Manual Application Penetration Tester (Web & API)

Remote • Posted 30 days ago • Updated 30 days ago
Contract Corp To Corp
Contract Independent
No Travel Required
Remote
$55/yr

Job Details

Skills

  • Penetration Testing
  • Web Applications
  • Burp Suite
  • Manual Testing
  • API
  • OAuth
  • ethical hacking

Summary

Job Title:

Manual Application Penetration Tester (Web & API)

Contract Type:

Contract


Role Overview

We are seeking experienced Manual Application Penetration Testers to perform in-depth security testing of web applications, APIs, and mobile applications. This role requires hands-on, offensive security expertise with a strong focus on manual exploitation, business logic testing, and real-world attack simulation.

The ideal candidate can independently execute penetration testing engagements, clearly articulate findings to both technical and non-technical audiences, and guide remediation efforts.


Key Responsibilities

  • Perform manual application penetration testing of:

    • Web applications
    • REST & SOAP APIs
    • Mobile applications (iOS/Android – nice to have)
    • Thick client applications (where applicable)
  • Conduct business logic testing, threat modeling, and application architecture reviews

  • Identify and exploit vulnerabilities including (but not limited to):

    • IDOR / BOLA
    • Authentication & authorization flaws
    • Session management issues
    • Injection flaws (SQLi, XSS, XXE, etc.)
    • Logic flaws missed by automated scanners
  • Perform objective-based and abstract penetration testing engagements

  • Develop and demonstrate proof-of-concept (PoC) exploits

  • Use Burp Suite Pro extensively for manual testing (Repeater, Intruder, Decoder, etc.)

  • Present findings via live demos, written reports, and client readouts

  • Clearly communicate risks, impact, and remediation guidance

  • Work independently with minimal oversight while meeting delivery timelines


Required Qualifications

  • 5+ years of recent experience in manual application penetration testing

  • Strong experience testing:

    • Web applications
    • APIs (REST / SOAP)
  • Hands-on expertise with Burp Suite Pro

  • Proven ability to perform manual exploitation (not scanner-only testing)

  • Experience communicating results to both technical and non-technical stakeholders

  • Ability to lead remediation discussions and retesting efforts

  • Bachelor’s degree in Computer Science, Engineering, or equivalent industry experience


Preferred Qualifications

  • Mobile application penetration testing (iOS / Android)

  • Experience with tools such as:

    • Netsparker
    • OWASP ZAP
    • Postman / SoapUI
  • Experience with OAuth, JWT, and modern authentication mechanisms

  • Ethical hacking certifications (preferred, not required):

    • GWAPT
    • OSWE
    • OSWA
    • CREST

Nice-to-Have Experience

  • Threat modeling frameworks (STRIDE, PASTA, etc.)

  • Secure SDLC / DevSecOps exposure

  • Client-facing consulting or enterprise security engagements

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 91017409
  • Position Id: 8883384

Company Info

About HCP ONE LLC

We have an exceptional team. Each of our consultants offers specific subject matter expertise in industries, functional areas, and global and local markets.

Innovation

We have the courage to invent and champion unconventional solutions to problems.

Execution

We have a high hit ratio and absolutely razor-sharp execution.

Vision

"To be a premier international Human Capital Solutions firm defined by Character, Courage, and Competence, serving as a trusted partner in Executive Search and IT Staffing globally."

Mission

"To help clients across a range of industries build boards and executive leadership teams that can capitalize on digital transformation, globalization, and other trends."
