Lead Application Penetration Tester - 4 days onsite, Washington D.C.

Overview

On Site
160k - 180k
Full Time

Skills

Cloud Computing
Microservices
Vulnerability Scanning
Emulation
Continuous Integration
Continuous Delivery
Security Controls
Presentations
Threat Analysis
Research
Knowledge Sharing
Penetration Testing
Code Review
Network
System Security
Mentorship
Testing
Mobile Applications
Programming Languages
Python
Perl
Ruby
Bash
C
C++
C#
JavaScript
Java
Security QA
SCA
Coverity
Fortify
OWASP
Netsparker
Burp Suite
SAP BASIS

Job Details

Lead Application Penetration Tester

As the Lead Security Engineer, you'll serve as both a technical expert and team leader, guiding a group of security testers through comprehensive assessments of a cloud-native, microservices-based environment.

The company is located in Washington D.C., and the role is onsite 4 days a week.

What You Will Be Doing:
  • Lead and mentor a team of security testers, ensuring consistent delivery of high-quality security assessments.
  • Conduct comprehensive technical testing of web and mobile applications, including source code analysis, penetration testing, vulnerability scanning, adversary emulation, and validation of security controls.
  • Perform detailed source code reviews and provide expert consulting on identified security findings.
  • Implement and maintain both static and dynamic security testing methodologies.
  • Integrate automated security testing and monitoring into CI/CD pipelines to enhance continuous assurance.
  • Validate security controls across web resources, mobile applications, and associated backend services.
  • Document, prioritize, and communicate findings and remediation recommendations to key stakeholders.
  • Create clear, detailed reports and presentations tailored for technical and non-technical audiences.
  • Apply adversarial tradecraft and cyber threat intelligence to design, emulate, and execute realistic assessments.
  • Conduct innovative research and foster a culture of continuous learning and knowledge sharing.
  • Design new penetration assessments based on prior findings and evolving client environments.
  • Develop or adapt custom tools and processes to address identified needs and improve program effectiveness.
Required Skills & Experience:
  • 5+ years of experience in application penetration testing, source code review, or related areas (or 5+ years designing web/mobile apps with at least 3 years in security testing, red teaming, or purple teaming).
  • Strong foundation in application, network, and system security principles.
  • Proven experience leading security assessments and mentoring technical teams.
  • Expertise in static code analysis and testing of web and mobile applications.
  • Proficiency in multiple programming languages such as Python, Perl, Ruby, Bash, C/C++, C#, JavaScript, and Java.
  • Hands-on experience with security testing tools like Burp Suite Pro and its relevant plugins/extensions.
  • Familiarity with DAST/SAST/SCA tools such as Black Duck, Coverity, Datadog, Checkmarx, Fortify, OWASP ZAP, Acunetix, Netsparker, Veracode, PlexTrac, and Burp Suite.
Applicants must be currently authorized to work in the United States on a full-time basis now and in the future.
This position doesn't provide sponsorship.
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.

About Motion Recruitment Partners, LLC