Penetration Testing Engineer

Role Description

• This role has a strong focus on ensuring the organization's infrastructure, applications, and systems are secure from external and internal threats.
• This role is responsible for conducting authorized security tests on IT infrastructure to evaluate the strength of its systems against potential cyberattacks.
• A variety of automated tools and manual techniques are leveraged to simulate real-world attacks.
• The penetration tester then works with the organization to prioritize, remediate, and report on identified issues, strengthening the overall security posture.

Roles & Responsibilities

• Perform security testing (e.g., penetration testing, code reviews) and ensure continuous security monitoring across the organization's IT landscape.
• Identify vulnerabilities in networks, systems, applications, and infrastructure through hands-on penetration testing.
• Attempt to exploit discovered vulnerabilities to demonstrate their impact and prove their existence (e.g., retrieving sensitive data, elevating user privileges, or gaining access to admin functionality).
• Perform assessments on web applications, cloud environments, and network infrastructure.
• Use automated tools and manual techniques to identify security weaknesses.
• Conduct advanced post-exploitation tasks to simulate real-world attack scenarios.
• Work with third-party security vendors for audits, product testing, and external assessments when required.
• Use automated tools (e.g., Burp Suite, OWASP ZAP, or Acunetix) to identify common vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and others.
• Document identified vulnerabilities in detail, explaining how they were found, their severity, and their potential impact. Include proof-of-concept (PoC) for critical vulnerabilities.
• Offer actionable, practical solutions for fixing the vulnerabilities, such as secure coding practices, configuration changes, or security controls.
• Use risk-based prioritization, categorizing issues by their severity and business impact (e.g., high, medium, low) to help the organization focus on the most critical issues.
• Continuously learn about the latest vulnerabilities, exploits, and security trends.
• Present the findings to stakeholders, security teams, and management, explaining the business risk and potential impacts of the vulnerabilities discovered.
• Familiarity with industry standards and compliance requirements (e.g., PCI-DSS, NIST, ISO 27001) and their relevance to penetration testing.

Basic Qualifications and Experience

• Master's degree with 12 years of experience in Computer Science, Cybersecurity or Information Systems related field OR
• Bachelor's degree with 24 years of experience in Computer Science, Cybersecurity or Information Systems related field OR
• Diploma with 46 years of experience in Computer Science, Cybersecurity or Information Systems related field

Functional Skills

Must-Have Skills:

• Strong knowledge of common vulnerabilities (e.g., OWASP Top 10, SANS Top 25), network protocols, encryption standards, application security and common penetration testing methodologies (ISSAF, OSSTMM, PTES).
• Familiarity with tools like Burp Suite, OWASP ZAP and Metasploit.
• A deep understanding of web application architecture, databases, and authentication mechanisms.
• Ability to think critically and creatively when testing and attempting to exploit vulnerabilities.

Good-to-Have Skills:

• Experience with threat intelligence and incorporating emerging threats into penetration testing practices.
• Proficiency in scripting and automation (e.g., Python, Bash) is a plus.

Professional Certifications

• Preferred: eJPT, eCPPT, eWPT, OSCP, OSWA, GWAPT

Soft Skills:

• Strong analytical and troubleshooting skills
• Strong verbal and written communication skills
• Ability to work effectively with global, virtual teams
• High degree of initiative and self-motivation
• Team oriented, with a focus on achieving team goals
• Strong presentation and public speaking skills