Overview
Skills
Job Details
Comtech LLC is seeking a highly skilled Lead Penetration Tester to spearhead the execution of the PSD Database Penetration Testing Project under the State of Vermont s Agency of Digital Services (ADS). The Lead Penetration Tester will be responsible for planning, conducting, and documenting comprehensive penetration tests across critical systems, applications, and databases, ensuring vulnerabilities are identified, validated, and communicated with actionable remediation strategies.
This position requires deep expertise in both black-box and authenticated penetration testing, with advanced proficiency in exploiting vulnerabilities in web applications, REST APIs, operating systems, and databases. The Lead Tester will collaborate closely with cybersecurity engineers, analysts, and the Project Manager to meet all testing milestones defined within the project SOW.
The Lead Penetration Tester will be responsible for tasks including but not limited to:
- Lead the end-to-end penetration testing effort for the PSD database environment and associated systems per the project SOW.
- Develop detailed penetration test plans, methodologies, and rules of engagement (ROE) aligned with NIST SP 800-115, OWASP, and CIS standards.
- Conduct external, internal, and web application penetration tests, including black-box, gray-box, and authenticated assessments.
- Perform detailed testing on REST APIs, authentication mechanisms, and session management controls.
- Execute network, database, and operating system exploitation to demonstrate the practical impact of identified vulnerabilities.
- Utilize both commercial and open-source tools (Burp Suite, Metasploit, Nmap, Nessus, SQLmap, Hydra, Cobalt Strike, etc.) to perform in-depth analysis.
- Develop and maintain custom scripts and exploits to verify vulnerability exploitation and validate remediation effectiveness.
- Generate and present technical and executive-level reports, detailing vulnerabilities, exploitation methods, risk ratings, and recommended mitigations.
- Work with client stakeholders to remediate and validate fixes through post-mitigation retesting.
- Ensure all testing and data handling activities are compliant with ADS cybersecurity policies, data privacy standards, and federal/state security requirements.
- Participate in status meetings, risk reviews, and deliverable walkthroughs with ADS/PSD stakeholders and Comtech s internal project management team.
- Support creation of the final Penetration Testing Report, Remediation Validation Report, and Destruction Attestation Report per SOW.
Required Qualifications - Lead Penetration Tester |
Bachelor s degree in Cybersecurity, Computer Science, Information Systems, or related technical field. | |
8+ years of hands-on experience in penetration testing, vulnerability assessment, and exploitation. | |
Proven expertise in black-box, gray-box, and authenticated penetration testing of applications, APIs, and infrastructure. | |
Demonstrated experience with REST API assessments, parameter fuzzing, and token-based authentication testing. | |
Strong working knowledge of OWASP Top 10, NIST SP 800-53/115, CIS Controls, and common exploit frameworks. | |
Experience performing manual and automated vulnerability validation using tools such as Burp Suite, OWASP ZAP, Nessus, Metasploit, Cobalt Strike, and Nmap. | |
Proficiency with scripting languages such as Python, Bash, or PowerShell for automation and custom testing. | |
Strong understanding of Active Directory, Windows/Linux hardening, and cloud environment security (AWS/Azure). | |
Excellent written and verbal communication skills, capable of producing executive-ready reports and technical documentation. | |
Ability to maintain the highest level of professionalism and discretion when handling sensitive client data. | |
Mandatory Certifications - Lead Penetration Tester | |
Offensive Security Certified Professional (OSCP) | |
Certified Information Systems Security Professional (CISSP) | |
Certified Ethical Hacker (CEH)) | |
GIAC Penetration Tester (GPEN) (preferred) |