Security Engineer – Penetration Testing
$ cat job-description.txt
Job Description:
- Plan, execute, and document internal and external penetration tests against ISC2 applications, networks, cloud environments, and infrastructure.
- Perform vulnerability assessments and validate findings to distinguish genuine risks from false positives.
- Conduct web application, API, mobile, and network vulnerability assessments using industry-standard methodologies (OWASP, PTES, OSSTMM).
- Perform social engineering assessments, including phishing simulations and physical security testing as authorized.
- Produce clear, actionable written reports detailing findings, risk ratings, evidence, and remediation recommendations tailored to both technical and executive audiences.
- Support red team exercises and adversary simulation activities to test detection and response capabilities.
- Own remediation follow-through: translate pen test findings into security engineering work items, validate fixes, and track resolution to closure in Jira Service Management.
- Design and implement security controls across ISC2’s cloud and on-premises environments, including hardening configurations for Azure, Okta, SentinelOne, CheckPoint, and F5 XD.
- Maintain awareness of emerging vulnerabilities, exploits, and threat actor TTPs; operationalize threat intelligence into actionable hardening and detection improvements.
Requirements:
- Proficiency with penetration testing tools including Burp Suite, Metasploit, Nmap, Nessus, Cobalt Strike, and similar offensive frameworks.
- Strong understanding of web application vulnerabilities (OWASP Top 10), network protocols, Active Directory attack paths, and cloud security (Azure, AWS, GCP).
- Effective written and verbal communication with cross-functional teams is essential.
- Scripting and automation proficiency in Python, Bash, or PowerShell; ability to write or modify exploit code as well as defensive tooling.
- Familiarity with MITRE ATT&CK, CVSS, CVE, NIST SP 800-115, and the CIS Benchmarks for secure configuration baselines.
- Possess AI literacy and the ability to test AI workloads and infrastructure.
- Relevant certifications strongly preferred: OSCP, GPEN or GWAPT, plus one engineering/architecture credential (CISSP, CSSLP, or equivalent).
- ISC2 membership or certifications (CISSP, CC) are a plus and demonstrate alignment with ISC2’s mission.
Benefits:
- Health insurance
- Paid time off
- Professional development opportunities
first seen 2026-06-27 00:48:01 · last verified 2026-06-27 00:48:01
pentestcareers.com // breach the job market