Senior Security Penetration Tester

Agapi Club, Dubai

Job Description

POSITION OVERVIEW

We are seeking a highly skilled and analytical Senior Security Penetration Tester to join our Cyber Security team. This is not a checklist-based role; we are looking for a dedicated security professional who possesses an adversarial mindset. The successful candidate will go beyond automated scanning to perform deep-dive manual exploitation, identifying complex logic flaws and architectural weaknesses that automated tools often overlook.

KEY RESPONSIBILITIES
  • Full-Spectrum Penetration Testing: Execute comprehensive security assessments across diverse environments, including Web Applications, Mobile Platforms (iOS/Android), Cloud Infrastructure (AWS/GCP), and internal corporate networks.
  • Deep-Dive API & IAM Analysis: Perform rigorous testing on the backbone of our digital services, focusing on API security, authentication protocols, and Identity & Access Management (IAM) to prevent unauthorized privilege escalation.
  • Vulnerability Chaining & Impact Analysis: Correlate disparate vulnerabilities to build comprehensive attack scenarios. Demonstrate the potential business impact of findings through clear, reproducible Proofs of Concept (PoCs).
  • Strategic Remediation & Reporting: Deliver high-quality technical reports for both technical and executive audiences. Provide actionable, risk-based remediation guidance to development teams to strengthen the organizational security posture.
  • Security Research: Stay abreast of the latest threat actor TTPs (Tactics, Techniques, and Procedures) and integrate new exploitation methods into the testing lifecycle.

PROFESSIONAL REQUIREMENTS
  • Experience: A minimum of 3 years of professional experience in dedicated offensive security or penetration testing roles.
  • Web Security Mastery: Expert knowledge of the OWASP Top 10 and advanced exploitation techniques, including Insecure Deserialization, Blind Injections, GraphQL vulnerabilities, and complex business logic flaws.
  • Mobile Application Security: Proficiency in both static and dynamic analysis for iOS and Android. Experience with tools such as Frida and MobSF, and a deep understanding of mobile-specific risks and anti-tampering bypasses.
  • Cloud Infrastructure Security: Proven experience in auditing and exploiting Cloud environments (AWS or GCP), with a focus on misconfigurations, container security, and cloud-native IAM weaknesses.
  • Technical Toolset: Advanced proficiency with Burp Suite Professional. Ability to develop custom scripts and exploit code using Python, Bash, or PowerShell.
  • Analytical Mindset: Strong ability to think critically and simulate sophisticated cyber-attacks to identify hidden risks.

DESIRED QUALIFICATIONS
  • Specialized Domain Knowledge: Previous experience in Game Security (including client/server architecture and anti-cheat systems) is highly regarded.
  • Professional Certifications: Holding industry-recognized certifications such as:
      • OffSec: OSWE, OSCP, or OSEP.
      • HTB/TCM: CWES, CWEE, PWPE, or PMPA.
      • Specialized: CMSE (Cloud), ASCP (API), or GIAC (GMOB, GWAPT, GCPN).
  • Industry Contributions: Active participation in Bug Bounty programs (HackerOne, Bugcrowd) or a history of discovered and documented CVEs.