Sr. Penetration Tester

Job Description

U.S. Bank is seeking a Senior Penetration Tester (Web/API/Mobile) with demonstrated competence and experience to contribute toward the success of our information security program. As a Senior Penetration Tester, you will be responsible for assessing the security of our web/mobile applications and APIs by identifying vulnerabilities, performing exploitations, and recommending mitigation strategies to enhance their resilience against cyber threats. This role requires a deep understanding of web/mobile application security principles, advanced penetration testing techniques, and the ability to work collaboratively with cross-functional teams.

Responsibilities

• Lead dynamic penetration testing against hardened web/API and mobile applications to uncover vulnerabilities and leverage manual exploitation techniques, demonstrating business impact.
• Deliver clear, actionable reports that include detailed findings, vulnerability scoring, and remediation guidance tailored to technical and non-technical teams.
• Continuously evolve testing methodologies by researching emerging threats, tools, and techniques, applying them to improve assessment strategies and team capabilities.
• Maintain a balance between hands-on testing and supporting broader team initiatives, including process optimization, tool/script development, and knowledge sharing.

The role offers a hybrid/flexible schedule, which means there’s an in-office expectation of 3 or more days per week and the flexibility to work outside the office location for the other days at one of the following locations:

• Cincinnati, OH

Basic Qualifications

• Bachelor's degree in Engineering or Science, or equivalent work experience
• Eight or more year of experience in information security
• Two or more years of experience in IT infrastructure management, application architecture, risk management, data architecture, middleware technology, and IT operations and project management

Preferred Skills/Experience

• Web & API Penetration Testing: 5+ years of hands-on experience with modern web applications and APIs. Deep understanding of OWASP Top 10, API Security Top 10, and SANS Top 25 vulnerabilities.
• Manual Testing & Exploitation: Advanced proficiency in identifying and exploiting vulnerabilities in web apps and APIs using tools like Burp Suite Pro, Postman/Insomnia, and custom scripts; skilled in uncovering business logic flaws, access control issues, and chaining exploits to demonstrate real-world impact.
• Mobile Application Security: Familiarity with Android and iOS testing methodologies and platform-specific risks, including OWASP MASVS and MASTG.
• Technical Proficiency: Strong scripting skills (Python, PowerShell, Bash, Ruby, Go). Solid grasp of HTTP/S, authentication protocols (OAuth, SAML, JWT), and network fundamentals (TCP/IP, DNS, firewalls, IDS/IPS).
• Cloud & Platform Fluency: Comfortable testing in cloud environments (AWS, Azure, containers/Kubernetes). Experienced across Linux, Windows, and macOS platforms. Familiarity with cloud-native security and assessment tools (e.g., AWS Inspector, Azure Defender, ScoutSuite,) and common misconfiguration exploitation techniques.
• Tooling & Automation: Experience developing custom tools and scripts to automate testing workflows. Familiarity with tools such as Nmap, Metasploit, and Kali Linux.
• Threat Modeling & Risk Assessment: Ability to perform threat modeling and risk assessments to prioritize testing efforts and communicate business impact.
• Regulatory & Compliance Awareness: Understanding of compliance frameworks such as PCI-DSS, HIPAA, NIST 800-53, ISO 27001, and FedRAMP.
• Communication & Documentation: Excellent written and verbal communication skills. Experienced in technical writing and clearly articulating findings to both technical and non-technical audiences, including executive leadership.
• Leadership & Mentorship: Proven ability to lead engagements, manage stakeholder expectations, and mentor junior testers.
• Certifications: OSWE, OSEP, OSCP, GWAPT, GPEN, GMOB, OSWA, or equivalent.
• Additional Experience: Source code review, ServiceNow Application Vulnerability Response, and understanding of change control and security architecture.