Cybersecurity Penetration Tester

Location: Remote, United States
Job Type: Full-Time / Contract / Specialist
Work Arrangement: Remote
Department: Cybersecurity / Offensive Security / Security Testing / Application Security
Reports To: Head of Security / Offensive Security Lead / Security Manager / CISO

Role Overview

We are seeking a technically strong and detail-oriented Cybersecurity Penetration Tester to perform ethical hacking and penetration testing across applications, APIs, infrastructure, cloud environments, and internal systems. This role is responsible for identifying security weaknesses through controlled testing, validating exploitable risks, documenting findings clearly, supporting remediation efforts, and helping improve the organization’s secure release readiness.

The ideal candidate has hands-on experience with both manual and tool-based penetration testing and is comfortable assessing web applications, APIs, cloud services, internal networks, and supporting systems for real-world security exposure. This person should be able to think like an attacker while maintaining disciplined testing practices, strong reporting standards, and clear communication with technical and non-technical stakeholders.

This is a remote USA-based role, suited for someone with strong offensive security capability, practical knowledge of common attack paths, and the ability to translate technical findings into actionable remediation guidance.

Key Responsibilities

Penetration Testing & Vulnerability Assessment

• Conduct vulnerability assessments and penetration tests across web applications, APIs, internal systems, infrastructure, cloud environments, and supporting platforms
• Perform ethical hacking activities in a controlled and authorized manner to identify exploitable weaknesses and security gaps
• Assess systems for misconfigurations, insecure logic, exposed services, weak access controls, and common technical vulnerabilities
• Use both manual testing techniques and approved security tools to validate risk in realistic attack scenarios
• Prioritize testing activities based on business criticality, exposure, and risk profile

Application, API & Internal Systems Testing

• Test web applications, APIs, portals, dashboards, authentication flows, and internal platforms for security weaknesses
• Assess application security against common attack paths such as injection flaws, broken authentication, insecure direct object access, access control weaknesses, logic abuse, and session handling issues
• Evaluate internal systems and infrastructure for privilege escalation opportunities, lateral movement risks, insecure services, weak segmentation, or exploitable configurations
• Support targeted assessments of new releases, high-risk applications, and business-critical systems
• Help improve confidence in the security posture of customer-facing and internal technology assets

Cloud & Infrastructure Security Testing

• Perform assessments across cloud resources, infrastructure components, exposed services, administrative interfaces, and connected systems
• Review attack surfaces across cloud and hybrid environments to identify security weaknesses, configuration gaps, and excessive exposure
• Assess identity-related weaknesses, storage exposure, misconfigurations, insecure network paths, and privilege issues where relevant
• Support security testing of infrastructure components that influence production readiness and operational resilience
• Help strengthen security posture across modern infrastructure environments through practical offensive testing insights

Findings Documentation & Remediation Guidance

• Document findings clearly, accurately, and professionally with severity, technical detail, business context, and remediation recommendations
• Prepare reports that explain exploited weaknesses, attack paths, affected assets, evidence, risk implications, and next-step recommendations
• Translate technical findings into actionable remediation guidance for engineering, infrastructure, product, or security teams
• Ensure reporting is structured for both technical audiences and management stakeholders where needed
• Maintain high standards of technical reporting and evidence handling throughout each engagement

Re-Testing & Validation

• Validate fixes through re-testing after remediation actions have been completed
• Confirm whether vulnerabilities have been properly resolved, partially mitigated, or remain exposed
• Work with technical teams to clarify reproduction steps, remediation expectations, and residual risk where needed
• Support secure release readiness by helping ensure critical vulnerabilities are resolved before production rollout
• Contribute to stronger remediation accountability and more effective security closure processes

Security Readiness & Continuous Improvement

• Support secure release readiness by identifying security issues early in the delivery lifecycle where possible
• Help improve testing scope, methodology, reporting quality, and remediation workflows over time
• Contribute to repeatable security testing practices, playbooks, and assessment standards
• Share relevant insights on recurring weaknesses, common attack paths, and systemic security improvement areas
• Work with security and engineering teams to strengthen overall security maturity through practical offensive testing input

Requirements

• Bachelor’s degree in Cybersecurity, Information Security, Computer Science, Information Systems, or a related field preferred
• Proven experience in penetration testing, offensive security, ethical hacking, vulnerability assessment, or application security testing
• Experience with manual and tool-based penetration testing
• Strong knowledge of OWASP, common attack paths, and exploit techniques
• Experience testing web applications, APIs, infrastructure, internal systems, or cloud environments
• Strong technical reporting ability with clear remediation documentation
• Ability to identify, validate, and explain real-world security weaknesses
• Strong understanding of attacker techniques, common vulnerabilities, and security testing workflows
• Strong analytical thinking and technical problem-solving skills
• Ability to work responsibly and effectively in a remote and security-sensitive environment

Preferred Qualifications

• Familiarity with testing methodologies and frameworks such as OWASP Top 10, API Security Top 10, PTES, NIST guidance, or similar
• Experience with tools such as Burp Suite, Nmap, Metasploit, Nessus, Nikto, ffuf, sqlmap, Wireshark, Postman, or similar
• Exposure to cloud security testing across AWS, Azure, or Google Cloud
• Experience assessing authentication systems, identity flows, role-based access models, and internal network trust boundaries
• Understanding of secure development practices, remediation strategies, and secure release validation
• Experience supporting security reviews in SaaS, enterprise, fintech, health, or regulated environments
• Relevant certifications such as OSCP, PNPT, CEH, GWAPT, GPEN, eJPT, or similar are a plus
• Experience working with developers, DevOps teams, cloud teams, or security engineering teams on remediation and retesting is advantageous

Core Skills

• Penetration testing
• Ethical hacking
• Vulnerability assessment
• Web application security testing
• API security testing
• Infrastructure security testing
• Cloud security testing
• Exploit validation
• Remediation reporting
• Re-testing and fix validation
• OWASP knowledge
• Attack path analysis
• Technical documentation
• Secure release support
• Offensive security analysis

Key Competencies

• Strong technical curiosity
• High attention to detail
• Structured investigative thinking
• Strong ethical judgment
• Clear technical communication
• Ability to balance depth with practicality
• Strong analytical problem-solving
• Ownership and accountability
• Discipline in testing and evidence handling
• Continuous improvement mindset

Success Metrics

• High-quality penetration test coverage across critical systems
• Clear, accurate, and actionable vulnerability reporting
• Effective identification of exploitable weaknesses before production impact
• Strong remediation validation and retesting outcomes
• Improved secure release readiness across tested applications and environments
• Positive collaboration with engineering, infrastructure, and security teams
• Reduced recurring security weaknesses through better testing insight and follow-up

Working Conditions

• Fully remote role based in the United States
• Standard business hours aligned with U.S. time zones, with flexibility depending on testing windows or coordinated assessments
• Frequent collaboration with security, engineering, DevOps, cloud, infrastructure, and product teams through virtual meetings and security workflows
• May support multiple assessments, re-testing cycles, or security review workstreams at the same time