Penetration Tester - Offensive Security

Malleum
Ottawa, ON
Hybrid

About The Position

Malleum is seeking a Penetration Tester to join their Offensive Security & Adversary Simulation team. This role involves conducting hands-on offensive security engagements across client networks, applications, cloud environments, and operational technology. The consultant will emulate real-world adversaries, document findings, and collaborate with clients on remediation. This is a consulting position requiring strong technical skills, client presence, and the ability to deliver findings clearly and safely.

Requirements

  • 4+ years of professional penetration testing or red team experience, ideally in a consulting, MSSP, or in-house offensive security team
  • Demonstrated success working directly with clients - strong communication, professionalism, and stakeholder management skills
  • Deep working knowledge of network, web application, and Active Directory attack paths (Kerberoasting, AS-REP roasting, NTLM relay, ADCS abuse, BloodHound-driven pathing)
  • Hands-on proficiency with offensive tooling: Burp Suite Pro, Nmap, Nessus / Nuclei, Metasploit, Cobalt Strike, Sliver, Mythic, Impacket, BloodHound, CrackMapExec / NetExec, Responder, Mimikatz, and modern C2 frameworks
  • Strong scripting skills in Python, PowerShell, and Bash; comfort reading and modifying C#, Go, or Rust tooling
  • Experience evading or bypassing EDR (Defender, CrowdStrike, SentinelOne), AMSI, and modern Windows defenses
  • Familiarity with cloud attack paths in Azure / Entra ID (Pass-the-PRT, illicit consent grants, managed identity abuse) and AWS (IAM privilege escalation, metadata service abuse)
  • Solid grasp of ZTNA and identity-aware perimeters (e.g., Cloudflare Access, Zscaler, Entra Conditional Access) and how they reshape attacker tradecraft
  • Comfort emulating adversary TTPs mapped to MITRE ATT&CK and known threat-actor playbooks
  • Familiarity with testing standards: PTES, OWASP WSTG / MASTG / ASVS, NIST SP 800-115, OSSTMM
  • Awareness of compliance contexts that frame client expectations: PCI DSS, SOC 2, NIST 800-171 / CMMC, CPCSC, ITSG-33, ISO 27001:2022
  • Demonstrated ability to perform under pressure - calm, methodical, and ethical when engagements surface sensitive findings
  • Willingness and availability to work odd hours and extended shifts when supporting time-boxed red team windows, after-hours testing, or rapid-response offensive support during active IR matters
  • Comfort working across multiple client environments, tooling stacks, and rules-of-engagement simultaneously
  • Eligibility for Government of Canada security clearance (Secret or higher); existing clearance highly valued; or controlled-goods registration considered an asset

Nice To Haves

  • Certifications such as OSCP, OSEP, OSWE, OSCE3, CRTO, CRTL, GPEN, GXPN, GWAPT, GMOB, GCSA / GPCS / GCLD (cloud), AWS Certified Security – Specialty, Microsoft SC-100 / AZ-500 strongly preferred; OSCP or equivalent practical certification (e.g., CRTO, HTB CPTS, PNPT) is a baseline expectation
  • Bilingualism (English/French) considered a strong asset

Responsibilities

  • Plan, scope, and execute penetration tests across external, internal, web application, API, mobile, cloud (Azure / AWS / GCP), wireless, and Active Directory targets
  • Conduct red team and adversary emulation engagements aligned to MITRE ATT&CK, executing realistic TTPs against client environments
  • Perform assumed-breach assessments, internal pivoting, privilege escalation, and lateral movement exercises
  • Support purple team exercises in partnership with client SOC and Malleum's IR practice to improve detection and response
  • Execute social engineering campaigns (phishing, vishing, physical) where contracted, with rigorous rules of engagement
  • Conduct cloud configuration reviews against CIS Benchmarks, CSA CCM, and provider-specific baselines
  • Support OT / ICS / SCADA security testing for defense and critical-infrastructure clients (with appropriate safety controls)
  • Develop custom tooling, scripts, and payloads (PowerShell, Python, C#, Go) to evade modern EDR and ZTNA controls during sanctioned engagements
  • Produce high-quality client deliverables: executive summaries, technical findings, reproduction steps, evidence, CVSS-scored risk ratings, and pragmatic remediation guidance
  • Deliver findings briefings to client stakeholders, from engineers to executive leadership and boards, with clarity and professionalism
  • Contribute to scoping, estimation, statements of work, and continuous improvement of Malleum's offensive security service offerings
  • Maintain meticulous engagement hygiene: rules of engagement, scope control, evidence handling, and safe-listing coordination
  • Participate in research, internal tooling development, CTFs, and conference contributions to grow Malleum's offensive capability and brand

Benefits

  • Competitive compensation
  • Performance incentives
  • Comprehensive benefits
  • Dedicated research time
  • Lab budget
  • Support for conference talks, CVE research, and open-source contributions
  • Continuous learning budget
  • Certification sponsorship (OSCP, OSEP, OSWE, CRTL, SANS)
  • Clear paths into senior red team, exploit development, or offensive research specializations