We’re looking for a Security Consultant/Penetration Tester who actually knows how to break things. Not someone who just lists tools on their resume, but someone who’s spent real time in the trenches doing penetration testing work. This is a hands-on role where you’ll be assessing security across diverse client environments.
Key Responsibilities
– Security Assessments
You’ll conduct comprehensive security assessments across multiple domains:
- Web application, API, mobile application, and thick client penetration testing
- Network penetration testing (internal, external, wireless)
- Cloud security configuration reviews (AWS, Azure, GCP, M365)
- Source code security reviews and analysis
- Infrastructure and network device configuration assessment
About 60% of your time will be actual testing work. The other 40% involves documentation, reporting, client coordination, and the occasional VPN troubleshooting session with clients. We won’t pretend this is all exciting red team operations and zero-days. Most of it is solid, honest assessment work.
– Documentation & Reporting
This is where most pentesters struggle, so let’s be clear: you’ll write reports. Many reports. Clients don’t pay for screenshots of reverse shells, they pay for clear, actionable documentation that explains what’s broken and why it matters.
Your reports need to translate technical vulnerabilities into business risk. If your findings all look copy-pasted or say “XSS found, fix it” with no context, we’re all going to have a bad time.
– Client Engagement
- Participate in kickoff calls and provide regular status updates
- Communicate technical findings to both technical teams and business stakeholders
- Serve as technical point of contact during engagements
- Present findings through common presentation and video conferencing tools
– Methodology & Process
- Follow established testing methodologies while adapting to client environments
- Contribute to internal knowledge base and methodology documentation
- Develop scripts and tools to improve assessment efficiency
- Stay current with emerging vulnerabilities and attack techniques
What We’re Looking For
– Experience
Minimum 2 years in penetration testing or security assessments. Real client engagements, real reports, real deadlines. Not just “I did HackTheBox for a year” (though that’s a good foundation). You should be comfortable independently handling standard assessments while knowing when to escalate complex scenarios.
Prior experience in a consulting or professional services environment is strongly preferred. You understand project-based delivery and client management.
– Technical Skills
You should be comfortable with manual penetration testing techniques across web applications, networks, APIs, mobile platforms, and cloud environments. Specifically:
- Standard offensive security tools: Burp Suite, Nmap, Metasploit, Wireshark, SQLMap, Nikto, Nessus, OWASP ZAP
- Command line proficiency (Linux/Windows)
- Understanding of common vulnerability classes beyond just the OWASP Top 10
- Ability to find SQL injection manually, not just with automated tools
- Cloud platform security (AWS, Azure, GCP, M365) basics
– Scripting & Automation
Can you write a Python script that does something useful? Can you automate a boring task? Can you modify an exploit that’s almost-but-not-quite working?
You don’t need to be a software engineer, but you should be comfortable with Python and Bash scripting. If you can’t script your way out of a paper bag, this role will be painful.
– Certifications
Not strictly required, but they help. Ones we respect:
- OSCP – The gold standard. If you have this, say it loudly.
- PNPT, CPTS, CWEE, eCPPT, eWPTX, eJPT – Solid practical certifications
- CRTO, CRTP, CRTE, OSEP – Red team and Active Directory focused
- CEH – We’ll accept it, but we’ll also gently roast you
- GPEN, GWAPT, GXPN – Nice to have
- CompTIA PenTest+ – Sure, why not
No cert? That’s fine if your practical skills back it up. But if you have neither certifications nor demonstrable experience, this isn’t an entry-level role.
– Frameworks & Standards
Working knowledge of security testing methodologies and compliance frameworks:
- OWASP Testing Guide, PTES, MITRE ATT&CK
- NIST CSF, CIS Controls
- Relevant compliance standards (ISO 27001, PCI DSS, SOC 2, HIPAA, GDPR)
– Communication Skills
- Excellent written and verbal communication in English
- Ability to write clear, actionable reports
- Can explain technical concepts to non-technical audiences
- Comfortable with client-facing discussions
– The Right Mindset
- You read security writeups for fun
- You’ve stayed up too late on a CTF at least once
- You Google weird error messages because you actually want to know what they mean
- You’re genuinely curious about how things break
- You can work independently but also collaborate effectively with a team
What We’re Not Looking For
- “I know Kali Linux” – So does everyone. What did you actually do with it?
- Copy-paste report writers – If all your findings look identical, we’ll notice
- Certification collectors – 12 certs with no practical skills? Pass.
- Lone wolves who can’t collaborate – You’ll work with a team
- People who peaked at CTFs – Great foundation, but client work is different
What We Offer
- Competitive compensation with performance-based considerations
- Certification support – We’ll pay for training and certifications. Want your OSCP? It’s on us.
- Mentorship from senior staff who’ll actually help you grow
- Diverse client portfolio – Different industries, different tech stacks, you won’t be bored
- No micromanagement – We care about output, not tracking your mouse movements
- Clear career progression – There’s a defined path to senior roles
- Flexible work arrangements – Get your work done, and we’re good
- Continuous learning opportunities – Exposure to challenging engagements
How To Apply
Send us:
- Your resume (PDF format)
- A few sentences about an interesting finding you made or a memorable assessment you worked on
- Optional: Links to your blog, GitHub, CTF profiles, or anything else that shows you’re genuinely into security
Don’t send:
- A cover letter that starts with “I am writing to express my interest…”
- A 47-page resume listing every technology ever invented
- Lies or exaggerations – We’ll figure it out