designs and facilitate threat modeling sessions with product teams
• Demonstrate attack vectors and help engineering teams understand exploitation techniques
• Maintain awareness of emerging threats and adapt your methodology accordingly
• Communicate findings clearly to both technical and non-technical stakeholders
• Serve as the go-to security resource when software engineers have questions
  
  

Why you can make a difference

You combine proven ethical hacking experience across diverse technologies with the rare ability to explain security risks without making people defensive. Your technical depth spans internet-facing web applications, cloud-native environments (ideally GCP with Kubernetes), and traditional infrastructures. You’re equally comfortable conducting rapid security checks as you are diving into week-long penetration tests, knowing instinctively which approach fits which scenario.

Your experience in engineering-driven environments where open-source tooling dominates means you understand bol’s build-it-ourselves culture. We leverage existing libraries and frameworks, but most of our solutions are homegrown. Familiarity with our stack (Linux, Tomcat, Java, Spring microservices) is valuable, but more important is your ability to spot what others miss: that overlooked edge case, that subtle flaw, that chained exploit nobody considered. You’re a self-starter who organizes work effectively (Jira, Kanban, Scrum – whatever gets the job done) and views being ‘always available’ as an opportunity to prevent issues, not a burden.

3 reasons why this is (not) for you Switch to find out

• - Compliance checkbox ticker You prefer running quarterly penetration tests to continuously probing new attack surfaces
• - Lonesome white hat You want to find vulnerabilities, file them dramatically, and ride off into the sunset without helping teams understand or remediate them
• - Defensive purist You believe security should shut down hint of risk, even if that means we never release a new feature
• + Professional vulnerability hunter You get genuine satisfaction from discovering security flaws before attackers do, and even more from helping teams fix them
• + Talented translator You can switch seamlessly between demonstrating exploit chains to engineers and explaining business risk to non-technical stakeholders
• + Collaborative breaker You see security teams and product teams as allies with shared goals, not adversaries in an eternal struggle
  
  

Where you'll work

You’ll join our Security Operations team at bol’s Utrecht headquarters, working alongside a fellow ethical hacker and five security engineers who handle defensive systems and incident response. The atmosphere is pragmatic and tech-driven: we love what we do, welcome new ideas, and treat everyone as equals regardless of tenure. We are passionate about security, so expect strong opinions easily dislodged by facts and healthy debates about the best approaches. Our security landscape constantly evolves – there’s always something new demanding attention, which means there’s never a dull moment. We challenge ourselves and each other to find optimal solutions, not perfect ones. Ready to professionally break things before the bad guys do?

We take pride in our B Corp certification and strive for continuous improvement every day. Our annual bonus is tied to sustainability goals, and we are committed to equality and equal opportunities for all.