Senior Web Application Penetration Tester

Chasepro Talent, United States
Remote
AI Summary

Join a small, high-impact security team as a Senior Web Application Penetration Tester, performing manual web and API penetration testing, and communicating findings to developers and InfoSec leadership.

Key Highlights

  • Manual web and API penetration testing
  • AWS security fundamentals
  • Clear communication of findings

Technical Skills Required

  • Burp Suite, Nmap, Metasploit, Nessus, Nuclei
  • OWASP Top 10
  • AWS (EC2, Lambda, IAM)
  • SAST/DAST/SCA

Benefits & Perks

  • 12-month contract with potential for extension or conversion
  • 100% remote work

Job Description


Job Title – Penetration Tester / Senior Web Application Penetration Tester

Location: 100% Remote

Duration: 12-month contract with potential for extension or conversion based on performance.


Note — no C2C or sponsorship available


Job Overview

Seeking a Senior Web Application Penetration Tester to join a small, high-impact security team responsible for testing ~150 applications per year. This role focuses heavily on manual web and API penetration testing, AWS security fundamentals, and the ability to clearly communicate findings to developers, architects, and InfoSec leadership.


This position requires candidates who can work independently, test beyond scanners, identify complex vulnerabilities, and uphold professionalism and integrity throughout the interview and work process.


Key Responsibilities

  • Perform deep manual penetration testing on web and API applications in staging environments.
  • Use tools like Burp Suite, Nmap, Metasploit, Nessus, Nuclei, and others for focused, repeatable testing.
  • Apply strong understanding of penetration testing methodologies, including reconnaissance, exploitation, validation, and reporting.
  • Identify, validate, and prioritize vulnerabilities — including false positive reduction due to heavy automated scanning volumes.
  • Communicate with development teams to:
      • Define testing scope
      • Deliver clear and actionable reports
      • Validate remediation steps before closure
  • Leverage AI tools (where appropriate) to streamline tasks, improve efficiency, and support analysis.
  • Collaborate closely with the Pen Test team, ASM team, and broader InfoSec group.
  • Maintain professionalism, honesty, and high integrity in all interactions.


Required Qualifications

Penetration Testing Expertise

  • 5+ years of total experience, with 3+ years of hands-on penetration testing, focusing on:
      • Manual web application testing
      • API testing
      • Vulnerability chaining
      • Manual validation of scanner findings


Technical Skills

  • Strong hands-on experience with Burp Suite (primary tool).
  • Real-world use of Nmap, Metasploit, Nessus, Nuclei, and other offensive security tools.
  • Solid understanding of OWASP Top 10, common attack vectors, and exploit techniques.
  • Familiarity with SAST/DAST/SCA concepts (even if not primary duty).


Cloud Security (AWS strongly preferred)

Candidates must understand core AWS components such as:

  • EC2
  • Lambda
  • IAM basics
  • Architectural patterns

Azure experience is acceptable if the candidate can map concepts appropriately to AWS.


AI Competency

  • Ability to use AI tools responsibly to improve workflows (not to cheat interviews).
  • Open-mindedness to AI-driven efficiency improvements.


Soft Skills

  • Strong written and verbal communication.
  • Ability to collaborate across InfoSec, ASM, and development teams.
  • Clear reasoning and ability to articulate testing processes end-to-end.
  • High professionalism and honesty during interviews.


Nice-to-Have Experience

  • Exposure to automation platforms like SonarQube, Qualys, or PODE.
  • Certifications: OSCP, CEH, CISSP, Security+ (preferred but not required).
  • Experience in financial services (not required).

