HHS - Penetration Tester

cFocus Software Incorporated•Rockville, MD

2d•Remote

About The Position

cFocus Software seeks a Penetration Tester to join our program supporting the Department of Health and Human Services (HHS) This position is remote. This position requires the ability a Public Trust clearance. Qualifications: Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or related field. Minimum 5–8 years of experience performing penetration testing or offensive security assessments. Hands-on experience testing enterprise networks, applications, and cloud environments. Strong knowledge of attack techniques, exploitation frameworks, and post-exploitation methods. Experience with federal environments and vulnerability management programs preferred. Strong understanding of NIST SP 800-53, NIST SP 800-30, and vulnerability management processes. Excellent analytical, documentation, and communication skills. OSCP, GPEN, CEH, or GXPN preferred. Duties: Plan, execute, and document penetration tests against networks, systems, web applications, APIs, databases, and cloud environments. Conduct internal, external, authenticated, unauthenticated, and adversary-simulation testing activities. Perform exploitation, post-exploitation, and privilege escalation to demonstrate real-world risk. Validate vulnerability scan findings and identify false positives and chained attack paths. Conduct application penetration testing aligned with OWASP Top 10 and NIST guidance. Support red team and purple team exercises in coordination with SOC and Incident Response teams. Analyze attacker techniques using MITRE ATT&CK and document TTPs and attack paths. Develop detailed penetration test reports including executive summaries, risk ratings, and remediation guidance. Provide technical remediation guidance to system owners, engineers, developers, and ISSOs. Validate remediation effectiveness through retesting and evidence review. Support compliance testing requirements related to FISMA, RMF, and continuous monitoring. Maintain strict rules of engagement, authorization documentation, and testing approvals. Ensure testing activities comply with HHS, HRSA, and federal legal and ethical requirements.

Requirements

Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or related field.
Minimum 5–8 years of experience performing penetration testing or offensive security assessments.
Hands-on experience testing enterprise networks, applications, and cloud environments.
Strong knowledge of attack techniques, exploitation frameworks, and post-exploitation methods.
Strong understanding of NIST SP 800-53, NIST SP 800-30, and vulnerability management processes.
Excellent analytical, documentation, and communication skills.

Nice To Haves

Experience with federal environments and vulnerability management programs preferred.
OSCP, GPEN, CEH, or GXPN preferred.

Responsibilities

Plan, execute, and document penetration tests against networks, systems, web applications, APIs, databases, and cloud environments.
Conduct internal, external, authenticated, unauthenticated, and adversary-simulation testing activities.
Perform exploitation, post-exploitation, and privilege escalation to demonstrate real-world risk.
Validate vulnerability scan findings and identify false positives and chained attack paths.
Conduct application penetration testing aligned with OWASP Top 10 and NIST guidance.
Support red team and purple team exercises in coordination with SOC and Incident Response teams.
Analyze attacker techniques using MITRE ATT&CK and document TTPs and attack paths.
Develop detailed penetration test reports including executive summaries, risk ratings, and remediation guidance.
Provide technical remediation guidance to system owners, engineers, developers, and ISSOs.
Validate remediation effectiveness through retesting and evidence review.
Support compliance testing requirements related to FISMA, RMF, and continuous monitoring.
Maintain strict rules of engagement, authorization documentation, and testing approvals.
Ensure testing activities comply with HHS, HRSA, and federal legal and ethical requirements.