Penetration Tester
San Francisco, CA 
Posted 11 days ago
Job Description

Before we get started:

Here at Ingenio, we'd love to talk with you regardless of your qualifications or years of experience. If you believe you'd be a great fit for this role, we invite you to apply even if you do not meet all points on the job description.

Who we are:

Ingenio is a global media and technology company developing products that provide guidance on love, relationships, career, and life overall. We are passionate about connecting people with the world's best advisors and content to empower everyone to live happier lives.
Ingenio offers the world's largest portfolio of over 25 marketplace and media brands in the spiritual and emotional wellness space - led by flagship brands such as Keen and in the US, Questico and AstroTV in Germany, Purple Garden in Israel and Ukraine, The Circle in the UK, and Kang in France.

How you'll be impactful:

We are looking for a Penetration Tester to perform various levels of testing on our mobile & web apps, APIs, internal & external networks and cloud services to understand the risk exposure of our organization and help mitigate it. This begins with understanding our infrastructure and applications, setting a clear testing methodology, selecting the right tools, crafting testing protocols and setting up execution plans. Once the tests are complete, reports need to be created with detailed remediation plans and target dates. The remediation plan needs to be diligently executed, with stakeholders kept accountable for remediation.

This role will be required to be in our San Francisco office 2x/week (Tuesdays & Wednesdays).

What you'll be doing:

  • You will be primarily working with the stakeholders from different business units in gaining knowledge about their applications.
  • Review testing scope: Start by reviewing the scope of the application that needs to be tested. This includes understanding the target system's purpose, scope of the test (what's in bounds), and any Business unit specific concerns.
  • Gather Information (Recon): Simulating an attacker, you'll gather information about the target system through open-source intelligence (OSINT) techniques. This might involve searching for publicly available details online or network reconnaissance.
  • Plan and Strategize: Based on the gathered intel, you will need to strategize by choosing specific tools and techniques tailored to the target system's vulnerabilities.
  • Run Vulnerability Scans: Specialized tools are used to scan the target system for weaknesses in software, configuration issues, or misconfigured systems.
  • Analyze Scan Results: You will meticulously analyze the scan results to identify potential vulnerabilities that require further exploration.
  • Exploit Identified Vulnerabilities: Using your expertise and tools, attempt to exploit the identified vulnerabilities to gain unauthorized access, mimicking a real cyberattack.
  • Conduct Post-Exploitation Assessment: Once access is gained, you will explore how far you can penetrate the system and the potential damage that could be caused in a real attack scenario.
  • Document Findings: Throughout the process, detailed notes are taken. After testing is complete, these notes are compiled into a comprehensive report outlining discovered vulnerabilities, exploitation steps, and potential impact.
  • Recommend Remediation Strategies: Create recommendations for fixing the vulnerabilities and improving the overall security posture of the system.

What you'll need to be successful:

  • At least 2+ years of experience in penetration testing various web/mobile applications and networks
  • 3+ years of experience in Cyber Security and an understanding of security controls and protocols
  • Solid understanding of Network protocols and configurations
  • Experience with threat modeling concepts and frameworks (CVSS, MITRE ATT&CK, DREAD, etc.)
  • Ability to understand the threat landscape and customize testing related to our environment
  • Experience working on hybrid infrastructure platforms (on-prem, Azure, GCP, AWS)
  • Apply OWASP's methodology to web application penetration tests to ensure they are consistent, reproducible, rigorous, and under quality control
  • Deep understanding of mobile applications and their security configurations
  • Analyze the results from web testing tools to validate findings, determine their business impact, and eliminate false positives
  • Manually discover key web application flaws
  • Experience in using external resources like KVE's to look for active exploits in the wild and prioritize relevant key findings
  • Develop and deliver high quality reports from the testing that outline remediation measures

Preferred qualifications

  • Bachelor's Degree in Computer Science, Information Technology, Information Systems, or equivalent
  • Certifications like GPEN, GWAPT, SCP, OSWP, OSWA, eCPPT, etc

Perks & Benefits:

  • Friendly, talented, collaborative and entrepreneurial team
  • Premium medical, dental, and vision insurance
  • Generous holiday and PTO policies (including Birthday PTO!)
  • Summer Fridays
  • 401k matching program
  • Lunch
  • Technology stipends
  • Wellness allowance
  • Training and development opportunities and allowance
  • Fun and inclusive digital, and (in the future) in-person events
  • Employee groups - DEI committee, fun committee, wellness group and more

Pay Transparency:

The US base salary range for this full-time position is $125,000-$150,000. Our salary ranges are determined by role, level, and location. The range displayed on each job posting reflects the minimum and maximum target for new hire salaries for the position across all US locations. Within the range, individual pay is determined by work location and additional factors, including job-related skills, experience, and relevant education or training. Your recruiter can share more about the specific salary range for your preferred location during the hiring process. Please note that the compensation details listed in US role postings reflect the base salary only, and do not include bonus, equity, or benefits.

Why Ingenio:

Our growing team of over 400 employees is powered by our diverse perspectives and company core values:

  • We are humble. We believe the best result is achieved by leveraging others' perspectives
  • We think like owners. We make decisions that optimize for the greater good of the organization
  • We challenge limiting beliefs. We are at our best when we identify and shatter status quo expectations

Ingenio is an equal opportunity workplace and is an affirmative action employer. We are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity or Veteran status.

 

Job Summary
Company
Start Date
As soon as possible
Employment Term and Type
Regular, Full Time
Required Experience
2+ years