Application Pen Tester (W2)

Hybrid in Charlotte, NC, US • Posted 1 day ago • Updated 1 day ago
Full Time
No Travel Required
Hybrid
$60 - $65/yr

Job Details

Skills

  • OSCP
  • Defect Analysis
  • Conflict Resolution
  • API QA
  • OWASP
  • PCI DSS
  • Regulatory Compliance
  • Testing
  • Penetration Testing
  • Scripting
  • Continuous Improvement
  • Authorization
  • Test Methods
  • Manual Testing
  • Problem Solving
  • WebInspect
  • Web API

Summary

Title: Application Pen Tester
Duration: 12-month
Location:  Charlotte NC/Hybrid

Visa: USC
W2 Role

Other locations: Dallas, Minneapolis, Chandler, Des Moines, Columbus, Raleigh, San Antonio

Client is seeking an Application Pen Tester to identify, validate, and exploit security vulnerabilities through hands-on, manual testing across a broad range of application technologies. Browser-based/web and API testing are required, along with experience in one or more of the following: mobile, mainframe, or thick client testing. Successful candidates will have demonstrable, real-world manual penetration testing experience and be comfortable going beyond automated scanner output to reproduce, validate, and investigate findings. Success in this role means delivering high-confidence, reproducible vulnerabilities with clear evidence and practical remediation guidance, and partnering with application teams to drive timely fixes.

 

In this role, you will:

  • Conduct application penetration testing across browser-based/web applications, APIs, and mobile applications (and where applicable mainframe and thick client applications) using primarily manual techniques supplemented by automated tools; include authentication/authorization testing and business-logic abuse cases where applicable
  • Configure and tune automated tools to support testing, improve coverage, and accelerate discovery (as a complement to manual testing)
  • Perform deep defect analysis by reproducing, validating, and safely demonstrating impact (including chained attack paths when applicable); triage and disposition false positives from automated tooling
  • Produce clear, reproducible technical reports with evidence (steps to reproduce, impacted components/endpoints, and risk/impact) and practical remediation guidance
  • Collaborate with application and security teams to ensure shared understanding of defects, prioritization, and remediation paths; support defect walkthroughs and follow-up questions as needed
  • Support continuous improvement of testing methodologies and processes leveraging industry standards and best practices
  • Collaborate with other members of the team to share knowledge and complete peer reviews of reports
  • Communicate findings and risk clearly to technical and non-technical stakeholders, support readouts, status updates, and remediation Q&A

 

Required Qualifications:

  • 2+ years of Cybersecurity Research experience, or equivalent demonstrated through one or a combination of the following: work experience, training, military experience, education
  • 2+ years of hands-on application penetration testing experience (manual testing required), beyond reviewing/validating automated scanner results
  • 2+ years of Dynamic Application Security Testing (DAST) experience, including tool configuration/tuning and manual verification of findings

 

Desired Qualifications:

  • Advanced experience with testing tools such as Burp Suite, Invicti, WebInspect, and Fiddler (and applying them to web, API, mobile, and thick client testing as applicable)
  • Strong knowledge of application security and common vulnerabilities (OWASP Top 10)
  • Experience with scripting and automation (e.g., Python, Shell)
  • Knowledge of security best practices and compliance standards (e.g., PCI DSS, GDPR)
  • Excellent communication skills and the ability to collaborate effectively with cross-functional teams
  • Strong problem-solving and analytical skills
  • Demonstrated knowledge of AI/ML-enabled applications and common security risks (for example, prompt injection, sensitive data exposure, and insecure integrations)
  • Security certifications such as OSCP, BSCP, GWAPT, GPEN, GXPN or equivalent are a plus

Thanks & Regards.

 

Aviral Sapra

Voto Consulting LLC

Direct #:

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 91014022
  • Position Id: 8994682

Company Info

About Voto Consulting LLC

Who we are & What we do

Voto is a new-era technology enabler that aims to revolutionize digital transformation for enterprises and technology providers by delivering seamless customer experiences, business efficiency and actionable insights. We do this by leveraging a spectrum of disruptive technologies such as artificial intelligence, blockchain, cloud, digital process automation, internet of things, robotics/drones, security, virtual/augmented reality, etc.

Agility is in our DNA, and it enhances our capabilities, which span digital solutions, infrastructure, product engineering and security. We deliver these services across industry sectors such as automotive, BFSI, consumer packaged goods, e-commerce, Edu-Tech, engineering R&D, hi-tech, manufacturing, retail, and travel/transportation/hospitality.

Recognized as one of the fastest-growing IT services firms globally, Voto is delivering solutions across North America, Europe, Middle East, and APAC countries.

Voto Consulting LLC is currently accepting resumes for a variety of positions. Please review the database of positions that we are seeking to fill and contact us for additional information about any specific opportunity.
