Security Consultant - Penetration Testing

StrataScale, Charlotte, NC
Posted 22d ago · $110,000 - $145,000

About The Position

The Security Consultant – Penetration Testing is a critical role within Stratascale’s Adversarial Operations team. The consultant will assist in leading and supporting the development and delivery of a diverse range of continuous threat and exposure management consulting, penetration testing, and operational service programs for a portfolio of our clients.

Requirements

  • Expertise in planning, executing, and leading penetration tests across networks, web and mobile applications, APIs, wireless, and cloud environments, including scoping, rules of engagement, and debriefs. - Intermediate
  • Proficiency with offensive security methodologies and frameworks such as PTES, OWASP (WSTG/MASVS/ASVS), MITRE ATT&CK, and threat modeling to drive risk-based testing. - Intermediate
  • Deep hands-on experience with common offensive tooling and techniques, including reconnaissance, enumeration, exploitation, post-exploitation, lateral movement, and data exfiltration, along with strong operational security practices. - Intermediate
  • Ability to assess and attack cloud services (AWS, Azure, GCP) including IAM misconfigurations, storage, serverless, container/orchestration, and cloud networking, and communicate cloud-specific remediation guidance. - Intermediate
  • Strong web application testing skills including auth flows, access control, injection, deserialization, SSRF, XXE, business logic abuse, and modern app architectures (SPAs, microservices, GraphQL, WebSockets). - Intermediate
  • Working knowledge of Active Directory and Azure AD attack paths (Kerberoasting, constrained/unconstrained delegation, ACL abuses, LAPS/MAPS, certificate services), and the ability to simulate realistic enterprise attack chains. - Intermediate
  • Proficiency with social engineering and phishing engagements, including payload development, infrastructure setup, pretexting, and measurement aligned to customer policies and legal constraints. - Intermediate
  • Competence in scripting and automation to accelerate testing and proof-of-concept development using Python, PowerShell, Bash, and basic Go or JavaScript as needed. - Intermediate
  • Ability to develop clear exploit proofs-of-concept, reproduce vulnerabilities reliably, and validate fixes; familiarity with exploit development fundamentals is a plus. - Intermediate
  • Strong reporting and communication skills, including writing executive summaries and technical reports with reproducible steps, risk ratings, and actionable remediation, and presenting findings to both technical and non-technical stakeholders. - Intermediate
  • Experience collaborating in red/purple team exercises, working with blue teams, and translating findings into detection and hardening recommendations (e.g., SIEM detections, EDR tuning, hardening baselines). - Intermediate
  • Familiarity with vulnerability management workflows, responsible disclosure practices, and integration of pen test results into remediation programs and retesting cycles. - Intermediate
  • Proficiency with productivity and documentation tools such as Word, Excel, PowerPoint, and Outlook to efficiently produce statements of work, test plans, and final reports. - Intermediate
  • Completed Bachelor’s Degree in a related field or relevant work experience
  • 3–5 years of hands-on penetration testing/red team experience delivering engagements for mid-to-large enterprises, including leading complex assessments.
  • Ability to travel to SHI, Partner, Customer events, and on-site testing engagements as needed.
  • Demonstrated understanding of legal/ethical considerations, testing authorization, and safe handling of client data.

Nice To Haves

  • Advanced industry certifications preferred (e.g., OSCP, OSEP, OSWE, GXPN, GPEN, CRTO, CRTP, PNPT; CISSP or CSSLP a plus).

Responsibilities

  • Independently perform penetration testing against complex environments, covering external, internal, web application, and other forms of offensive security engagements.
  • Consult and document attack surface, threats, and vulnerability improvements based on team’s overall assessment of client’s environment.
  • Perform full assessment and threat modeling against industry best practices to identify control weaknesses and assess the effectiveness of existing controls.
  • Perform root cause analysis on identified vulnerabilities and attack surface weaknesses to determine technical solutions to be presented to client along with recommendations for remediations.
  • Collaborate with client’s security teams to understand mitigation or resolutions for findings discovered by analysts.
  • Review threat intelligence for threat vectors that align with the client's industry or could potentially impact the client, for use in attack path modeling.
  • Assist in defining, measuring, and quantifying business risk and vulnerability impacts to clients and their stakeholders.
  • Provide subject matter expertise and technical support on remediation, cloud security, governance, compliance, and core infrastructure systems.
  • Assist customers with strategies, use of platforms, technical and compliance analysis, and implementing automation.
  • Execute consulting projects by creating and completing deliverables, ensuring client needs and practice obligations are met.
  • Develop and deliver training content, curricula, and workforce development programs, including in-person and remote sessions.
  • Participate in customer and internal meetings, providing technical guidance and facilitating discussions.
  • Stay educated on new product technologies, industry trends, and emerging capabilities within the practice.
  • Develop and optimize cross practice capabilities, collaborate with peer practice leaders, and mentor other consultants.

Benefits

  • Benefits may include, but are not limited to, medical, vision, dental, 401K, and flexible spending.
© 2024 Teal Labs, Inc