Job Title: Manual Application Penetration Tester (Web & API)
Contract Type: Contract
Role Overview
We are seeking experienced Manual Application Penetration Testers to perform in-depth security testing of web applications, APIs, and mobile applications. This role requires hands-on, offensive security expertise with a strong focus on manual exploitation, business logic testing, and real-world attack simulation.
The ideal candidate can independently execute penetration testing engagements, clearly articulate findings to both technical and non-technical audiences, and guide remediation efforts.
Key Responsibilities
- Perform manual application penetration testing of:
  - Web applications
  - REST & SOAP APIs
  - Mobile applications (iOS/Android – nice to have)
  - Thick client applications (where applicable)
- Conduct business logic testing, threat modeling, and application architecture reviews
- Identify and exploit vulnerabilities including (but not limited to):
  - IDOR / BOLA
  - Authentication & authorization flaws
  - Session management issues
  - Injection flaws (SQLi, XSS, XXE, etc.)
  - Logic flaws missed by automated scanners
- Perform objective-based and abstract penetration testing engagements
- Develop and demonstrate proof-of-concept (PoC) exploits
- Use Burp Suite Pro extensively for manual testing (Repeater, Intruder, Decoder, etc.)
- Present findings via live demos, written reports, and client readouts
- Clearly communicate risks, impact, and remediation guidance
- Work independently with minimal oversight while meeting delivery timelines
Required Qualifications
- 5+ years of recent experience in manual application penetration testing
- Strong experience testing:
  - Web applications
  - APIs (REST / SOAP)
- Hands-on expertise with Burp Suite Pro
- Proven ability to perform manual exploitation (not scanner-only testing)
- Experience communicating results to both technical and non-technical stakeholders
- Ability to lead remediation discussions and retesting efforts
- Bachelor’s degree in Computer Science, Engineering, or equivalent industry experience
Preferred Qualifications
- Mobile application penetration testing (iOS / Android)
- Experience with tools such as:
  - Netsparker
  - OWASP ZAP
  - Postman / SoapUI
- Experience with OAuth, JWT, and modern authentication mechanisms
- Ethical hacking certifications (preferred, not required):
  - GWAPT
  - OSWE
  - OSWA
  - CREST
Nice-to-Have Experience
- Threat modeling frameworks (STRIDE, PASTA, etc.)
- Secure SDLC / DevSecOps exposure
- Client-facing consulting or enterprise security engagements