We are seeking an experienced Penetration Tester to conduct comprehensive security assessments of our web applications and cloud infrastructure. This role is critical in ensuring our compliance with ISO27001 and SOC2 standards while identifying and helping remediate security vulnerabilities before they can be exploited.
The ideal candidate will have extensive experience in web application penetration testing, particularly in large-scale environments, and the ability to communicate complex technical findings to both technical and non-technical stakeholders.
Responsibilities
Technical Responsibilities
- Conduct comprehensive penetration tests on web applications, APIs, and cloud infrastructure
- Perform security assessments following OWASP Testing Guide and PTES methodologies
- Identify and exploit vulnerabilities in accordance with the OWASP Top 10
- Execute both automated and manual testing techniques
- Develop proof-of-concept exploits to demonstrate vulnerability impact
- Assess AWS cloud environment security configurations
- Perform post-exploitation activities including privilege escalation and lateral movement
- Validate remediation efforts through retesting
Compliance & Reporting
- Ensure penetration testing meets ISO27001, SOC2, and other compliance requirements
- Produce comprehensive technical reports with CVSS scoring
- Create executive summaries that translate technical risks into business impact
- Provide attestation letters for compliance purposes
Communication & Collaboration
- Present findings to technical teams and management
- Provide clear, actionable remediation guidance
- Collaborate with development teams to understand application architecture
Requirements
Experience
- Minimum 3+ years of hands-on penetration testing experience
- Proven track record of conducting web application penetration tests on large, complex environments
- Demonstrated experience with enterprise-scale assessments
- Prior experience with compliance-driven penetration testing (ISO27001, SOC2, and/or PCI-DSS) is a preferred
Technical Skills
- Expert proficiency with web penetration testing tools including but not limited to:
- Burp Suite Professional
- OWASP ZAP
- Nmap
- Metasploit Framework
- SQLMap
- Custom scripting tools
- Deep understanding of the OWASP Top 10 vulnerabilities and testing methodologies
- Comprehensive knowledge of PTES (Penetration Testing Execution Standard) technical guidelines
- Strong understanding of web technologies: HTTP/HTTPS, REST APIs, JavaScript, SQL, etc.
- Experience with AWS environments including:
- EC2, S3, RDS, Lambda
- IAM policies and roles
- VPC and network security
- AWS-specific attack vectors
- Proficiency in scripting languages (Python, Bash, PowerShell, etc.)
- Knowledge of common web frameworks and their security implications
Professional Certifications (Required)
- Must hold at least ONE medior/senior-level penetration testing certification:
- Note: Junior certifications (CEH, Security+, PenTest+, etc.) alone are NOT sufficient for this role.
Communication Skills
- Excellent technical writing skills in English for detailed pentest reports
- Outstanding non-technical writing abilities for executive summaries and business communications
- Proven ability to translate complex technical vulnerabilities into business risk language
- Strong documentation skills for creating testing methodologies and procedures
Compliance Knowledge
- Understanding of penetration testing requirements within:
- ISO/IEC 27001:2023 framework
- SOC2 Type I/II criteria
- PCI-DSS requirements (preferred)
- Experience providing compliance attestation and evidence
- Knowledge of regulatory requirements affecting security testing
Nice to haves
While not specifically required, tell us if you have any of the following.
- Japanese language proficiency is not required, but is very welcome
- Knowledge of container penetration testing (Docker, Kubernetes)
- Experience with infrastructure as code (Terraform)
- OSWE (Offensive Security Web Expert)
