Hard2bit
Careers · talent · spontaneous applications SOC · DFIR · GRC · Pentest · R&D in AI · Systems

Join Hard2bit — a cybersecurity team that practises what it preaches

We work every day with regulated clients (banking, healthcare, public administration, industry, energy, higher education, retail and B2B SaaS) under our own frameworks: ENS HIGH category, ISO 27001 and four further audited ISOs. We have our own products and an in-house R&D programme on defensive AI recognised as a Spanish Innovative SME. If you're after a demanding technical team, no fluff and room to grow in depth, this is the place.

  • Hybrid model from Madrid
  • In-house defensive-AI product
  • Recurring operations, not one-off projects
  • Small teams, technical decisions close to the work

Operational HQ: Leganés Technology Park (Madrid)

Registered office: Las Rozas (Madrid)

Common areas: SOC · DFIR · GRC · Pentest · R&D · Systems

Why Hard2bit is a good place to grow technically

We operate under the same frameworks we recommend to our clients

Hard2bit holds ENS HIGH category certification (RD 311/2022) and ISO/IEC 27001:2022, with five in-house ISO certifications (27001, 22301, 20000-1, 9001, 14001) and the Spanish Innovative SME seal. That means the team works inside an actually audited management system, with clear rules, evidence and continuous improvement. It's exactly what we recommend to our clients.

Areas where we usually hire

Where your application might fit

We're always interested in people with a good attitude, curiosity and a clear willingness to contribute. Beyond whichever positions are open at any given moment, if you bring those three ingredients and your profile fits one of the areas below, send a spontaneous application: we review it whenever a process opens and reach out when there's a match.

SOC and MDR — managed detection and response

Tier 1, 2 and 3 security analysts, detection engineers, threat hunters and triage specialists. The SOC operates 24/7 for regulated clients (financial services, healthcare, public administration, industry) under criticality-based SLAs.

Incident response and digital forensics (DFIR)

Incident responders and digital forensics analysts for our 24/7 retainer, chain-of-custody work and support during disciplinary, regulatory or judicial proceedings. Incidents in critical sectors don't wait for office hours.

GRC and regulatory consulting

Compliance consultants implementing and maintaining ENS, ISO 27001, NIS2, DORA, GDPR and sector-specific frameworks (ISO 27019, IEC 62443, PCI DSS). We work with real auditors and supervisors, not on slide decks.

Penetration testing and Red Team

Web, infrastructure, cloud and identity penetration testers. Red team operators with TIBER-EU expertise for financial-services clients under DORA. Open to OSCP, OSWE, CRTO, BSCP holders or candidates with equivalent verifiable experience.

Software development and R&D in defensive AI

Developers (Python, TypeScript, full-stack), ML engineers applied to cybersecurity and compliance, MLOps and measurable prototyping. We work on our own products: NormexAI (AI applied to compliance and governance) and CortexShield. Recognised as Spanish Innovative SME.

Systems, infrastructure and 24/7 operations

Sysops, platform engineering and systems administration for the managed services we deliver. Without solid sysops there is no SOC and no defensible compliance.

Technical sales and pre-sales

Consultative profiles with real technical knowledge to support regulated clients from discovery to contract, including responses to public-sector tenders and enterprise due diligence. This is not transactional sales.

What we offer

In exchange for your work, this is what you get

We talk straight: no overhyped perks and no empty slogans. What we can guarantee is a demanding technical environment, genuinely certified frameworks and projects with real clients who reach us because the operation actually delivers.

Demanding technical team

Colleagues who know what they're talking about. No vapourware, no slide decks promising what operations later can't sustain. Technical discussion is part of the daily routine, not an exception.

We practise what we preach

Hard2bit holds ENS HIGH category certification (cert. ENS_2.026.061), ISO/IEC 27001:2022, ISO 22301, ISO 20000-1, ISO 9001 and ISO 14001. We operate under the same frameworks we recommend to our clients. Not theory — our day-to-day reality.

In-house product and real R&D

We have our own products (NormexAI and CortexShield) and an in-house R&D programme on defensive AI. Recognised as a Spanish Innovative SME. If you're interested in the intersection of applied research and product, there's room for that profile.

Hybrid model from Madrid

Operational headquarters at Leganés Technology Park (Avenida Juan Caramuel, 1) and registered office in Las Rozas. We work in a hybrid mode: combining on-site presence and remote work depending on the role and project phase.

Continuous training and certifications

We support continuous learning and the technical and management certifications relevant to each role. Cybersecurity moves fast and staying up to date is part of the job, not something done at weekends.

Serious clients and projects

We work with clients in regulated sectors: banking and financial servicing, insurance, public and private healthcare, the Spanish public sector, industry and manufacturing, energy and higher education. Projects demand rigour and deliverables are measured.

Team culture

How we work, day to day

Four principles we actually apply — not a decorative plaque in the lobby.

Technical honesty over posturing

If a vulnerability is critical, we say it's critical. If a control won't survive an audit, we say so. If we don't know something, we say it. Credibility in front of a regulated client is built on truth, not on glossy materials.

Recurring operations, not one-off projects

Most of the work is recurring: SOC/MDR, vulnerability management, vCISO, 24/7 retainers. That means stability, technical depth with each client and very little artificial churn between short projects.

Small teams with real autonomy

We're not a mass consultancy. Teams are small, technical decisions are made close to the work, and authority is earned by demonstrating judgement — not through seniority or hierarchy.

Measurable work

Services are delivered with SLAs, KRIs and auditable evidence. What we commit to is measured and reported. That requires discipline, but it also protects the team: expectations are clear from day one.

Hiring process

From CV to offer

A short, transparent process designed not to waste anyone's time. Specific steps may vary by role, but the overall shape is the same.

  1. You send your application

    Email info@hard2bit.com with your CV (and portfolio or GitHub if relevant to the role) and a few lines explaining which area interests you and why Hard2bit. You can also use our contact form with the "Careers" reason selected.

  2. Initial conversation

    A first video call with the lead of the area you applied to. We discuss your background, what you're looking for, what we offer and clear the obvious questions before either side invests more time.

  3. Role-specific technical exercise

    A short, focused exercise that mirrors what you'd actually do in the role. For technical roles, closed practical cases with a reasonable time box. For consulting roles, client scenarios. No traps and no "let's see if you give up" exercises.

  4. Final technical interview

    A conversation with two or three team members: we go through the exercise, dig into the technical aspects of the role and discuss how your work would fit with the wider operation. It's a two-way street — we also answer hard questions about how we work.

  5. Offer and onboarding

    If there's a fit, a concrete proposal with conditions, area, location and onboarding plan. Onboarding is designed so new joiners understand the frameworks (ENS, ISOs), the tooling and the processes before making operational decisions.

Frequently asked questions

FAQ — careers at Hard2bit

The questions we hear most often during selection processes, answered with the same straightforwardness we'd use in an initial conversation.

Are there specific open positions?

The catalogue of live vacancies changes often and is not always published here. If your profile fits one of the areas listed, send a spontaneous application: we keep it on file and review it when a process opens. If a suitable opening is already running, we'll get back to you within a few days.

Is this a fully remote position?

No. We work hybrid from Madrid. The exact split depends on the role and the project, but most positions combine office time (Leganés) with remote work. For some very specific roles we can consider greater geographic flexibility, but this is not the default.

Do you accept interns or junior candidates?

Yes, especially in SOC, GRC and software development. Attitude and technical judgement weigh as much as years of experience. For junior profiles we value personal projects, CTF challenges, open-source contributions or, in GRC, specific training paths.

Which certifications do you value?

It depends on the area. In offensive security, OSCP, OSWE, CRTO, BSCP or equivalents. In defence and SOC, GIAC, Microsoft SC, vendor-specific EDR/SIEM certifications. In GRC, ISO 27001 LA/LI, ENS, NIS2 lead implementer and similar. In development and AI we don't require a specific certification — what counts is the code.

Do you work with a modern stack?

On the development side, yes: Python and TypeScript are common, with modern stacks depending on the product. In managed-services operations we work with the full real-world spectrum found at regulated Spanish clients: Microsoft 365 and Entra ID, on-prem and cloud infrastructure (Azure, AWS, GCP), Linux and Windows environments, and SIEM/EDR tooling from multiple vendors.

What exactly do you do with defensive AI?

We run an in-house R&D programme focused on applying artificial intelligence where it brings real value (governance, compliance, detection, auditable automation) and on honestly evaluating commercially available AI. The output materialises in our own products: NormexAI (compliance and governance) and CortexShield. Internal stance: if it can't be audited, it shouldn't be automated.

What's the salary?

Compensation is calibrated to the role, the verifiable experience and the criticality of the position, in line with the Spanish cybersecurity market for mid and senior levels. The exact figure is discussed in the initial conversation, before the technical exercise, so neither side wastes time.

What happens to my application data?

We process it under Hard2bit's Privacy Policy and keep it only as long as necessary to evaluate the application and, with your express consent, for future processes. You can exercise your data rights at any time by emailing info@hard2bit.com.

Let's talk

Send your application and we'll review it

If your profile fits one of the areas above, send your CV with a few lines about what you're looking for and why Hard2bit. If we have a process running that matches, we'll get back to you within a few days; if not, we'll keep your application on file with your express consent for future processes.

Page reviewed: 2026-04-29. Hard2bit · Cybersecurity company in Spain since 2013 · Operational HQ: Leganés Technology Park (Madrid) · Registered office: Las Rozas (Madrid).