Penetration Tester (Mobile, API & Application Security)

About The Position

Requirements

• Bachelor’s degree in Engineering or Science, or equivalent work experience.
• Five or more years of experience in information security.
• Two or more years of experience in one or more of the following: IT infrastructure management, Application architecture, Risk management, Data architecture, Middleware technology, IT operations or project management
• Mobile Application Security: 3+ years of hands‑on experience testing Android and/or iOS applications.
• Working knowledge of mobile platform security risks and common weaknesses.
• Familiarity with OWASP MASVS and MASTG.
• Web & API Penetration Testing: Practical understanding of the OWASP Top 10 and OWASP API Security Top 10.
• Experience identifying authentication, authorization, input validation, and business logic vulnerabilities.
• Manual Testing & Tool Usage: Proficiency with Burp Suite (Community or Pro), Postman, or Insomnia.
• Ability to perform manual testing beyond automated scanner output.
• Cloud & Platform Familiarity: Exposure to AWS and/or Azure environments.
• Basic familiarity with cloud‑hosted or containerized application architectures.
• Technical Foundations: Working knowledge of HTTP/S, authentication and authorization (OAuth, JWT), and general networking concepts.
• Experience or familiarity with Python, Bash, or PowerShell scripting is preferred.
• AI & Emerging Technology Security: Familiarity with AI and machine learning security concepts.
• Awareness of common AI‑related risks, including prompt injection, insecure model or API access, and data leakage.
• Understanding of how AI security risks intersect with traditional application and API testing.
• Tooling & Testing Environment: Exposure to tools such as Nmap, Metasploit, and Kali Linux.
• Interest in contributing to light automation or scripting to improve testing efficiency.
• Communication & Documentation: Ability to produce clear, well‑structured written findings and remediation guidance.
• Comfortable discussing security findings with engineers, application owners, and security partners.

Nice To Haves

• Mobile reverse‑engineering fundamentals (e.g., JADX, Frida).
• Source code review familiarity.
• Experience with vulnerability management or tracking tools (e.g., ServiceNow).
• Understanding of secure development and change management concepts.
• Hands‑on experimentation with AI or LLM‑based applications in testing, research, or academic contexts.
• Familiarity with AI security testing, red‑teaming tools, or proof‑of‑concept exercises.
• Understanding of ethical and responsible AI security testing principles.
• GMOB, GWAPT, OSCP, GPEN, or equivalent practical security certifications.

Responsibilities

• Perform penetration testing of mobile (Android and iOS), API, and web applications using manual and tool‑assisted techniques.
• Identify security vulnerabilities and, where appropriate, demonstrate impact through controlled exploitation.
• Document findings clearly, including risk ratings and remediation recommendations, for technical and non‑technical stakeholders.
• Apply established testing methodologies, standards, and playbooks while continuing to build practical exploitation skills.
• Research and apply knowledge of emerging threats, tools, and techniques, including AI and application security risks, during assessments where applicable.
• Participate in security assessments of AI‑enabled applications and services, including systems incorporating machine learning models, APIs, or large language models (LLMs).
• Contribute to team initiatives such as process improvements, internal documentation, tool usage, and knowledge sharing.
• Collaborate with peers and stakeholders during engagements and remediation discussions.

Benefits

• Healthcare (medical, dental, vision)
• Basic term and optional term life insurance
• Short-term and long-term disability
• Pregnancy disability and parental leave
• 401(k) and employer-funded retirement plan
• Paid vacation (from two to five weeks depending on salary grade and tenure)
• Up to 11 paid holiday opportunities
• Adoption assistance
• Sick and Safe Leave accruals of one hour for every 30 worked, up to 80 hours per calendar year unless otherwise provided by law