Senior Penetration Tester

Location:Remote (U.S.-based preferred) Duration: 1.5 MonthsClearance:Preferred (Public Trust / Secret / Top Secret varies by project)

About the Role

We are seeking a highly skilled Senior Penetration Tester / Application Security Engineer to join our cybersecurity team. This role focuses on identifying, exploiting, and validating vulnerabilities across web applications, APIs, mobile platforms, and enterprise infrastructure.

You will perform real-world attack simulations, partner with engineering teams, and provide actionable remediation guidance to strengthen the organization's security posture.

Key Responsibilities

• Conduct web application, API, mobile, and network penetration testing
• Perform manual and automated vulnerability assessments
• Identify and exploit vulnerabilities aligned with OWASP Top 10
• Execute end-to-end penetration testing lifecycle:
  • Reconnaissance
  • Scanning & enumeration
  • Exploitation
  • Post-exploitation
  • Reporting
• Perform threat modeling and risk assessments
• Test authentication, authorization, and session management controls
• Conduct API security testing (REST, SOAP, GraphQL)
• Simulate real-world attack scenarios (red team-style engagements)
• Validate vulnerabilities and develop proof-of-concepts (PoCs)
• Collaborate with DevOps and engineering teams to drive remediation
• Produce detailed technical reports and executive summaries
• Support secure SDLC and DevSecOps initiatives
• Stay current with emerging threats, tools, and techniques

Required Qualifications

• 5+ years of experience in penetration testing or application security
• Strong expertise in:
  • Web application security vulnerabilities (OWASP Top 10)
  • API security testing
  • Network and infrastructure security
• Hands-on experience with tools such as:
  • Burp Suite, OWASP ZAP, Nmap, Nessus, Metasploit, SQLMap
• Experience with manual testing techniques (not just automated scans)
• Knowledge of:
  • Authentication & access control flaws (IDOR, OAuth, JWT, etc.)
  • Common exploits (SQLi, XSS, CSRF, SSRF, RCE)
• Familiarity with scripting (Python, Bash, or similar)
• Experience with Linux-based testing environments (e.g., Kali Linux)
• Strong understanding of:
  • TCP/IP, DNS, firewalls, and network protocols
• Excellent communication and reporting skills

Preferred Qualifications

• Experience with:
  • Cloud security (AWS, Azure, GCP)
  • Containerized environments (Docker, Kubernetes)
  • CI/CD and DevSecOps integration
• Background in:
  • Red teaming or adversary simulation
  • Threat modeling methodologies (e.g., STRIDE)
• Certifications such as:
  • OSCP, CEH, Security+, CySA+, GPEN, GWAPT
• Experience working in federal or regulated environments (NIST, RMF, FedRAMP)