İnnovasiya və Rəqəmsal İnkişaf Agentliyi

Leading Penetration Tester

04-06-2025


Description

We are seeking a highly skilled and relentless Penetration Tester to lead complex offensive security operations across modern web applications, mobile platforms, APIs, and hybrid network environments. This is not a scanner role; we’re looking for someone who thrives in deep manual analysis, can creatively bypass hardened defenses, and pivot through segmented networks like a true adversary.


  • Conduct advanced manual penetration testing across applications and infrastructure, uncovering business logic abuses, race conditions, and chained vulnerabilities beyond the scope of automated tools;
  • Execute black-box and gray-box engagements with and without credentials, simulating persistent threat actors with advanced TTPs;
  • Perform deep-dive manual secure code reviews across various tech stacks, identifying subtle implementation flaws in logic, cryptography, and access control;
  • Develop custom tooling, payloads, or exploits when commercial or open-source solutions fall short;
  • Participate in or lead red team engagements, including phishing, physical intrusion planning, and lateral movement through complex enterprise networks;
  • Act as a strategic partner to DevSecOps and Product teams, proactively shaping secure architecture and mitigating threats early in the SDLC;
  • Mentor junior team members and contribute to internal offensive R&D, methodology refinement, and tooling innovation.

Requirements

  • Minimum 2+ years of proven hands-on experience conducting advanced penetration tests across diverse environments, including internal/external infrastructure, cloud environments, APIs, and client-facing applications;
  • Deep expertise in manual exploitation techniques — not reliant on scanners — across web, network, wireless, mobile (iOS/Android), and API attack surfaces;
  • Hands-on understanding of CI/CD security integration, with the ability to inject custom or open-source security tooling into automated pipelines (GitHub Actions, GitLab CI, Jenkins, etc.);
  • Mastery of multiple operating systems, including Windows (Active Directory environments), Linux/Unix, and mobile platforms like iOS and Android, especially from an attacker’s perspective;
  • Strong grasp of modern web/mobile application architectures, including microservices, containerization (Docker/Kubernetes), authentication/authorization protocols (OAuth2.0, SAML, OpenID Connect), and modern front-end frameworks;
  • Proficient in at least one scripting or programming language such as Python, JavaScript, Bash, Go, or PowerShell — and capable of building tools, exploits, or automation scripts when needed;
  • One or more advanced offensive security certifications are highly preferred and demonstrate your technical depth. Examples include: OSCP, OSWE, OSEP, CRTO, CRTL, eWPT, eWPTX, eMAPT, eCPPT, eCPTX.

About the vacancy

Deadline

July 14, 2025

Posted

June 4, 2025

Job type

Full-time

Experience

3-4 years

Position level

Specialist

Education

Bachelor's degree

Category

Science, Technology and Engineering