Hard to give you a definitive answer on this one. I’d say you’d be hard-pressed right now to pull that off without a direct referral or other networked way-in. Job market is condensing, lots of (experienced) out-of-work folks looking for new roles, etc… If you aren’t already in infosec, or you’re not a full-time dev with some security knowledge, it will be tough. Your best bet (roughly) on things to add to your skills/portfolio would be…
Proficiency with one or more languages that your target role company uses (and evidence of this XP)
In-depth knowledge of OWASP “stuff” (Top 10, ASVS, etc…)
Practical XP with attacks/exploits (via experience, CTFs, trainings, Web Security Academy, etc…)