Senior Application Security Analyst (Pentester)

NowSecure

3d•Remote

About The Position

Join Our Mission: To Save the World from Unsafe Mobile Apps! NowSecure is the mobile app security software company trusted by the world’s most demanding organizations and most advanced security teams. As the standards-based mobile app risk management company, NowSecure protects the Mobile App Economy. The world’s most demanding organizations, innovative mobile developers and advanced security, privacy, safety and compliance teams entrust NowSecure to safeguard millions of mobile app users across banking, insurance, high tech, IoT, retail, hospitality, energy and government sectors. Only NowSecure delivers continuous security and compliance with the depth, speed, accuracy, and efficiency to meet modern business demands. Dedicated to the open-source community and standards including OWASP,and NIAP, NowSecure is SOC 2 certified and recognized by IDC, Deloitte, Gartner and TAG Cyber.www.nowsecure.com YOUR OPPORTUNITY We’re looking for a Senior Application Security Analyst — a hands-on pentester who thrives on technical challenges, thinks creatively under pressure, and has an insatiable curiosity for how things work (and how they break). If you’re the kind of person who spins up a quick Python script to automate a test, roots a phone just to see what’s inside, or finds joy in reverse engineering an app at 2 AM — you’ll fit right in. In this role, you’ll hunt vulnerabilities, dissect mobile apps and APIs, and collaborate with a team of world-class testers who live and breathe offensive security. You’ll also help evolve our methodologies, develop new tooling, and contribute to NowSecure’s cutting-edge research across mobile, web, and connected systems. WHAT YOU’LL DO Perform hands-on penetration testing of mobile apps (iOS/Android), APIs, web apps and connected ecosystems (IoT, automotive, medical, wearable). Conduct vulnerability assessments and reverse engineering using tools like Burp Suite, Frida, mitmproxy, Ghidra, Radare2, IDA, or custom scripts. Create clear, actionable technical reports that communicate findings and remediation guidance to both developers and security teams. Act as a trusted advisor to customers, helping them make informed, risk-based decisions about their mobile and app security posture Build or adapt custom scripts, fuzzers, or automation tools to make testing faster, smarter, and more reliable. Collaborate with teammates to refine methodologies, share research, and continuously push the boundaries of mobile and web security testing. Tackle complex problems with creativity; when something doesn’t work, figure out another way. “Scrappy” is a skill set here, not a slogan. WHO YOU ARE You’re a technical problem-solver who thrives on exploration and experimentation. You’re comfortable diving into unfamiliar codebases, debugging network traffic, and learning new tools on the fly. You’re not a button pusher; you’re the kind of tester who asks why something works (or doesn’t) and can pivot quickly when the usual tools fall short. You can translate technical detail into clear communication and enjoy mentoring or collaborating with others. You take ownership, seek out challenges, and are never satisfied with “good enough.”

Requirements

Bachelor’s degree in a technical field or 6–8 years of equivalent security experience.
2+ years of experience in penetration testing or vulnerability assessment of mobile, web, or IoT apps/devices.
Deep understanding of OWASP MASVS / MASTG and app security fundamentals.
Strong experience with intercepting and analyzing traffic using tools like Burp Suite, mitmproxy, ZAP, Charles, or Fiddler.
Proficiency in mobile device rooting/jailbreaking and familiarity with iOS and Android internals, or equivalent hands-on experience in web application penetration testing or firmware reverse engineering.
Strong scripting or development experience (e.g., Python, Java, JavaScript, Ruby, or PowerShell).
Solid grasp of network and web fundamentals — TCP/UDP, HTTP requests, headers, cookies, APIs, and authentication flows.
Excellent technical writing and documentation skills.
Comfort working with Linux, Windows, and macOS environments.
A self-starter mindset - able to work independently, manage multiple projects, and find creative solutions to tough problems.
A demonstrated drive to learn, experiment, and stay on the cutting edge of mobile and appsec trends.

Nice To Haves

Familiarity with DAST/SAST tools, mobile instrumentation (e.g., Frida), and dynamic analysis.
Professional services or consulting experience.
Prior security research or exploit development experience.
Knowledge of system/network security, authentication, and applied cryptography.
Familiarity with Frida, Binary Ninja, Radare2, or IDA Pro.
Experience testing in AWS, Azure, or GCP environments.
Contributions to open-source security projects or published research.
Past public speaking experience (conferences, podcasts, etc)
One or more active certifications such as: Infosec Certified Mobile and Web Application Penetration Tester (CMWAPT) Offensive Security Web Expert (OSWE) Offensive Security Certified Professional (OSCP) GIAC Certified Penetration Tester (GPEN) GIAC Certified Web Application Defender (GWEB) GIAC Web Application Penetration Tester (GWAPT) INE Web Application Penetration Tester eXtreme (eWPTX) GIAC Mobile Device Security Analyst (GMOB) 8kSec Certified Mobile Security Engineer (CMSE) INE Mobile Application Penetration Tester (eMAPT) TCM-SEC Mobile Application Penetration Testing
Experience with LTE / GSM protocols or 5G network analysis.
Prior experience using NowSecure tools.
Master’s degree in Computer Science, Cybersecurity, or related field.

Responsibilities

Perform hands-on penetration testing of mobile apps (iOS/Android), APIs, web apps and connected ecosystems (IoT, automotive, medical, wearable).
Conduct vulnerability assessments and reverse engineering using tools like Burp Suite, Frida, mitmproxy, Ghidra, Radare2, IDA, or custom scripts.
Create clear, actionable technical reports that communicate findings and remediation guidance to both developers and security teams.
Act as a trusted advisor to customers, helping them make informed, risk-based decisions about their mobile and app security posture
Build or adapt custom scripts, fuzzers, or automation tools to make testing faster, smarter, and more reliable.
Collaborate with teammates to refine methodologies, share research, and continuously push the boundaries of mobile and web security testing.
Tackle complex problems with creativity; when something doesn’t work, figure out another way. “Scrappy” is a skill set here, not a slogan.