• Work with different product and IT infrastructure teams to comprehend the business and develop the knowledge required to perform job duties and responsibilities.
• Document and formally report testing initiatives, along with remediation recommendations and validation.
• Conduct tactical assessments that require expertise in social engineering, application security (web and mobile), physical methods, lateral movement, threat analysis, internal and external network architecture, and a wide array of commercial and bring-your-own (BYO) products.
• Conduct discovery and vulnerability assessment of enterprise-wide assets.
• Manage vulnerabilities across applications, endpoints, databases, networking devices, and mobile, cloud and third-party assets.
• Develop and maintain tools and scripts used in penetration-testing, vulnerability management, and red team processes.
• Communicate vulnerability results in a manner understood by technical and non-technical business units based on risk tolerance and threat to the business, and gain support through influential messaging.
• Work closely with the security operations center (SOC) to leverage intelligence sources, identify new threats in the wild and verify the organization's security posture against them.
• Liaise with the security engineering team to improve tool usage and workflow, as well as with the advanced threats and assessment team to mature monitoring and response capabilities.
• Regularly research and learn new TTPs using a variety of sources, and work with teammates to assess risk and implement and validate controls as necessary.
• Arrange and provide support to business units launching new technology applications and services to verify that new products/offerings are not at risk of compromise or information leakage.
• Occasionally attend and participate in change management policy discussions and meetings.
• Understand breach and attack simulation solutions and work with the team to validate controls effectiveness.
• Maintain and track third-party assets, their vulnerability state, remediation recommendations, overall security posture and potential threat to the business.
• Perform other duties as assigned.

• At least 5-7+ years' experience in information security administration, offensive tactics, monitoring and IR.
• Proficient in scripting languages such as Python, PowerShell, Bash and Ruby.
• Competent with testing frameworks and tools such as Burp Suite, Metasploit, Cobalt Strike, Kali Linux, Nessus, PowerShell Empire and AutoSploit.
• Experience conducting penetration-testing/red team engagements as a consultant or within a previous role in a professional organization.
• Strong operating system knowledge across *nix, Windows, and Mac; proficient with networking protocols.
• Familiarity with defensive and monitoring technologies such intrusion prevention/detection systems (IPS/IDS), security information and event management systems (SIEMs), firewalls, endpoint protection (EPP) and endpoint detection/response (EDR) tools, as well as user and entity behavior analytics (UEBA).
• Understanding of OWASP, the MITRE Telecommunication&CK framework and the software development lifecycle (SDLC).

Experience:

• Bachelor's degree in computer science (preferred), information assurance, MIS or related field, or equivalent.
• 5-8 years of related experience required.
• Proven trustworthiness and history of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating well.
• Self-starter requiring minimal supervision.
• Excellence in communicating business risk and remediation requirements from assessments.
• Analytical and problem-solving mindset.
• Highly organized and efficient.
• About certifications, preferably, one or more of the following: OSCP, OSCE, GPEN, GWAPT, CISSP.