Senior AI Penetration Tester (Chicago)

Fitch Group
Chicago, IL
Hybrid

About The Position

Fitch Group is seeking a Senior AI Penetration Tester to join their Information Security department. This role involves conducting security assessments of AI systems, including chatbots and enterprise deployments of AI models, to identify risks like prompt injection and data exfiltration. The position requires executing continuous adversarial testing of AI platforms, planning and executing penetration tests on network infrastructure and web applications, and leveraging AI agents and automation to enhance testing capabilities. The candidate will also be responsible for documenting and communicating assessment outcomes, staying current with AI security threats, and supporting red team exercises. Fitch Group is a global financial information services provider with a culture of credibility, independence, and transparency, recognized as a Best Place to Work in Technology.

Requirements

  • 2–4 years of hands-on penetration testing experience, with demonstrated expertise across emerging AI security, network, and application domains.
  • Strong scripting and exploit development skills.
  • Comfort working with AI-powered tools.
  • Ability to communicate complex technical findings clearly and effectively.
  • Hands-on AI red-teaming experience covering prompt injection (direct and indirect), jailbreaking, tool-use abuse, insecure output handling, training/context data exfiltration, and model DoS; familiarity with OWASP Top 10 for LLMs and MITRE ATLAS expected.
  • Hands-on penetration testing experience across network infrastructure (servers, endpoints, network devices, Active Directory), web applications (OWASP Top 10, API security, manual and automated testing), and AI/LLM-based systems — with a solid grounding in TCP/IP, DNS, HTTP/S, VPNs, and firewalls.
  • Strong scripting proficiency in Python, Bash, or PowerShell — able to write custom exploit scripts, develop attack tooling from scratch, and adapt public PoCs — with working knowledge of Metasploit, Burp Suite (including Burp AI extensions), Nmap, Nessus/OpenVAS, BloodHound, Cobalt Strike, and other similar tools.
  • Experience using AI tools (such as Claude, ChatGPT, or similar) for penetration testing activities including reconnaissance, vulnerability analysis, payload crafting, and exploit development.
  • Ability to produce clear, well-structured assessment reports that translate findings, risk ratings, and remediation guidance into actionable insights for both technical teams and senior stakeholders.

Nice To Haves

  • Experience assessing AI systems and LLM-based applications in enterprise deployments (Claude, ChatGPT, Azure OpenAI Studio, or similar), identifying risks including prompt injection, insecure tool use, MCP server misconfigurations, and risks across agentic orchestration workflows.
  • Experience testing AI systems in regulated or data-sensitive environments where material non-public information (MNPI), confidential client data, or similar controlled data classes are in scope.
  • Experience with AI agent monitoring/observability platforms and strong working knowledge of the MITRE ATT&CK framework, including staying current with newly published TTPs and actively applying them during engagements to simulate real-world adversary behavior.
  • Experience with cloud penetration testing across AWS, Azure, or GCP environments, and/or exposure to container and Kubernetes security assessments.
  • Knowledge of secure coding practices and ability to perform basic code review to support application security engagements; familiarity with compliance frameworks such as PCI DSS, DORA, and ISO 27001.
  • Certifications such as OSCP, CEH, GPEN, GWAPT; a degree in Computer Science, Cybersecurity, Information Systems, or equivalent practical experience; and/or participation in bug bounty programs or CTF competitions.

Responsibilities

  • Conduct security assessments of AI systems and implementations — including AI chatbots, MCP (Model Context Protocol) servers, and enterprise deployments of Claude, ChatGPT, and Azure OpenAI Studio — identifying risks such as prompt injection, model abuse, and data exfiltration.
  • Execute continuous adversarial testing of AI platforms and guardrails to validate controls keep pace with evolving vendor capabilities.
  • Plan, scope, and execute penetration testing engagements across network infrastructure (servers, firewalls, endpoints, Active Directory) and perform comprehensive web application security assessments covering OWASP Top 10 vulnerabilities, business logic flaws, authentication weaknesses, and API security issues — following OWASP, MITRE ATT&CK, and other methodologies.
  • Leverage AI agents and AI-assisted tooling (such as Claude and ChatGPT) to augment testing workflows and automate reconnaissance, while developing and maintaining custom scripts and exploit code for attack chain automation, payload generation, and post-exploitation tasks.
  • Document and communicate assessment outcomes — including findings, risk context, and remediation guidance — clearly for both technical teams and senior stakeholders; collaborate with Vulnerability Management, Application, and Infrastructure teams to ensure findings are handed off with clear remediation ownership.
  • Stay current with the latest offensive security research, CVEs, exploitation techniques, and AI security threats; support red team exercises and threat simulation activities; and maintain detailed records of testing activities, methodologies, and evidence per internal documentation standards.

Benefits

  • Hybrid Work Environment: 2 to 3 days a week in office required based on your line of business and location
  • Dedicated trainings, leadership development and mentorship programs
  • Retirement planning, financial wellness and tuition reimbursement programs
  • Comprehensive healthcare offerings
  • Family-first policies, including a generous global parental leave plan
  • Paid volunteer days and support for community engagement initiatives