Senior Penetration Tester

hatch22, United States
Remote

Job Description

Location: United States (Remote)

Experience: 5+ years in offensive security or penetration testing

Employment Type: Full-time or Contract (depending on fit)

Role Overview

We are seeking a Senior Penetration Tester with deep hands-on offensive security experience across modern enterprise environments. This role goes beyond running scanners. You will simulate real-world adversaries, identify complex attack paths, validate exploitability, and clearly communicate risk to both technical and executive stakeholders.

The ideal candidate demonstrates strong technical depth, disciplined methodology, and sound judgment, with experience testing cloud-native, SaaS, and hybrid environments.

Key Responsibilities

  • Conduct manual penetration tests across web applications, APIs, internal networks, cloud infrastructure, and enterprise environments
  • Perform red-team style attack simulations, including privilege escalation, lateral movement, and data exfiltration scenarios
  • Execute cloud penetration testing in AWS, Azure, and/or GCP environments
  • Test REST and GraphQL APIs, authentication flows, and authorization boundaries
  • Identify and validate business logic flaws, chained vulnerabilities, and real-world exploit paths
  • Develop custom proof-of-concept exploits and tooling when automated tools are insufficient
  • Produce high-quality reports with clear remediation guidance and risk prioritization
  • Partner with engineering, security, and leadership teams to explain findings and drive remediation
  • Mentor junior testers and contribute to internal testing standards and methodologies

Required Qualifications

  • 5 or more years of hands-on penetration testing or offensive security experience
  • Strong understanding of networking, operating systems, and application security
  • Advanced experience with manual web application testing, including OWASP Top 10 and beyond
  • Deep knowledge of authentication and authorization weaknesses, including OAuth, SAML, JWT, and session management
  • Proven experience testing cloud environments (IAM, storage, networking, misconfigurations, privilege escalation)
  • Proficiency with common tools such as Burp Suite, Metasploit, Nmap, BloodHound, and custom scripts
  • Working knowledge of scripting or programming (Python, Bash, PowerShell, JavaScript, or similar)
  • Strong written and verbal communication skills, with the ability to explain risk clearly

Preferred

  • Experience with red team operations or adversary emulation frameworks
  • API security specialization, including rate-limit bypasses and auth abuse
  • Container and Kubernetes security testing
  • Mobile application penetration testing (iOS or Android)
  • Familiarity with CI/CD pipeline security and supply-chain attack vectors
  • Contributions to open-source security tools, research, or published findings

Certifications (Preferred)

  • OSCP, OSCE, CRTO, GWAPT, or equivalent offensive security certifications
  • Cloud security certifications with hands-on focus

Work Authorization and Location

  • Must be U.S.-based
  • Must be authorized to work in the United States
  • Fully remote role

What We Value

  • Strong bias toward manual testing and critical thinking over automated scanning
  • Clear, concise, and professional communication
  • Integrity, discretion, and responsible disclosure mindset
  • Ability to operate independently while collaborating effectively
