The Penetration Testing Engineer – Application Security is a mid-level role for a tester who can independently execute penetration tests within a primary domain of expertise.
Engineers are offensive security subject matter experts, conducting full assessments with minimal supervision, contributing to methodology improvements, and acting as a point of contact for clients during engagements.
They are capable of scoping and planning a test in their domain, executing tests, and producing and communicating detailed reports with practical remediation advice.
Mid-level testers act as the technical client focal within engagements, leading technical execution for assigned projects.
Typical experience includes approximately 3–5 years of penetration testing experience, with a track record of completed pen tests and proven competencies.
Domain expertise requires mastery in at least one penetration testing domain, such as Web Application Security, with skills in advanced web vulnerabilities and tools like Burp Suite.
Technical skills include strong practical skills and tool usage, familiarity with various pen testing tools and techniques, and understanding manual testing techniques.
Soft skills involve solid communication and consulting skills, the ability to write thorough technical reports, and improved time management and project coordination skills.
Optional certifications may include OSCP, GWAPT, GPEN, OSWE, which reinforce domain expertise.
Requirements:
Candidates must have 3+ years of hands-on experience in web application penetration testing, with a strong understanding of the OWASP WSTG methodology.
They should apply structured testing techniques to assess authentication, session management, access control, input validation, error handling, and business logic.
Proficiency in using tools like Burp Suite Pro, OWASP ZAP, Postman, and custom scripts to execute and document each step of the WSTG is required.
Candidates must demonstrate proficiency in manual testing and exploit development, including crafted payloads for various vulnerabilities.
Understanding and testing authentication mechanisms, including OAuth, SAML, MFA implementations, and JWT, is essential.
They should perform access control testing across roles and privilege boundaries, identifying privilege escalation opportunities.
Validation of input validation and output encoding to uncover various flaws is necessary.
Candidates must assess session management implementations for potential issues.
Experience in client-side testing using browser dev tools and proxy-based inspection is required.
Understanding API-specific attack surfaces and testing them using dynamic and manual methods is necessary.
Comfort with code-assisted testing (grey-box) when source is available is expected.
Scripting skills in Python, Bash, or JavaScript to automate tasks are required.
Candidates should be able to test across various environments and maintain a methodical process following the OWASP WSTG.
Benefits:
Evolve Security offers a progressive, startup-like culture in a high-growth segment with minimal bureaucracy and rapid impact.
Employees engage in a fast-paced and challenging environment with opportunities to grow their talents.
Immersive cybersecurity and technical training is provided through Evolve Security Academy.
Competitive compensation, healthcare, 401(k) match, and flexible paid time off are included.
The position allows for hybrid/remote work with annual vacation reimbursement and parental leave.
Employees benefit from engaged leadership within the company.