Zorky CRM
@ekaterinovikova

Application Security (AppSec) in IT: the CIS and European market

An Application Security Engineer (AppSec) is a security specialist focused on product code security. Where the sister discipline DevSecOps concentrates on CI/CD pipelines, IaC and runtime, AppSec concentrates on code review, threat modelling, vulnerability triage, secure coding patterns and bug bounty programs. The family of roles: AppSec Engineer (mid-level; product code security for one team), Senior AppSec Engineer (multi-product ownership, threat modelling lead, bug bounty triage), Product Security Engineer (alternative title; Meta / Google / Apple naming), AppSec Architect (org-wide secure design patterns and security reference architectures), Bug Bounty Triager / Security Researcher (internal; manages incoming reports from HackerOne / Bugcrowd / Standoff), API Security Engineer (rising since 2024 with the growth of the API attack surface; OWASP API Top 10 specialty).

The 2026 stack. SAST (Static Application Security Testing): Semgrep (rising in 2026: fast, custom rules in YAML, large community rule packs; the leader for new projects), SonarQube / SonarCloud (mature; a code quality and security hybrid), CodeQL (GitHub Advanced Security; best for GitHub-native shops, semantic query language), Checkmarx (enterprise, premium pricing), Veracode (enterprise SAST + SCA + DAST platform), Coverity (enterprise C/C++ and Java; formerly Synopsys, sold under the Black Duck name since Synopsys spun off its software integrity group in 2024), Fortify on Demand (OpenText; legacy enterprise). DAST (Dynamic Application Security Testing): OWASP ZAP (the free standard, automation-friendly), Burp Suite Professional (PortSwigger; the industry standard for manual pentesting plus automation), Acunetix, StackHawk (modern DAST in CI), Detectify, Bright Security. SCA (Software Composition Analysis): Snyk (dominant in 2026; best UX and integrations), Dependabot (GitHub's free baseline), Renovate (advanced auto-PRs; better for monorepos), Sonatype Nexus IQ, FOSSA (license compliance leader), JFrog Xray. IAST (Interactive AST): Contrast Security (leader; runtime instrumentation), HCL AppScan, Veracode IAST.
API security (rising since 2024): Salt Security (leader in API discovery and posture), Noname Security (acquired by Akamai in 2024), 42Crunch (OpenAPI-first), Traceable, Wallarm (Russian-origin, now global); the OWASP API Security Top 10 is the reference framework. Threat modelling tools: Microsoft Threat Modeling Tool (free desktop), OWASP Threat Dragon (open source), IriusRisk (enterprise, automation-driven), Tutamen. Methodologies: STRIDE (Microsoft), PASTA (process-driven), LINDDUN (privacy-focused), attack trees. Bug bounty platforms: HackerOne (largest, US-based), Bugcrowd, Intigriti (European leader), YesWeHack (French), Synack (vetted researchers, premium). Russian: Standoff Bug Bounty (Positive Technologies; the largest in Russia), Bug Bounty Russia. Secure code review tooling: GitHub Advanced Security (Code Scanning + Secret Scanning + Dependabot bundled), GitLab Ultimate security features (SAST / DAST / container / dependency scanning built in). Runtime application self-protection (RASP): Contrast Protect, Imperva RASP, Signal Sciences (Fastly; now Next-Gen WAF). Web Application Firewall (WAF): Cloudflare WAF (dominant in 2026; best UX, global edge), AWS WAF, Imperva (enterprise), Fortinet FortiWeb, F5 Advanced WAF, Akamai App & API Protector. Russian: Wallarm, Kaspersky DDoS Protection (includes a WAF), Qrator. Crypto review tools: testssl.sh (TLS configuration auditing), Qualys SSL Labs, Cryptosense. Auth / authz expertise: OAuth 2.1, OIDC and SAML in depth; JWT pitfalls (alg=none, HS256/RS256 key confusion, secret rotation); session management patterns (HttpOnly and SameSite cookies, CSRF tokens); OWASP ASVS (Application Security Verification Standard; the comprehensive checklist). Vulnerability disclosure: designing CVD programs, the CVE assignment process, advisory writing. Compliance frameworks (overlapping with general security): OWASP SAMM (Software Assurance Maturity Model) and BSIMM (Building Security In Maturity Model) for benchmarking AppSec posture.
Language-specific vulnerability knowledge: Java (Log4Shell-class JNDI injection, deserialization), .NET (BinaryFormatter deserialization, ViewState), Python (pickle, yaml.load without SafeLoader, shell injection via subprocess with shell=True), JavaScript / TypeScript (prototype pollution, context-aware output encoding against XSS, npm supply chain), Go (path traversal, SSRF, time-of-check / time-of-use races), Rust (auditing unsafe blocks, where the borrow checker's guarantees no longer apply), C / C++ (memory safety: buffer overflows, use-after-free, integer overflow). Languages: Python as the primary language for custom security tooling, JS / TS for frontend AppSec, plus reading knowledge of every language in the target code bases. According to Zorky CRM data there are 94 active vacancies with a median of $10,833/month. Top stack: go, databricks, kubernetes, typescript, python. 57.1% are remote. Senior AppSec Engineer: $6,000-10,000/month; Russian banks and Russian security vendors: $7,000-10,500; international tech (Snyk / Veracode / Checkmarx / GitHub Advanced Security / HackerOne): $9,000-15,000+ for Senior; Big Tech product security (Meta / Google / Apple / Microsoft MSRC): $14,000-22,000+ for Senior.

Updated: 29.05.2026, 19:02:04
Opened in the last 3 months: 94 live positions
Median per month: $10,833
Remote: 57.1%
Top stack: go (29 vacancies)

Comparison with other specializations

The Security track contains 7 specializations. The current one, Application Security (AppSec), is highlighted in blue; compare it with its neighbours by number of open vacancies and median salary.

Demand dynamics

AppSec is a growing security segment in 2024-2026, driven by: shift-left becoming mainstream (security checks at every SDLC stage), supply chain attack pressure (SolarWinds, Log4Shell, xz-utils and a continuous stream of npm package compromises), API attack surface growth (the explosion of REST + GraphQL + gRPC microservices, which pushed adoption of the OWASP API Top 10), the review burden of AI-generated code (GitHub Copilot produces code that still needs AppSec review), and bug bounty programs scaling up. Russian banks dominate because of a regulatory mandate. Russian AppSec product vendors: Positive Technologies (PT Application Inspector, the largest Russian SAST), Wallarm (API security, global), Kaspersky, BI.ZONE, ScanFactory. International remote work comes via Snyk / Veracode / Checkmarx / Synopsys / HackerOne / Bugcrowd / Big Tech product security.

How many new vacancies appear each week.

Distribution by level: dynamics

How the share of Junior/Middle/Senior/Lead among open vacancies changes week by week. A drift towards Senior usually signals a mature market for the specialization, where companies look for ready-made specialists; the opposite, growth in Junior, signals expansion and teams being staffed from scratch.

Share of each level as a percentage of all vacancies with a stated grade that week.

Salary by level

Typical entry at Junior: a Backend Senior with an interest in security (programming depth is already there; only the security techniques are missing), a Middle Security Engineer who wants code-deep work, or a bug bounty hunter with a track record. Career flow: Backend Senior (3-5 years) + interest → AppSec Junior (1-2 years) → Middle (2-3 years) → Senior → then AppSec Architect, Bug Bounty / Security Researcher, API Security specialist, or the CISO / Product Security track.

Median salary (USD/month) at each grade plus the increase over the previous grade.

Level | Median $/month | Change vs previous | Vacancies with salary
Junior | | | 0
Middle | | | 1
Senior | | | 1
Lead | | | 1

The biggest pay jump is between Senior and Lead (+58.2%); note that the Middle, Senior and Lead figures each rest on a single vacancy with a stated salary, so treat the percentage as indicative only.

Salary distribution: dynamics

The median AppSec salary, $10,833/month, is the premium segment of the security track. Most vacancies fall in the $5-9K range. $10K+: Senior with threat modelling lead and bug bounty triage. $12K+: Senior at international tech companies (Snyk / Veracode / Checkmarx / HackerOne / Bugcrowd / Contrast Security). $14K+: Senior+ in Big Tech product security (Meta / Google Bug Hunters / Apple Security / Microsoft MSRC / Amazon AppSec).

Share of vacancies in each price band, week by week.

65% of vacancies fall in the $5-8K band (the core market). The high segment, $8K+, is 23%, typically US-remote or senior international roles.

Hiring geography

The leader by number of AppSec vacancies is EN (46 positions). Russia: banks plus Positive Technologies, Kaspersky, BI.ZONE, Wallarm, ScanFactory and the EPAM Security Practice dominate. Poland is an AppSec-friendly EU hub. Germany: the Berlin AI cluster and Munich enterprise. A large international remote segment comes via Snyk / Veracode / Checkmarx / Synopsys / HackerOne / Bugcrowd / Intigriti / YesWeHack and Big Tech product security.

Distribution of vacancies by country.

These numbers reflect the distribution across the sources we parse. Poland often looks dominant because of our dense coverage of NoFluffJobs / JustJoin.it / Pracuj: the Polish IT market really is large, but its share in our sample is overstated relative to the true volume of all IT vacancies in the region. The same applies to the other top countries: this is "where our parsers look", not "the true size of the market".

Remote / hybrid / office: dynamics

57.1% of AppSec vacancies are remote or hybrid. AppSec work is primarily code review, SaaS tooling and remote collaboration. Outsourcers are almost always remote. Russian banks and product companies are hybrid. International tech companies and bug bounty platforms are full-remote by default. Bug bounty hunters can be fully independent (a full-remote lifestyle funded by bounty payouts).

How the share of each work format changes week by week.

89% remote. The specialization adapts well to the remote format.

Top technologies in demand

The top AppSec stack for 2026: SAST (Semgrep, rising in 2026; SonarQube / SonarCloud; CodeQL on GitHub; Checkmarx; Veracode; Coverity, formerly Synopsys; Positive Technologies PT Application Inspector in Russia), DAST (OWASP ZAP as the free standard, Burp Suite Pro as the industry standard, Acunetix, StackHawk, Detectify), SCA (Snyk dominant, Dependabot, Renovate for monorepos, Sonatype Nexus IQ, FOSSA, JFrog Xray), IAST (Contrast Security as leader, HCL AppScan, Veracode IAST), API security rising since 2024 (Salt Security as leader, Noname, 42Crunch OpenAPI-first, Traceable, Wallarm, Cequence), threat modelling tools (Microsoft Threat Modeling Tool, OWASP Threat Dragon, IriusRisk, Tutamen) with the STRIDE / PASTA / LINDDUN / attack tree methodologies, bug bounty platforms (HackerOne, Bugcrowd, Intigriti, YesWeHack, Synack, plus Standoff and Bug Bounty Russia), secure code review (GitHub Advanced Security, GitLab Ultimate security), RASP (Contrast Protect, Imperva RASP, Signal Sciences), WAF (Cloudflare WAF dominant, AWS WAF, Imperva, Fortinet FortiWeb, F5 Advanced WAF, Akamai App & API Protector; Wallarm, Kaspersky DDoS Protection and Qrator in Russia), crypto review (testssl.sh, Qualys SSL Labs, Cryptosense), auth / authz (OAuth 2.1, OIDC, SAML, JWT pitfalls, OWASP ASVS), language-specific vulnerability knowledge (Java deserialization, .NET BinaryFormatter, Python pickle, JS prototype pollution, Go path traversal, Rust unsafe blocks, C/C++ memory safety), and Python as the primary tooling language plus JS / TS and reading knowledge of all target languages.

go: 29
databricks: 11
kubernetes: 11
typescript: 8
python: 8
rails: 7
aws: 6
terraform: 6
visio: 6
clickhouse: 5

Technology combinations

Frequent pairings: Semgrep + Snyk + Burp Suite Pro (the modern AppSec triple), CodeQL + Dependabot + GitHub Advanced Security (the full stack for a GitHub-native shop), Checkmarx + Veracode + Synopsys (enterprise commercial), OWASP ZAP + Burp + Postman (manual plus automated pentesting), 42Crunch + Salt Security + Noname (API security stack), Microsoft Threat Modeling Tool + IriusRisk + OWASP Threat Dragon (threat modelling toolkit), HackerOne + Bugcrowd + Intigriti (multi-platform bug bounty), Cloudflare WAF + Contrast RASP + Salt API (defence-in-depth runtime stack). Learning roadmap: Backend Senior fundamentals → OWASP Top 10 + ASVS → PortSwigger Web Security Academy (must-do) → Burp Suite mastery + BSCP certification → SAST hands-on (Semgrep + CodeQL) → SCA hands-on (Snyk) → threat modelling practice (STRIDE + the Microsoft tool) → bug bounty hands-on (HackerOne / Bugcrowd) → API security (OWASP API Top 10 + 42Crunch) → cryptography for developers → language-specific vulnerability deep dives → offensive certifications (OSCP → OSWE, the premium one) → pet-project portfolio.

Which technology pairs most often appear together in one vacancy.

databricks + rust: 32
devsecops + go: 30
devsecops + python: 27
go + rust: 23
rust + visio: 23
databricks + visio: 23
go + kubernetes: 21
devsecops + golang: 19
go + golang: 19
golang + kubernetes: 19
devsecops + kubernetes: 19
aws + gcp: 18

Where we see these vacancies

AppSec vacancies: hh.ru (especially banks, plus Positive Technologies / Kaspersky / BI.ZONE are active there), Habr Career, getmatch, Djinni, LinkedIn (a huge international AppSec segment), NoFluffJobs / JustJoin.it (Poland), Telegram (@appsec_ru, @bug_bounty_ru, @cybersec_jobs, @security_ru), the career sites of EPAM Security Practice / Luxoft AppSec / Andersen / DataArt Security, the specialised boards cybersecjobs.com, infosec-jobs.com and cyberseek.org, Y Combinator security startups, Russian security vendor careers pages (ptsecurity.com / kaspersky.com / bi.zone / wallarm.com / scanfactory.io), internal hiring at bug bounty platforms (HackerOne / Bugcrowd / Intigriti / Standoff), RSA Conference / Black Hat / DEF CON AppSec Village.

Telegram channels: 2% (13)
Job boards and sites: 98% (632)

Application Security (AppSec) vs other tracks

AppSec overlaps with DevSecOps (CI/CD security; ~50% overlap), Security Engineer (general; broader scope, ~30% overlap), Pentester (offensive perspective; ~40% overlap), API Engineer (modern API design), Backend Engineer (the programming-depth requirement) and Cloud Security (the cloud/app intersection). The comparison with security-engineer / cloud-security / iam / pentest / soc / network-security is in the sibling-specializations chart above.

Volume of open vacancies by IT track.

Backend: 4,867
Full-stack: 3,372
Data Engineer: 2,380
Sales: 1,937
DevOps / SRE: 1,816
AI / ML / DS: 1,638
QA / Testing: 1,593
Architecture: 1,457
Frontend: 1,070

Fresh vacancies

Fresh open AppSec Engineer vacancies: the last 10 positions with an acceptable description quality. The full list is in our CRM or via the "see all" link below.

Senior Application Security Engineer: Reston, VA. Reston, 14,765 USD, today. Tags: go, rest, solid
Application Security Engineer. ~$6,930/month, today
Sr. Product Security Engineer (Starlink). Bastrop, TX, today. Tags: go
Product Security Engineer (Starshield). Washington, DC, today. Tags: go
Product Security Engineer (Starlink). Redmond, WA, today. Tags: go
Manager, Product Security Foundations. Costa Mesa, California, United States, 2 days ago. Tags: visio
Senior Application Security Engineer. United States - Remote Opportunity, 3 days ago
Sr. Security Engineer, Amazon Stores Security AppSec. London, ~$5,816/month, 6 days ago. Tags: rust
Product Security Engineer. Remote - US, 6 days ago. Tags: typescript
Senior Security Engineer, Application Security. Bellevue, WA; Menlo Park, CA, 7 days ago
See all 94 vacancies

What we can offer

If you work with Application Security (AppSec) vacancies or hold the role yourself, we can solve a specific task for you. Pick a format and leave a contact; we reply within a day.

CRM for recruiters
We connect you to our CRM. Upload an Application Security (AppSec) vacancy and get a list of matching candidates with full contact details within your plan. Auto-matching with explainability. Contact limits per month are configurable.
Access for job seekers
Are you a candidate looking for an Application Security (AppSec) job? Buy direct access to employers' contact details: N views per month. No intermediaries: you write to the hiring manager directly.
Talent Supply Audit
We show how many Application Security (AppSec) specialists are actually available for your vacancy: by level, geography, format and budget. An honest answer instead of "we have 100 million résumés".
Custom analytics
A personal quarterly market report for your ICP: salary benchmarks, talent supply, competitors' hiring activity. PDF plus raw data.

Frequently asked questions

The most common questions about the AppSec Engineer role: salaries (a premium segment for a rare skill: programming depth plus a security mindset), AppSec vs DevSecOps vs Security Engineer vs Pentester (a four-way comparison with an overlap heatmap), the 2026 secure SDLC pipeline (10 stages plus metrics), how Product Security Engineer (the Meta / Google term) differs, remote work, how to get in (Backend Senior + 6 months of focused training + bug bounty findings → AppSec Junior), Senior skills (custom Semgrep rules, advanced Burp Suite Pro, threat modelling lead, API security, the OSWE offensive certification). Answers are recalculated automatically.

How much does an AppSec Engineer earn in 2026?

The AppSec median is $10,833/month according to Zorky CRM data (94 active vacancies; a growing segment driven by the shift-left mindset and supply chain attack pressure). It is a premium segment because of the rare skill combination: programming depth in several languages, security expertise and threat modelling. Senior with production SAST / DAST integration, threat modelling lead and bug bounty triage: $7,000-10,500. Senior at Russian banks and Russian security vendors (Positive Technologies / BI.ZONE / Kaspersky): $7,000-10,500. Outsourcers (EPAM Security Practice / Luxoft AppSec): $7,500-12,000 for Senior on US projects. International tech companies (Snyk, Veracode, Checkmarx, Synopsys, HackerOne, Bugcrowd, Intigriti): full-remote $9,000-15,000+ for Senior. Big Tech product security (Meta Product Security, the Google Bug Hunters team, Apple Security, Microsoft Security Response Center (MSRC), Amazon Application Security): $14,000-22,000+ for Senior plus RSUs. Premiums: OSCP / OSWE (Offensive Security Web Expert, the premium one for AppSec) +15-25%, GIAC GWAPT +10-15%, published security research / CVEs +20-40%, programming depth in multiple languages +10-20%.

What does an AppSec Engineer earn at Junior, Middle, Senior and Lead?

Typical entry at Junior: 1) a Backend Senior with an interest in security (programming depth is already there; the security techniques are what is missing), 2) a Middle Security Engineer with an interest in code-deep work, 3) a bug bounty hunter with a track record (HackerOne reputation, private program experience) moving in-house. The jump from Junior to Middle comes after the first end-to-end secure SDLC integration (SAST + SCA + threat model done for one product) and the first high-severity finding triaged. Middle → Senior: multi-product AppSec ownership, bug bounty program management and ownership of AppSec metrics (a typical mandate: bring mean time to remediate Critical findings under 7 days). Senior → Staff / Principal / AppSec Architect: org-wide secure design patterns, security reference architectures, product security training development. Career flow: Backend Senior (3-5 years) + interest → AppSec Junior (1-2 years) → Middle (2-3 years) → Senior → then AppSec Architect, Bug Bounty / Security Researcher, API Security specialist, the CISO / Product Security track, or external security consultancy (Mandiant / Group-IB / BI.ZONE).

What does AppSec pay in Moscow, St. Petersburg and remotely?

Moscow Senior AppSec Engineer: $6,500-10,000/month. Banks dominate (Sber.Tech / Tinkoff / VTB / Gazprombank / Alfa / Raiffeisen have AppSec teams), plus Russian security vendors: Positive Technologies (PT Application Inspector, the largest Russian SAST vendor), Kaspersky Lab (Kaspersky Container Security, Threat Attribution), BI.ZONE, InfoWatch, Solar; Wallarm (Russian-origin API security and WAF with a global presence); ScanFactory (Russian SCA); Yandex (internal AppSec plus Yandex Cloud Security); the product security teams at Ozon / VK / Wildberries / X5 Group / MTS. St. Petersburg $6,000-9,500 (JetBrains security). Minsk / Kyiv $5,500-9,000 for Senior. Poland €7,000-11,000 gross for Senior. Germany €80-120K per year for Senior. 57.1% remote. Outsourcers (EPAM Security Practice / Luxoft Security / Andersen Security / DataArt Security) are almost always remote: $7,500-12,000 for Senior on US AppSec projects. International tech companies (Snyk / Veracode / Checkmarx / Synopsys / GitHub Advanced Security / HackerOne / Bugcrowd / Contrast Security): full-remote $9,000-15,000+ for Senior. Big Tech product security: Meta Product Security (known for generous bug bounties and AppSec Engineer salaries), the Google Bug Hunters team, Apple Security, Microsoft Security Response Center (MSRC), Amazon AppSec: $14,000-22,000+ for Senior plus RSUs.

Which stack is most often required of AppSec?

Top 5: go, databricks, kubernetes, typescript, python. SAST mastery: Semgrep (rising in 2026: fast, custom rules in YAML, community rule packs; the leader for new projects), SonarQube / SonarCloud (mature; code quality and security hybrid), CodeQL (GitHub Advanced Security; best for GitHub-native shops, semantic query language), Checkmarx, Veracode and Coverity (enterprise). Russian: Positive Technologies PT Application Inspector. DAST mastery: OWASP ZAP (the free standard; automation-friendly through the ZAP API and Docker), Burp Suite Professional (PortSwigger; the industry standard for manual pentesting, with Burp Collaborator for blind vulnerabilities and Burp extensions), Acunetix, StackHawk (modern DAST in CI), Detectify, Bright Security. SCA mastery: Snyk dominant in 2026 (best UX, IDE plugins, auto-PR fixes), Dependabot (GitHub's free baseline), Renovate (advanced; better for monorepos), Sonatype Nexus IQ, FOSSA (license compliance), JFrog Xray. IAST: Contrast Security (leader; agent-based runtime instrumentation), HCL AppScan, Veracode IAST. API security (rising since 2024): Salt Security (leader in API discovery and posture), Noname Security, 42Crunch (OpenAPI-first; best for a design-first approach), Traceable, Wallarm (Russian-origin, global), Cequence. Knowledge of the OWASP API Security Top 10. Threat modelling tools: Microsoft Threat Modeling Tool (free desktop), OWASP Threat Dragon (open source), IriusRisk (enterprise automation), Tutamen. Methodologies: STRIDE (Microsoft: Spoofing / Tampering / Repudiation / Information Disclosure / Denial of Service / Elevation of Privilege), PASTA (process-driven, 7 stages), LINDDUN (privacy-focused), attack trees. Bug bounty platforms: HackerOne (largest), Bugcrowd, Intigriti (European leader), YesWeHack (French), Synack (vetted, premium). Russian: Standoff Bug Bounty (PT; the largest in Russia), Bug Bounty Russia.
Secure code review tools: GitHub Advanced Security (Code Scanning + Secret Scanning + Dependabot bundle), GitLab Ultimate security features. RASP: Contrast Protect, Imperva RASP, Signal Sciences. WAF: Cloudflare WAF (dominant in 2026), AWS WAF, Imperva, Fortinet FortiWeb, F5 Advanced WAF, Akamai App & API Protector. Russian: Wallarm, Kaspersky DDoS Protection, Qrator. Crypto review tools: testssl.sh, Qualys SSL Labs, Cryptosense. Auth / authz: OAuth 2.1, OIDC and SAML in depth; JWT pitfalls in depth (alg=none, key confusion, signature stripping, accepting expired tokens); session management; OWASP ASVS. Language-specific vulnerability knowledge: Java (Log4Shell, JNDI, deserialization), .NET (BinaryFormatter, ViewState), Python (pickle, unsafe YAML loading, subprocess injection), JavaScript / TypeScript (prototype pollution, context-aware encoding against XSS, npm supply chain), Go (path traversal, SSRF, TOCTOU), Rust (unsafe block audits), C / C++ (memory safety vulnerabilities). Languages for tooling: Python primary, JS / TS, plus reading knowledge of all target languages.
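The JWT pitfalls listed here (and in the overview's auth/authz section, and again in roadmap step 10 below) all start from one verifier mistake: taking the algorithm from the token's own header. The following is an added example, not code from Zorky CRM or from any vendor named on this page. It uses only the Python standard library; the HS256 secret, the claims and the `now` timestamps are constructed for the demo, and `issue_token`, `forge_alg_none`, `verify_naive`, `verify_pinned`, `tamper` and `is_rejected` are names chosen here. `verify_naive` reproduces the alg=none bug; `verify_pinned` fixes it by deciding the algorithm server-side and also enforcing `exp`, which is the same fix that defeats RS256-to-HS256 key confusion, since the header can no longer choose which primitive and key the verifier uses.

```python
"""Added example: pin the JWT algorithm server-side instead of trusting the
header. Standard library only; the secret and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: server-side HMAC key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def _hs256(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint a legitimate HS256 token the way the server would."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    return f"{signing_input}.{_b64url_encode(_hs256(signing_input, key))}"


def forge_alg_none(claims: dict) -> str:
    """What an attacker submits: header says alg=none, signature segment empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def tamper(token: str, new_claims: dict) -> str:
    """Keep a valid signature but swap the payload (must also be rejected)."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_segment(new_claims)}.{sig_b64}"


def verify_naive(token: str, key: bytes = SECRET) -> dict:
    """The pitfall: the algorithm is read from the untrusted header."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))  # unsigned token accepted
    if header.get("alg") == "HS256":
        expected = _hs256(f"{header_b64}.{payload_b64}", key)
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    raise ValueError("bad signature")


def verify_pinned(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Hardened: the server decides the algorithm; the header only has to agree.
    Pinning also blocks RS256->HS256 key confusion, because the header can no
    longer switch which primitive (and which key) the verifier uses."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = _hs256(f"{header_b64}.{payload_b64}", key)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def is_rejected(token: str, now: Optional[float] = None) -> bool:
    """True if the hardened verifier refuses the token."""
    try:
        verify_pinned(token, now=now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = issue_token({"sub": "alice", "role": "user", "exp": 2_000_000_000})
    forged = forge_alg_none({"sub": "alice", "role": "admin", "exp": 2_000_000_000})
    print("naive verifier accepts alg=none as:", verify_naive(forged)["role"])
    print("pinned verifier rejects alg=none:", is_rejected(forged))
    print("pinned verifier accepts the real token:", not is_rejected(good, now=1_700_000_000))
```

With PyJWT the equivalent is passing an explicit `algorithms=["HS256"]` list to `jwt.decode` and never deriving that list from the token; the stdlib version above shows what that parameter is protecting against.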

AppSec vs DevSecOps vs Security Engineer vs Pentester: what is the difference?

The Security Engineer (general) covers all security domains broadly: SIEM operations, vulnerability management, identity, network, compliance. See Security Engineer (general). Salaries $4,500-9,500. The DevSecOps Engineer focuses on security in CI/CD pipelines, IaC security, container runtime and supply chain integrity; infrastructure-side, programming-heavy for automation. See DevSecOps. Salaries $5,500-10,000. The AppSec Engineer (this page) focuses on product code security: SAST findings triage, threat modelling for features, security code review, secure design patterns, bug bounty triage, security training for developers, API security; code-side rather than infra-side, and deeper in programming because several languages are required. Salaries $5,500-10,000. The Pentester / Ethical Hacker focuses on offence: breaking things and finding vulnerabilities through active exploitation. See Penetration Tester / Red Team. Often consultancy-based or in bug bounty. Salaries $5,000-10,000 plus bug bounty payouts. The 2026 reality (overlap heatmap): AppSec ↔ DevSecOps 50% (both use SAST/SCA, with a different focus); AppSec ↔ Pentester 40% (both think offensively, but the pentester exploits actively while AppSec prevents); AppSec ↔ Security Engineer 30% (AppSec is deep in one domain, the Security Engineer is broad). Career pivots: Backend Senior → AppSec Junior in 4-8 months (programming depth is already there); Pentester / bug hunter → AppSec in 2-4 months (offensive intuition transfers); DevSecOps Senior → AppSec in 2-4 months (overlapping security knowledge); AppSec Senior → Product Security Architect in 2-4 years. Which role dominates where: small startups have one person doing everything (a hybrid Security Engineer / DevSecOps / AppSec); mid-size companies (50-500 engineers) have separate roles; Big Tech (1000+ engineers) has a Product Security team (AppSec and Product Security are synonyms there) as a separate organization from Corporate Security.

What should a secure SDLC pipeline include (10 stages)?

The reference secure SDLC pipeline for 2026, with security integrated into every stage of the software development lifecycle:
1) Security training (continuous): developers go through OWASP Top 10, secure coding workshops and language-specific vulnerability training. Tools: SecureFlag, Codebashing (Checkmarx), Avatao (interactive training). Mandate: an annual refresh, and onboarding includes a security module of 4+ hours.
2) Threat modelling (per new feature or major change): a STRIDE session with product, engineering and AppSec. Document the attack surface and mitigations. Tools: Microsoft Threat Modeling Tool / OWASP Threat Dragon / IriusRisk (enterprise automation). Output: a threat model document attached to the design doc.
3) Secure design review: an AppSec reviewer signs off on architecture decisions that affect security (auth flows, data handling, third-party integrations, crypto choices).
4) Pre-commit hooks: local Git hooks with secrets scanning (Gitleaks / TruffleHog) plus IDE plugins (the Semgrep / SonarLint / Snyk extensions flag vulnerabilities live). Commits containing leaked secrets are rejected.
5) PR / MR creation: automated checks: SAST (Semgrep + CodeQL + SonarQube), SCA (Snyk + Dependabot flag vulnerable dependencies and open auto-PRs with version bumps), IaC security (Checkov), secrets scanning. The PR is blocked on critical findings.
6) Code review: security-flagged PRs automatically tag the AppSec team. Manual security code review for features touching auth, crypto or data handling.
7) Merge to main: the full security scan suite in CI: deeper (longer-running) SAST, DAST scans of the staging environment (OWASP ZAP / StackHawk against the staging API and UI), IAST (Contrast Security runtime, if installed), license compliance scan (FOSSA / Snyk License Compliance).
8) Pre-release pentest (for major features): the internal AppSec team or an external pentest engagement (Mandiant / Group-IB / BI.ZONE / NCC Group / Bishop Fox). A standard pentest is a 5-15 day engagement.
9) Bug bounty program: a public or private program on HackerOne / Bugcrowd / Intigriti / Standoff (Russia). Triage incoming reports; typical SLA: initial response 24h, validation 5 days, fix in 30-90 days depending on severity.
10) Post-release, continuous: runtime monitoring (RASP: Contrast Protect), API security monitoring (Salt / Noname / 42Crunch), WAF log analysis (Cloudflare / AWS WAF), a security metrics dashboard (mean time to remediate per severity, AppSec posture score, percentage of features that went through secure design review).
Cross-cutting AppSec metrics: MTTR (mean time to remediate) for vulnerabilities, percentage of high-severity findings closed within SLA, security debt over time, OWASP SAMM / BSIMM maturity score, vulnerability density per KLOC. Compliance reporting: automated evidence collection for SOC 2 / ISO 27001 / PCI DSS audits (Drata / Vanta / Secureframe). A Senior AppSec engineer owns this entire pipeline, tunes false-positive rates and balances security against developer velocity.
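Stage 4 above (pre-commit hooks rejecting commits with leaked secrets) is the one stage a single engineer can stand up in an afternoon. As an added example, not code from Zorky CRM, Gitleaks or TruffleHog, here is a minimal hook of that kind in Python. The rule set is this example's own assumption (loosely modelled on the kinds of patterns those tools ship), `SAMPLE_DIFF` is a constructed diff, the filename `scan_secrets.py` is assumed, and the entropy threshold of 3.5 bits per character is a starting point to tune, not a standard.

```python
"""Added example: a minimal pre-commit secret scanner that inspects only the
lines a commit adds. Patterns and the sample diff are constructed here."""
import math
import re
import subprocess
import sys
from collections import Counter
from typing import List, Optional, Tuple

# Rule name -> regex. Group 1, when present, is the secret candidate itself.
PATTERNS = {
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # keyword = "value": noisy, so it is combined with an entropy check below
    "generic-assignment": re.compile(
        r"""(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})"""
    ),
}

Finding = Tuple[Optional[str], str, str]  # (path, rule, candidate)


def shannon_entropy(text: str) -> float:
    """Bits per character: random tokens score high, human placeholders low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def scan_diff(diff_text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Scan only the added ('+') lines of a unified diff, i.e. what the commit introduces."""
    findings: List[Finding] = []
    path: Optional[str] = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if not line.startswith("+"):
            continue  # context and removed lines are not this commit's problem
        content = line[1:]
        for rule, regex in PATTERNS.items():
            for match in regex.finditer(content):
                candidate = match.group(1) if match.groups() else match.group(0)
                # Drop low-entropy keyword hits such as "changeme-changeme-changeme"
                # while keeping random-looking tokens.
                if rule == "generic-assignment" and shannon_entropy(candidate) < entropy_threshold:
                    continue
                findings.append((path, rule, candidate))
    return findings


def staged_diff() -> str:
    """Diff of what is about to be committed: the hook's real input."""
    return subprocess.run(
        ["git", "diff", "--cached", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed sample: a settings file and a key file someone tried to commit.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "password"
+SECRET_KEY = "changeme-changeme-changeme"
+API_TOKEN = "q7Lk2mZp9xVb4RtY8sWn1JhG"
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAconstructedkeymaterial
"""


if __name__ == "__main__":
    text = staged_diff() if "--staged" in sys.argv else SAMPLE_DIFF
    hits = scan_diff(text)
    for path, rule, candidate in hits:
        print(f"{path}: {rule}: {candidate[:8]}...")  # never echo the full secret
    sys.exit(1 if hits else 0)  # a non-zero exit makes git refuse the commit
```

Install it as `.git/hooks/pre-commit` (or through the pre-commit framework) invoking `python scan_secrets.py --staged`; run without the flag it scans the constructed sample and exits 1, which is exactly the behaviour git turns into a refused commit. Scanning only added lines keeps the hook fast and avoids re-flagging history, which is the job of a separate full-repository scan.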

Can AppSec be done remotely?

Yes: 57.1% of AppSec Engineer vacancies are full-remote or hybrid. AppSec work is primarily code review, SaaS security tools and remote collaboration with engineering teams. Outsourcers (EPAM Security Practice / Luxoft AppSec / Andersen / DataArt Security) are almost always remote on US AppSec projects. Russian banks and product companies (the AppSec teams at Sber / Tinkoff / Yandex / Ozon / VK / X5 Group / MTS) are hybrid, or remote after probation and a security background check. Russian security vendors (Positive Technologies / Kaspersky / BI.ZONE / Solar / Wallarm) are hybrid, or remote after a background check. State companies are hybrid or office-based because of security clearances. International tech companies (Snyk / Veracode / Checkmarx / Synopsys / GitHub Advanced Security / HackerOne / Bugcrowd / Intigriti / Contrast Security) are full-remote by default. Big Tech product security (Meta / Google Bug Hunters / Apple Security / Microsoft MSRC / Amazon AppSec) is hybrid by default. Bug bounty hunters can be fully independent: a full-remote lifestyle with income from bounty payouts (top hunters make $100K-500K+ per year from bounties). Relocation hubs: Poland (security-friendly EU) / Germany / Canada / Serbia. English is a must for international remote AppSec: the security community, OWASP, DEF CON, Black Hat and the vendor documentation of Snyk / Veracode are all in English.

How does Product Security Engineer (the Meta / Google term) differ from AppSec?

AppSec Engineer and Product Security Engineer are almost synonymous. Historically, AppSec Engineer is the broad term (any company) for a focus on application-layer security, while Product Security Engineer is the Meta / Google / Apple naming convention for the internal role. Same responsibilities (code review, threat modelling, secure design, bug bounty triage), but typically embedded in a product team rather than a centralized AppSec team. At Meta, Product Security Engineer roles sit in the premium salary tier plus RSUs because of scale (billions of users affected by a single security decision). Big Tech-specific terminology: at Google, Security Engineer (general) often means AppSec specifically (as opposed to Site Reliability Engineer, a different team). Apple Product Security is AppSec for specific Apple products (iOS / macOS / iCloud and so on), with an extremely high bar (rare hiring, premium salary). The Microsoft Security Response Center (MSRC) is the Microsoft product security specialty focused on external vulnerability reports, CVE coordination and Patch Tuesday releases. Career choice: AppSec Engineer (general) if you want mid-sized companies and broader scope; Product Security Engineer (Big Tech) if you want the Big Tech salary tier, impact on a massive user base and a long hiring funnel. Bug Bounty Triager / Security Researcher (internal) is a product security sub-specialty focused on managing incoming bug bounty reports (triaging severity and reproducibility, getting fixes shipped, paying bounties); often a standalone role in companies with an active bug bounty program (HackerOne reputation top 100).

Which companies actively hire AppSec?

Top hirers: Sber.Tech, Positive Technologies, Tinkoff. Russian banks (the largest channel, because of regulation and the AppSec mandate from the Central Bank): Sber.Tech, Tinkoff, VTB, Gazprombank, Alfa-Bank, Raiffeisen, Rosselkhozbank, MKB, Otkritie. Russian security vendors (AppSec product specialization): Positive Technologies (PT Application Inspector, the largest Russian SAST vendor, plus the Standoff Bug Bounty platform), Kaspersky Lab (Kaspersky Container Security, Threat Attribution), BI.ZONE (BI.ZONE WAF, Bug Bounty), InfoWatch, Solar (MTS RED), Group-IB (FACCT after the split; DFIR plus AppSec services), Wallarm (Russian-origin API security and WAF, global), ScanFactory (Russian SCA, open-source-focused). Telecom security: MTS RED, Rostelecom Solar. Yandex (Application Security plus Yandex Cloud Security; a large AppSec team). The product security teams at Ozon / VK / Wildberries / X5 Group / MTS / Avito. JetBrains (product security for the IDEs and AI Assistant). State companies: RTK / Rostelecom / Gazprom / Rosneft. Outsourcers: EPAM Security Practice (the largest AppSec outsourcer in the CIS for US projects), Luxoft Security, Andersen Security, DataArt Security. International tech companies (full-remote, premium): Snyk (DevSecOps + AppSec hybrid leader), Veracode, Checkmarx, Synopsys (Coverity + Black Duck, now spun off under the Black Duck name), GitHub Advanced Security (Microsoft), the GitLab Ultimate security team, Contrast Security (IAST + RASP), Salt Security, Noname Security (API security, now part of Akamai), 42Crunch, HackerOne (the largest bug bounty platform), Bugcrowd, Intigriti (European), YesWeHack, Synack, Cloudflare (WAF + Zero Trust). Big Tech product security (top salary tier): Meta Product Security (known for generous bug bounties and AppSec salaries), the Google Bug Hunters team, Apple Security, Microsoft Security Response Center (MSRC), Amazon AppSec. Y Combinator security startups and AI-focused security (e.g. HiddenLayer for ML model security, Protect AI) are an emerging niche.

Where to start in AppSec in 2026?

Roadmap: 1) Backend programming at Senior level: without programming depth there is no AppSec. At least one language deeply (Python / Java / Go / .NET / JavaScript) + reading knowledge of 2-3 more. This is the foundation. 2) OWASP Top 10 mastery: read the official OWASP Top 10 (free PDF) + reproduce the vulnerabilities in a local lab (DVWA + WebGoat + Juice Shop, all free). «The Web Application Hacker's Handbook» by Stuttard / Pinto (the canonical AppSec book, must-read). 3) OWASP ASVS (Application Security Verification Standard): a comprehensive checklist, read it as a reference. 4) Burp Suite mastery: PortSwigger Web Security Academy (free, the best practical AppSec training in 2026, do all the labs). Get the PortSwigger BSCP (Burp Suite Certified Practitioner), a premium AppSec cert. 5) SAST hands-on: Semgrep mastery (write custom rules in YAML for your own codebase's patterns + run them on open-source projects). Learn CodeQL (GitHub Advanced Security, free for open-source repos). 6) SCA hands-on: Snyk free tier + Dependabot setup for your own GitHub project. Understand CVE / CVSS / EPSS prioritization. 7) Threat modelling practice: STRIDE methodology + Microsoft Threat Modeling Tool. Apply it to your own pet project. Book: «Threat Modeling: Designing for Security» by Adam Shostack (must-read for serious AppSec). 8) Bug bounty hands-on: register HackerOne / Bugcrowd / Intigriti / Standoff (Russian) accounts. Start with public programs + low-hanging fruit (CSRF + XSS + SSRF + IDOR on startup targets). Even small bounties build a resume. 9) API Security (rising since 2024): OWASP API Security Top 10 + 42Crunch labs (free). Practice API attacks with Burp + Postman. 10) Cryptography for developers: the common pitfalls (alg=none JWT + ECB mode + insecure random + key reuse + length-extension attacks). Book: «Practical Cryptography for Developers» by Svetlin Nakov (free online). 11) Language-specific vulnerability deep dives: pick your chosen language + study its specific vulnerability classes (Java deserialization / Python pickle / Node.js prototype pollution / Go path traversal). 12) Offensive certs (highly recommended for AppSec credibility): OSCP (Offensive Security Certified Professional, broad offensive) → OSWE (Offensive Security Web Expert, AppSec-focused, premium for AppSec roles) → OSCE³ (advanced exploitation; the original OSCE was retired in 2020, and OSCE³ now denotes holding OSWE + OSEP + OSED). 13) Pet-project portfolio: a) a full secure SDLC pipeline (12 stages) for your own project, documented as a portfolio piece; b) a Semgrep custom rule pack for a specific vulnerability class; c) a threat model document for a realistic web application; d) bug bounty reputation (HackerOne ≥50 reputation points from valid findings). Russian courses: BI.ZONE Cybersecurity Academy, Positive Technologies Education, Securitm AppSec track, SkillFactory Cybersecurity. International (English): PortSwigger Web Security Academy (free, the best resource in 2026, must-do), SANS SEC542 Web App Penetration Testing (premium), «Real-World Bug Hunting» by Peter Yaworski (the canonical bug bounty book), «Web Application Security» by Andrew Hoffman (O'Reilly, 2020). Must-read books: «The Web Application Hacker's Handbook» by Stuttard / Pinto (canonical despite its 2011 date), «Threat Modeling» by Adam Shostack, «Real-World Cryptography» by David Wong. Communities: OWASP local chapters (London / Russia / Singapore meetups), r/netsec, r/AskNetsec, HackerOne Hacktivity (read public bug reports, the best learning), the Twitter AppSec community (follow @InsiderPhD, @stokfredrik, @nahamsec), Telegram @appsec_ru, @bug_bounty_ru. Senior Backend + 6 months of focused AppSec training + bug bounty findings → Junior AppSec. Senior Backend + 2-3 years of AppSec → Middle. 3-5 years in total for Senior AppSec.
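Step 11's Python entry (pickle deserialization) is the kind of language-specific class worth reproducing in a local lab. The following is an added example, not code from the original page or from any course or book it lists: it builds a pickle payload whose `__reduce__` names an arbitrary importable callable (a harmless stand-in function, `attacker_callable`, assumed here in place of `os.system`), shows that `pickle.loads` executes it, and then loads the same bytes through a restricted `Unpickler` whose `find_class` allowlist refuses every global that is not explicitly permitted.

```python
import io
import pickle

# Records the argument each time the payload's callable runs, so the effect of
# deserialisation is observable without touching the OS.
CALLS = []


def attacker_callable(arg):
    """Stand-in for os.system / subprocess.Popen: pickle will call whatever
    importable callable the payload names, with the arguments it supplies."""
    CALLS.append(arg)
    return arg


class Exploit:
    """Serialises to a GLOBAL reference to attacker_callable plus its argument.
    On load, the REDUCE opcode calls attacker_callable("id > /tmp/pwned")."""

    def __reduce__(self):
        return (attacker_callable, ("id > /tmp/pwned",))


def build_payload():
    # What an attacker hands to any endpoint that runs pickle.loads on
    # request data (session cookies, cache entries, queue messages).
    return pickle.dumps(Exploit())


def serialize_trusted(obj):
    # Plain containers and scalars pickle to data opcodes only, no globals.
    return pickle.dumps(obj)


def vulnerable_load(data):
    """Vulnerable: pickle.loads resolves and calls any global named in data."""
    return pickle.loads(data)


# Allowlist of (module, qualname) pairs the application legitimately stores.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: find_class is the single choke point through which pickle
    resolves GLOBAL / STACK_GLOBAL opcodes, so gating it blocks REDUCE-based
    code execution for anything outside the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data):
    """True if the restricted loader refuses the payload without running it."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload()
    print("vulnerable_load returned:", vulnerable_load(payload), "calls:", CALLS)
    print("safe_load rejects payload:", safe_load_rejects(payload))
    print("safe_load on trusted data:", safe_load(serialize_trusted({"user": "alice"})))
```

Gating `find_class` is the "Restricting Globals" approach described in the Python `pickle` documentation; it is a mitigation, not a reason to accept pickle from untrusted parties. The better fix, and the one a Semgrep rule from step 5 should push for, is a data-only format (JSON with schema validation), or at minimum an HMAC over the blob checked before `loads` if pickle cannot be removed.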

How many AppSec vacancies are there in the CIS and Europe?

94 active open AppSec Engineer vacancies. Geography: EN, 🇷🇺 Russia, INT. Sources: hh.ru (especially banks + Positive Technologies / Касперский / BI.ZONE, all active), Habr Career, getmatch, Djinni, LinkedIn (a huge international AppSec segment via Snyk / Veracode / Checkmarx / HackerOne / Bugcrowd / Big Tech Product Security), NoFluffJobs / JustJoin.it (Poland, AppSec-friendly), Telegram (@appsec_ru, @bug_bounty_ru, @cybersec_jobs, @security_ru), the career sites of EPAM Security Practice / Luxoft AppSec / Andersen / DataArt, specialized boards (cybersecjobs.com, infosec-jobs.com, cyberseek.org), Y Combinator security startups, Russian security vendor careers (ptsecurity.com / kaspersky.com / bi.zone / wallarm.com / scanfactory.io), direct hiring by bug bounty platforms (HackerOne careers for its internal AppSec team / Bugcrowd / Intigriti / Standoff), hiring areas at RSA Conference / Black Hat / DEF CON AppSec Village. The real market is wider thanks to the international remote segment (Snyk / Veracode / Checkmarx / Synopsys, now Black Duck / GitHub Advanced Security / HackerOne / Bugcrowd / Contrast Security, all full-remote-friendly) + Big Tech Product Security (Meta / Google / Apple / Microsoft / Amazon AppSec teams). Time to fill a Senior AppSec position: 6-12 weeks (longer than for a general Security Engineer because of the rare skill combination: programming depth + multiple languages + security mindset + threat modelling experience).

What skills does a Senior AppSec need?

A Senior AppSec Engineer owns the full application security cycle + technical leadership. Senior Backend programming level: one language deeply (Python / Java / Go / .NET / TypeScript) + reading knowledge of the others. Must understand language-specific vulnerability classes deeply. SAST mastery: Semgrep custom rule authoring (deep: write business-logic-specific security rules in YAML), CodeQL queries (semantic analysis, premium for GitHub-native shops), SonarQube custom rules. Tune false-positive rates (typical mandate: <10% false-positive ratio). DAST mastery: Burp Suite Professional advanced (Burp Extensions authoring + Burp Collaborator for blind vulnerabilities + Burp Intruder advanced + Macros for authenticated scanning), OWASP ZAP automation in CI. SCA mastery: Snyk integration tuning, dependency vulnerability prioritization (CVSS + EPSS + exploitability + actual usage / reachability analysis), license compliance handling. Threat modelling mastery: STRIDE methodology (lead sessions for major features), PASTA (process-driven) for critical systems, attack tree authoring, attack surface analysis. Secure design mastery: review architecture decisions affecting security (auth flows + crypto choices + data handling + third-party integrations), an OWASP ASVS-based design review checklist. Auth / Authz deep: OAuth 2.1 + OIDC + SAML advanced (PKCE + refresh token rotation + audience validation + RP-Initiated Logout), JWT pitfalls deep (alg=none + key confusion + JWS / JWE differences + signature stripping), session management patterns (HttpOnly + SameSite + CSRF tokens + token binding). Cryptography review: TLS configuration review (cipher suite selection + perfect forward secrecy + certificate management), applied cryptography (proper randomness + symmetric vs asymmetric usage + key management + HSM integration). API Security mastery: OWASP API Security Top 10 (broken object level authorization (BOLA), broken authentication, excessive data exposure, lack of rate limiting, etc.). Salt / Noname / 42Crunch integration patterns. Bug bounty program management: triage methodology (severity + reproducibility + impact assessment), researcher relationship management, public communication, payout decisions, CVE coordination. Vulnerability disclosure: design CVD programs, the CVE assignment process (CNA role if applicable), advisory writing for customers. AppSec metrics ownership: automated MTTR tracking per severity, AppSec posture scoring, OWASP SAMM / BSIMM maturity benchmarking, executive reporting to the CISO. Compliance frameworks: SOC 2 + ISO 27001 + PCI DSS audit support, automated evidence collection. Offensive security exposure: OSCP / OSWE / OSCE³ certifications strongly recommended; understanding the attacker's perspective makes a better defender. Programming for tooling: Python deep for custom security automation + linter / scanner development. System design for security: design secure architectures on a whiteboard, threat-model at feature design reviews, design Zero Trust application architecture. Soft skills: writing ADRs for security decisions, security training development for engineers (workshops + onboarding + AppSec book club), code review for security findings, executive communication (vulnerability reports to leadership), mentoring Middle AppSec engineers. English for Senior+ is a MUST: the AppSec community / OWASP / DEF CON / Black Hat / vendor docs are entirely English-language. Optional bonus: published CVEs (being a CVE owner is premium for frontier AppSec hiring), bug bounty reputation (HackerOne top-100), conference talks (DEF CON AppSec Village / OWASP AppSec / Black Hat), open-source contributions to security tools (Semgrep rules / OWASP ZAP / Snyk plugins); these sharply raise market value for Big Tech Product Security + premium security vendor hiring.
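The alg=none / signature-stripping pitfall from roadmap step 10 above and from the JWT item in the Senior skills list, as an added example that is not code from the original page or from any vendor it names. It hand-rolls HS256 issuance on the standard library and puts a vulnerable verifier beside a hardened one that pins the algorithm server-side, compares the MAC in constant time and enforces `exp` and `aud` (the audience validation the skills list calls out). `DEMO_SECRET`, the audience string `orders-api` and the claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real one comes from a secret manager, never source.
DEMO_SECRET = b"demo-hs256-secret-do-not-use"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims, secret):
    """Issuer side: HMAC-SHA256 over 'header.payload', all three segments base64url."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    payload = _segment(claims)
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_alg_none(claims):
    """Attacker side: the alg=none / signature-stripping token. The header claims
    no signature is needed, the payload is whatever the attacker wants, and the
    third segment is empty. No secret is required to build it."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_naive(token, secret):
    """Vulnerable verifier: trusts the alg from the attacker-controlled header,
    so alg=none bypasses the HMAC check entirely; also compares the MAC with ==."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if b64url_decode(sig_b64) == expected:
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_strict(token, secret, audience, now=None):
    """Hardened verifier: the algorithm is pinned server-side rather than read
    from the token, the MAC is compared in constant time, and exp / aud are
    mandatory. Returns the claims dict, or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # empty/stripped signature fails here
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if claims.get("aud") != audience:  # a token minted for another service is not ours
        return None
    return claims


if __name__ == "__main__":
    now = int(time.time())
    good = sign_hs256({"sub": "alice", "aud": "orders-api", "exp": now + 600}, DEMO_SECRET)
    forged = forge_alg_none({"sub": "admin", "aud": "orders-api", "exp": now + 600})
    print("naive accepts forged token as:", verify_naive(forged, DEMO_SECRET))
    print("strict rejects forged token:", verify_strict(forged, DEMO_SECRET, "orders-api") is None)
    print("strict accepts genuine token:", verify_strict(good, DEMO_SECRET, "orders-api"))
```

In production the same three checks are what you configure in a maintained library rather than write by hand: with PyJWT that is `jwt.decode(token, key, algorithms=["HS256"], audience="orders-api")`, where an explicit `algorithms` list is exactly the server-side pin that `verify_strict` hard-codes. The key-confusion variant (an RS256 service coerced into HS256 with its public key as the HMAC secret) is defeated by the same pin, which is why a verifier must never accept more than the one algorithm it was deployed with.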

Related specializations

DevOps / SRE · Backend · Architecture

How we count

  • Data period: in the hero block and the texts, the last 3 months. In the charts, the entire available observation period (since the parsers launched, usually 2-3 months).
  • Data is collected automatically from 1000+ sources: Telegram channels and job boards in the CIS and Europe.
  • Only live open vacancies with a clear description are counted. Spam and duplicates are discarded.
  • Salaries are converted to USD/month at the current exchange rate. Anomalous values (<500 or >50K) are filtered out.
  • Levels are normalized: Mid → Middle, Intern/Trainee → Junior, Principal/Staff/Expert → Lead.
  • The first 2 weeks of data (the parser ramp-up period) are not shown in the charts.
  • Data is recalculated every day.

Authorship and citation

Analytics prepared by the Zorky Research Team. Last updated: 29 May 2026 at 19:02.

Data sources and methodology

Data is collected automatically from 1000+ sources: Telegram vacancy channels and job sites in the CIS and Eastern Europe (HH, Habr Career, Djinni, DOU, NoFluffJobs, JustJoin.it, Pracuj.pl and others). Parsing runs around the clock, duplicates are filtered by description and URL, and anomalous salary values are discarded. Detailed methodology: see the «How it works» page.

Cite this page:
Zorky CRM (2026). Application Security (AppSec) in IT: the CIS and European market. Accessed: 29.05.2026. URL: https://zorky.tech/ru/research/security