Job Title: Senior Analyst - Penetration Tester

Location: Hybrid (2 days in the office)

Type: Full Time

Role overview

We are looking for a Senior Penetration Tester to lead testing across web applications, APIs, cloud services (Azure, AWS, GCP) and internal environments. You’ll work closely with AppSec, cloud, vulnerability, and threat hunting teams, using Veracode and Burp as core tools and following up with deep manual testing. The role includes occasional planned evening and weekend work for production testing, with comp days so your week still averages ~40 hours / 5 days.

Key responsibilities

• Lead penetration tests for web and API applications, including modern JavaScript apps, WordPress and Apache-based services.
• Use Veracode SAST/DAST and Burp Suite to identify issues, then perform manual testing to uncover logic, authorization, and high-impact vulnerabilities.
• Test Azure, AWS and GCP environments using tools like ScoutSuite, Prowler, Pacu (or similar) to find misconfigurations and escalation paths.
• Assess Active Directory and Azure AD using BloodHound (and similar tools) to identify and validate attack paths.
• Perform security testing of AI/ML/LLM-backed features and integrations to identify data leakage, unsafe integrations and abuse paths.
• Manually retest vulnerabilities—primarily on the external attack surface, with some internal scope—to confirm that remediation is effective.
• Work with threat hunters and detection engineers to simulate attacks and validate that new or updated detections behave as intended and don’t create excessive noise.
• Produce clear reports and explain technical findings, impact and remediation options to both technical and non-technical stakeholders.
• Participate in planned evening and weekend testing windows, with weekdays off in exchange so total time stays within normal full-time hours.

Required experience & skills

• 5+ years of hands-on penetration testing or offensive security experience, including leading complex engagements.
• Strong experience in web and API testing, including OWASP-style issues and business logic/authorization flaws.
• Practical experience with Veracode (or a similar SAST/DAST platform) and advanced use of Burp Suite.
• Experience testing all three major clouds: Azure, AWS, and GCP.
• Hands-on assessment of AD/Azure AD using BloodHound or comparable tooling.
• Experience testing AI/ML/LLM-backed systems or AI-enabled features from a security perspective.
• Comfortable with planned off-hours work (evenings/weekends) when required, with comp days to keep workload reasonable.
• Strong written and verbal communication skills in English.

Preferred qualifications

• Mobile app testing experience (e.g., MobSF, Frida).
• Familiarity with additional AD tools (e.g., PingCastle).
• Experience building custom scripts, PoCs, or exploits (Python, PowerShell, Bash, etc.) to exercise vulnerabilities and test controls.
• Certifications such as OSCP, GPEN, GXPN, CEH or similar.

Working in our international team

• Lead and participate in engagements with stakeholders across multiple regions.
• Heavy use of written communication (tickets, docs, reports).
• Contribute to an environment that encourages sharing research, tooling, and lessons.
• Close collaboration with Vulnerability and Threat Hunting teams.