Evolve Security is hiring a Penetration Testing Engineer – Application Security. In this mid-level role, you will be an offensive security subject matter expert who can independently execute penetration tests within your primary domain of expertise. You'll conduct full assessments with minimal supervision, contribute to methodology improvements, and serve as a key technical contact for clients.
What You'll Do
- Independently execute penetration tests within your primary domain of expertise.
- Scope, plan, and lead the technical execution for assigned projects.
- Produce detailed technical reports with practical remediation advice, requiring only light review.
- Translate technical findings into clear, actionable recommendations for clients.
- Lead client briefing calls, deliver vulnerability walkthroughs, and handle stakeholder questions.
- Contribute new findings to the team’s knowledge base and to methodology improvements.
- Ensure the accuracy of findings with minimal false positives.
- Handle multiple projects or deadlines with effective time management and coordination.
What We're Looking For
- 3–5 years of penetration testing experience with a track record of completed pen tests.
- 3+ years of hands-on experience in web application penetration testing.
- Mastery in at least one penetration testing domain, with a strong understanding of the OWASP WSTG methodology.
- Ability to apply structured testing techniques to assess authentication, session management, access control, input validation, error handling, and business logic.
- Proficiency in manual testing and exploit development, including crafted payloads for XSS, SQLi, SSRF, IDOR, and CSRF.
- Ability to perform access control testing across roles and privilege boundaries.
- Ability to assess input validation and output encoding to uncover flaws.
- Ability to assess session management implementations for security issues.
- Ability to execute client-side testing using browser dev tools and proxy-based inspection.
- Understanding of API-specific attack surfaces, including REST and GraphQL, and the ability to test them.
- Comfort with code-assisted testing (grey-box) when source is available.
- Ability to leverage scripting skills to automate tasks like recon, fuzzing, or proof-of-concept exploit delivery.
- Ability to test across various environments (cloud-hosted, containerized, monolithic) and understand platform-specific nuances.
- Strong practical skills and comfort with a variety of pen testing tools and techniques.
- Solid communication and consulting skills, with the ability to communicate findings clearly, emphasizing business impact and strategic remediation.
- Deep curiosity and adherence to a methodical process.
Nice to Have
- Relevant certifications such as OSCP, GWAPT, GPEN, or OSWE.
Technical Stack
- Tools: Burp Suite, OWASP ZAP, Postman, Nmap, Nessus, Metasploit, Cobalt Strike
- Scripting: Python, PowerShell, Bash, JavaScript
Benefits & Compensation
- Competitive compensation
- Healthcare coverage
- 401(k) match
- Flexible paid time off
- Hybrid/remote work options
- Annual vacation reimbursement
- Parental leave
- Immersive cybersecurity and technical training through Evolve Security Academy
Work Mode
This role offers a hybrid work model.
Evolve Security is an equal opportunity employer.