Job Closed
This listing is no longer active.
Technology enabled cybersecurity services company focused on Pentesting-as-a-Service (PTaaS).
Penetration Testing Engineer – Application Security
Location
United States
Posted
143 days ago
Salary
0
Seniority
Senior
Job Description
Penetration Testing Engineer – Application Security
Evolve Security
• The Penetration Testing Engineer – Application Security is a mid-level role for a tester who has grown beyond the basics and can independently execute penetration tests within a primary domain of expertise. • Engineers are offensive security subject matter experts – conducting full assessments with minimal supervision, contributing to methodology improvements, and acting as a point of contact for clients during engagements. • By this stage, they are capable of scoping and planning a test in their domain, executing tests, and producing and communicating detailed reports with practical remediation advice. • Mid-level testers act as the technical client focal within engagements, leading technical execution for assigned projects.
Job Requirements
- Typical Experience:** ~3–5 years of penetration testing experience, during which they have performed numerous assessments. At this point, they have a track record of completed pen tests and proven competencies.
- Domain Expertise:** Mastery in at least one penetration testing domain. For example, an engineer might be an expert in Web Application Security – adept with advanced web vulnerabilities (beyond OWASP Top 10, including logic flaws, deserialization, etc.), skilled in using Burp Suite for complex testing, and possibly familiar with secure code review.
- Technical Skills:** Strong practical skills and tool usage. Mid-level testers are comfortable with a variety of pen testing tools and techniques. This includes network scanners (Nmap, Nessus), exploitation frameworks (Metasploit, Cobalt Strike), web testing suites (Burp Suite, OWASP ZAP), and scripting/programming to automate tasks or develop custom exploits (common languages include Python, PowerShell, or Bash). Understanding manual testing techniques – for example, crafting customized payloads, bypassing filters, or chaining vulnerabilities. An engineer at this level is often responsible for ensuring the accuracy of findings (minimal false positives) and may contribute new findings to the team’s knowledge base.
- Soft Skills:** Solid communication and consulting skills. By now, the engineer can write thorough technical reports that require only light review, translating technical findings into clear, actionable recommendations. They are also responsive and growing in client-facing abilities, able to lead client briefing calls, deliver vulnerability walkthroughs, and handle questions from stakeholders. Their time management and project coordination skills have improved, enabling them to handle multiple projects or deadlines.
- Certifications (Optional):** Many mid-levels pen testers obtain well-regarded certifications as a by-product of developing their skills. Examples include OSCP, GWAPT (Web Application Testing), GPEN (Network Penetration), OSWE (Web Exploit Developer), etc. These certifications reinforce their domain expertise, but hands-on experience and successful engagements remain the primary proof of competency.
- Expertise that aligns to our approach: **
- Bring 3+ years of hands-on experience in web application penetration testing, with a strong understanding of the OWASP WSTG methodology.
- Apply structured testing techniques to assess authentication, session management, access control, input validation, error handling, and business logic.
- Use tools like Burp Suite Pro, OWASP ZAP, Postman, and custom scripts to execute and document each step of the WSTG.
- Demonstrate proficiency in manual testing and exploit development, including crafted payloads for XSS, SQLi, SSRF, IDOR, CSRF, and more.
- Understand and test authentication mechanisms, including OAuth, SAML, MFA implementations, and JWT.
- Perform access control testing across roles and privilege boundaries (WSTG-ATHZ), identifying vertical and horizontal privilege escalation opportunities.
- Validate input validation and output encoding to uncover XSS, command injection, and template injection flaws.
- Assess session management implementations for issues like weak session ID entropy, insecure cookie flags, or token replay (WSTG-SESS).
- Execute client-side testing using browser dev tools and proxy-based inspection, evaluating DOM-based vulnerabilities and insecure local storage (WSTG-CLNT).
- Understand API-specific attack surfaces, including REST and GraphQL, and test them using a combination of dynamic and manual methods.
- Be comfortable with code-assisted testing (grey-box) when source is available, identifying logic flaws and insecure configurations.
- Leverage scripting skills (Python, Bash, or JavaScript) to automate recon, fuzzing, or proof-of-concept exploit delivery.
- Test across various environments (cloud-hosted, containerized, monolithic) and understand platform-specific nuances.
- Maintain a deep curiosity and adherence to a methodical process, following the OWASP WSTG as a foundational guide.
- Communicate findings clearly, with a strong emphasis on business impact, reproducibility, and strategic remediation.
Benefits
- About Evolve Security **
- Evolve Security is a next generation cybersecurity services firm headquartered in Chicago, IL powered by the Darwin Attack® Platform. We are dedicated to improving our client’s security posture by providing Attack Surface Management (ASM), Vulnerability Management as a Service (VMaaS), Continuous Penetration Testing (CPT) and cyber advisory.
- In addition to our professional cybersecurity service offerings, Evolve Security offers a cybersecurity bootcamp, “Evolve Academy”, currently ranked the #1 cybersecurity bootcamp in the world. The Cybersecurity Bootcamp in Chicago provides immersive training, giving students the concrete and practical skills, needed on the job. Students gain real work experience through live security assessment work that they perform on not-for-profit companies.
- We are passionate about directly improving our customers’ security posture, and we proudly train others to help meet the need for qualified cybersecurity talent.
- Why Join Evolve Security? **
- Progressive, startup-like culture in a high-growth segment—minimal bureaucracy, rapid impact.
- Engage in a fast-paced and challenging environment with opportunity to grow your talents.
- Immersive cybersecurity and technical training through Evolve Security Academy.
- Competitive compensation, healthcare, 401(k) match, and flexible paid time off.
- Hybrid/remote work with annual vacation reimbursement and parental leave.
- Engaged leadership.
Related Guides
Related Categories
Related Job Pages
More QA Engineer Jobs
• Design and execute quality strategies for AI features end-to-end • Build and maintain automation using Playwright/Selenium • Develop Python/TypeScript-based tools for data, model, and API validation
QA Engineer
BlockstreamBlockstream works to pioneer infrastructure advancements for blockchain technology, with a goal to accelerate and support innovation in financial technology. Th
• Develop and execute: test plans, test cases, and test scripts for blockchain-based applications and APIs. • Design, implement, and maintain automated testing frameworks for functional, performance, and security testing. • Conduct manual and automate testing of transactions, wallets, payment systems, and decentralized applications. • Identity, document, and track defects using bug-tracking tools (e.g. Jira, GitHub). • Collaborate with developers to conduct feature reviews and ensure testability of new features. • Perform security testing to detect vulnerabilities in products. • Work closely with DevOps to integrate testing into CI/CD pipelines, and optimize test execution in cloud-based environments. • Conduct regression testing and maintain a robust suite of automated tests to prevent system failures. • Research and implement test practices for blockchain and fintech QA methodologies.
Senior Quality Engineer
Caribou FinancialCaribou Financial is dedicated to empowering drivers to take control of their auto finances, save money, and achieve greater financial flexibility by simplifyin
• Guide framework decisions: Choose and standardize testing tools (RSpec over Minitest, Jest over Mocha) and lead architectural adoption across the platform • Build enablement infrastructure: Design factory patterns, data seeds, and service stubs enabling sophisticated testing in inner development loops without full integration • Define quality standards together: Establish coverage thresholds, test suite structures for product types, and boundary metrics giving teams clear targets • Optimize delivery pipelines: Integrate quality gates into CI/CD, balance performance and reliability, and analyze data to eliminate shipping bottlenecks • Mentor and share best practices: Collaborate with teams on avoiding flaky tests, designing testable code, and building robust automated coverage • Enable data-informed improvements: Analyze quality metrics (flaky tests, incidents, DORA) to identify systemic issues and facilitate process improvements
Data QA Engineer
DreamixBespoke software development company that provides custom end-to-end product development following the highest standards
• Validate end-to-end data pipelines from source systems to data marts. • Test batch data loads. • Validate transformations, aggregations, and derived metrics. • Ensure data completeness, accuracy, and consistency across layers. • Understanding of data governance, privacy, and PII handling • Write complex SQL queries to validate fact and dimension tables in Redshift. • Validate data models (fact/dimension, keys, relationships) • Perform reconciliation between raw, curated, and reporting layers. • Validate business KPIs and metrics against source systems and definitions. • Validate data ingestion in S3 (file counts, schema, partitions, formats) • Review Glue job and Lambda execution logs to troubleshoot data issues. • Monitor pipeline health, failures, and data refresh SLAs.
