cyber security engineer

Overview

On Site
$70 - $80
Accepts corp to corp applications
Contract - W2
Contract - Independent
Contract - 10 Month(s)
No Travel Required

Skills

HTTP
GraphQL
DevSecOps

Job Details

Job Summary

The Penetration Testing Engineer will be responsible for conducting in-depth web application, mobile application, and API security testing across business-critical platforms.

The role requires hands-on expertise in Burp Suite, deep understanding of offensive security methodologies, and the ability to identify, exploit, and document security vulnerabilities.

The engineer will work closely with development, DevSecOps, and risk teams to ensure secure SDLC practices and support remediation of discovered vulnerabilities.

Years of experience needed: 5-8 years of total experience in application or API penetration testing, with at least 3+ years in hands-on offensive test

Key Responsibilities:

  1. Penetration Testing & Vulnerability Assessment
  • Perform manual and automated penetration testing on web, mobile, and API endpoints.
  • Use Burp Suite Professional extensively for intercepting, modifying, and exploiting HTTP/S traffic.
  • Conduct source code-assisted testing when applicable to identify deeper logic flaws.
  • Simulate real-world attack scenarios using OWASP Top 10, SANS 25, and API Security Top 10 frameworks.
  • Identify authentication, authorization, session management, and input validation flaws.
  2. API Security Testing
  • Perform REST and GraphQL API penetration testing, including JWT, OAuth, and token manipulation.
  • Validate business logic vulnerabilities and parameter tampering across microservices.
  • Use tools such as Postman, Burp Suite, and OWASP ZAP for fuzzing, interception, and payload injection.
  • Validate API schema misconfigurations, rate limiting, and data exposure issues.
  3. Offensive Security & Exploitation
  • Execute custom payloads and exploits to demonstrate risk severity to stakeholders.
  • Develop proof-of-concept (PoC) exploits to validate identified vulnerabilities.
  • Emulate attacker tactics, techniques, and procedures (TTPs) from MITRE ATT&CK and CWE references.
  • Perform targeted assessments on authentication bypass, privilege escalation, and input deserialization.
  4. Reporting & Remediation Support
  • Document detailed findings, reproduction steps, impact analysis, and mitigation recommendations.
  • Collaborate with developers and DevSecOps teams to ensure timely patching and secure code fixes.
  • Participate in vulnerability triage and retesting post-remediation.
  • Present reports to technical and management stakeholders in clear, risk-prioritized language.
  5. Security Process & Continuous Improvement
  • Integrate testing results into CI/CD pipelines where possible (DevSecOps enablement).
  • Contribute to secure coding guidelines and training sessions for developers.
  • Evaluate emerging attack trends, new CVEs, and offensive security tools to keep the testing framework current.
  • Assist in developing internal scripts, extensions, or automation workflows for testing efficiency.

We are an equal opportunity employer. All aspects of employment including the decision to hire, promote, discipline, or discharge, will be based on merit, competence, performance, and business needs. We do not discriminate on the basis of race, color, religion, marital status, age, national origin, ancestry, physical or mental disability, medical condition, pregnancy, genetic information, gender, sexual orientation, gender identity or expression, national origin, citizenship/ immigration status, veteran status, or any other status protected under federal, state, or local law.

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.

About Cloud Bigdata