Senior Penetration Tester

Job Description

Agile Defense is currently seeking Penetration Testers to support an Agency-level Cybersecurity program. The position will join the team of testers that currently conduct ongoing enterprise-level penetration testing.  To support this vital mission, AD staff are on the forefront of providing Advanced Cyber Network Defense Operations support to include the development of advanced analytics and countermeasures to protect critical assets from hostile adversaries. To ensure the integrity, security, and resiliency of critical operations, we are seeking candidates with diverse backgrounds in cyber security systems operations, threat analysis, continuous monitoring, vulnerability assessment, and penetration testing.  Candidates must have strong written and verbal communications skills, researching and analysis skills, and attention to detail. The ideal candidate will have a solid understanding of operating system and application vulnerabilities, exploits, technical report writing, and hands-on experience conducting web application penetration testing.

Corporate duties such as solution/proposal will also be required.  The program is currently operating remotely but will be performed onsite in Alexandria, VA when directed to do so by the customer. 

Position is contingent on successfully completing a program-based background investigation.

Job Duties:

• Conduct web application and API database penetration testing efforts.
• Analyze application workflows, API endpoints, authentication mechanisms, and authorization controls to identify security weaknesses and business logic flaws.
• Coordinate with system owners, developers, and security personnel to communicate findings and support remediation efforts.
• Conduct validation testing of potentially remediated vulnerabilities.
• Draft and review analysis reports resulting from penetration testing.
• Stay current with emerging security threats, vulnerabilities, attack techniques, and mitigation strategies relevant to penetration testing.
• Collaborate with fellow assessment and agency Cybersecurity personnel on enterprise security initiatives and testing operations.
• Analyzes for weaknesses in company systems. Devises tests and scenarios for various penetration tests.
• Documents results and communicates them to engineers and management.
• Provides recommendations for new technologies and system designs according to test results.
• Develops automated testing programs where possible and efficient.

Education and Background

Typically has a bachelor degree, and 4-5 years of experience, or equivalent relevant work experience; e.g., each year of work experience may be substituted for each year of education required.

Years of Experience

4-5 years

Required Skills

• A minimum of 3 years of experience with assessing APT threats, Penetration Testing, Vulnerability Management, attack methodologies, malware analysis, attack surface comprehension, Cyber Threat Emulation operations, Cyber Advanced Threat Emulation Team operations and research, identification, and verification of new APT TTPs.
• Familiarity with API testing methodologies including REST, SOAP, JSON, XML, and authentication/token-based workflows.
• Understanding of OWASP Top 10, API Security Top 10, and common web application attack vectors.
• Experience writing technical security assessment reports and communicating findings to both technical and non-technical stakeholders
• Experience with Kali Linux, Metasploit, Burp suite, and post-exploitation frameworks.
• Knowledge and experience in Penetration Testing, SOC support, and coordination with security teams to strengthen Enterprise security posture.
• Research and remain up to date with emerging threats and Threat Emulation methodologies.
• Able to automate tasks and script at a basic level.
• Familiarity with NIST and FISMA compliance.
• A working knowledge of the various operating systems (e.g. Windows, OS X, Linux, etc.) commonly deployed in enterprise networks, a conceptual understanding of Windows Active Directory is also required, and a working knowledge of network communications and routing protocols (e.g. TCP, UDP, ICMP, BGP, MPLS, etc.) and common internet applications and standards (e.g. SMTP, DNS, DHCP, SQL, HTTP, HTTPS, etc.).

Preferred Skills

Desired Qualifications:

One or more certifications for VAT Analysts:  GPEN, GWAPT, GSNA, GMON, GISF, GAWN, GWEB, GXPN, CEH, GNFA, OSCP, OSEE, OSCE, OSWP, CISSP

Experience developing custom exploits and exploitation tools in support of authorized penetration tests or cyber threat emulation exercises.

Experience with analyzing deceptive technologies such as honeynets.

Ability to work with a cyber network defense organization to improve an organization’s detection capabilities.

Expertise in policies, industry trends, techniques related to penetration testing.

Existing Subject Matter Expert of Advanced Persistent Threat or Emerging Threats

Working Conditions

• Remote position

• Happy - Be Infectious. Happiness multiplies and creates a positive and connected environment where motivation and satisfaction have an outsized effect on everything we do.
• Helpful - Be Supportive. Being helpful is the foundation of teamwork, resulting in a supportive atmosphere where collaboration flourishes, and collective success is celebrated.
• Honest - Be Trustworthy. Honesty serves as our compass, ensuring transparent communication and ethical conduct, essential to who we are and the complex domains we support.
• Humble - Be Grounded. Success is not achieved alone, humility ensures a culture of mutual respect, encouraging open communication, and a willingness to learn from one another and take on any task.
• Hungry - Be Eager. Our hunger for excellence drives an insatiable appetite for innovation and continuous improvement, propelling us forward in the face of new and unprecedented challenges.
• Hustle - Be Driven. Hustle is reflected in our relentless work ethic, where we are each committed to going above and beyond to advance the mission and achieve success.