Penetration Tester Junior

About NopalCyber

NopalCyber makes cybersecurity manageable, affordable, reliable, and powerful for companies that need to be resilient and compliant. Through Managed Extended Detection and Response (MXDR), Attack Surface Management (ASM), Breach and Attack Simulation (BAS), and Advisory Services, we fortify our clients’ cybersecurity across both offense and defence.

Our AI-driven Nopal360° platform, NopalGo mobile app, and proprietary Cyber Intelligence Quotient (CIQ) enable organizations to quantify, track, and visualize their cybersecurity posture in real time. We democratize enterprise-grade security operations for organizations of all sizes by lowering the barrier to entry while raising the bar for security and service.

Job location

Employment Type

Key Responsibilities

• Assist in discovering and inventorying external-facing assets (domains, IPs, cloud services, APIs, etc.) as part of ongoing Attack Surface Discovery (ASD) efforts.
• Help identify unknown, unmanaged, or misconfigured assets and support remediation to improve Attack Surface Management (ASM/EASM).
• Operate and maintain open-source or internal tools for automated asset enumeration, monitoring, and vulnerability scanning.
• Collect and analyse DNS records, SSL certificates, WHOIS data, and public metadata to map assets to the organization.
• Work closely with security, infrastructure, and cloud teams to ensure visibility across on-premises, cloud, and hybrid environments.
• Assist in evaluating and integrating ASM/EASM platforms and automation workflows.
• Support the planning and execution of vulnerability assessments and limited penetration testing of external-facing assets, web apps, and APIs under supervision.
• Run and interpret Dynamic Application Security Testing (DAST) scans (authenticated and unauthenticated) to identify application-layer vulnerabilities.
• Validate, track, and assist with remediation of findings from DAST and ASD activities.
• Stay current with emerging attack vectors and vulnerabilities relevant to attack surface management and web application security.
• Conducting research to identify new attack vectors.

Required Skills & Experience

• 1–3 years of experience in cybersecurity, IT, or a related technical role (security operations, vulnerability management, cloud security).
• Basic knowledge of asset discovery tools/methods (e.g., Subfinder, Amass, Shodan, Censys, Nmap), OSINT framework and ASM/EASM concepts.
• Understanding of TCP/IP and/or OSI Models, common Internet protocols/services (DNS, HTTP/S, SMTP, etc.) and their impact on external exposure.
• Exposure to or hands-on experience with DAST tools (e.g., OWASP ZAP, Burp Suite, or similar) and basic VAPT methodologies for web apps and APIs.
• Familiarity with scripting/automation using Python, Bash, or similar languages to streamline discovery or scanning tasks.
• Ability to analyse and correlate data from multiple sources to track and verify digital assets.
• Strong curiosity and investigative mindset with attention to detail.
• Ability to assist in developing and presenting comprehensive attack surface discovery reports, identifying external asset exposures, and recommending prioritized remediation actions aligned with organizational security policies.
• Good communication skills and ability to document and present findings in customers calls clearly.

Educational Qualifications

• Bachelor’s degree in engineering, Computer Science, or related discipline.
• CEH Certification is mandatory.
• Ability to script custom reconnaissance or scanning tools (Python, Bash, etc.).
• Familiarity with OWASP Top 10, API security, and secure cloud architecture.
• Participation in CTFs, security research, or responsible disclosure programs.

Personal Attributes

• Self-starter and quick learner requiring minimal ramp-up
• Excellent written, oral, and interpersonal communication skills
• Highly self-motivated, self-directed, and attentive to detail
• Ability to effectively prioritize and execute tasks in a high-pressure environment