Application Pen Tester (W2)
$ cat job-description.txt
Title: Application Pen Tester
Duration: 12-month
Location: Charlotte NC/Hybrid
Visa: USC
W2 Role
Other locations: Dallas, Minneapolis, Chandler, Des Moines, Columbus, Raleigh, San Antonio
Client is seeking an Application Pen Tester to identify, validate, and exploit security vulnerabilities through hands-on, manual testing across a broad range of application technologies. Browser-based/web and API testing are required, along with experience in one or more of the following: mobile, mainframe, or thick client testing. Successful candidates will have demonstrable, real-world manual penetration testing experience and be comfortable going beyond automated scanner output to reproduce, validate, and investigate findings. Success in this role means delivering high-confidence, reproducible vulnerabilities with clear evidence and practical remediation guidance, and partnering with application teams to drive timely fixes.
In this role, you will:
- Conduct application penetration testing across browser-based/web applications, APIs, and mobile applications (and where applicable mainframe and thick client applications) using primarily manual techniques supplemented by automated tools; include authentication/authorization testing and business-logic abuse cases where applicable
- Configure and tune automated tools to support testing, improve coverage, and accelerate discovery (as a complement to manual testing)
- Perform deep defect analysis by reproducing, validating, and safely demonstrating impact (including chained attack paths when applicable); triage and disposition false positives from automated tooling
- Produce clear, reproducible technical reports with evidence (steps to reproduce, impacted components/endpoints, and risk/impact) and practical remediation guidance
- Collaborate with application and security teams to ensure shared understanding of defects, prioritization, and remediation paths; support defect walkthroughs and follow-up questions as needed
- Support continuous improvement of testing methodologies and processes leveraging industry standards and best practices
- Collaborate with other members of the team to share knowledge and complete peer reviews of reports
- Communicate findings and risk clearly to technical and non-technical stakeholders, support readouts, status updates, and remediation Q&A
Required Qualifications:
- 2+ years of Cybersecurity Research experience, or equivalent demonstrated through one or a combination of the following: work experience, training, military experience, education
- 2+ years of hands-on application penetration testing experience (manual testing required), beyond reviewing/validating automated scanner results
- 2+ years of Dynamic Application Security Testing (DAST) experience, including tool configuration/tuning and manual verification of findings
Desired Qualifications:
- Advanced experience with testing tools such as Burp Suite, Invicti, WebInspect, and Fiddler (and applying them to web, API, mobile, and thick client testing as applicable)
- Strong knowledge of application security and common vulnerabilities (OWASP Top 10)
- Experience with scripting and automation (e.g., Python, Shell)
- Knowledge of security best practices and compliance standards (e.g., PCI DSS, GDPR)
- Excellent communication skills and the ability to collaborate effectively with cross-functional teams
- Strong problem-solving and analytical skills
- Demonstrated knowledge of AI/ML-enabled applications and common security risks (for example, prompt injection, sensitive data exposure, and insecure integrations)
- Security certifications such as OSCP, BSCP, GWAPT, GPEN, GXPN or equivalent are a plus
Thanks & Regards.
Aviral Sapra
Voto Consulting LLC
Direct #:
first seen 2026-06-12 08:40:01 · last verified 2026-06-12 08:40:01
pentestcareers.com // breach the job market