Senior Penetration Tester
Location
Vietnam (Remote)
Employment type
Full time, permanent
About the role
We are building a new Offensive Security Center of Excellence in Vietnam and are looking for
senior penetration testers to form the founding team.
You will focus primarily on hands-on offensive security engagements, with a strong preference
for candidates who have depth in at least two of the following areas:
● Web application and API penetration testing
● External network penetration testing
● Internal network and Active Directory penetration testing
● Cloud penetration testing and cloud security assessment
● Mobile application security (iOS / Android)
● AI / LLM application penetration testing
● Desktop or thick client application testing
● Social engineering
● Red team and adversary simulation
You do not need to be an expert in every area above. Strong expertise in two or more, and solid
familiarity with several others, is exactly what we are looking for.
From time to time, you may also participate in client-facing cyber engineering work or internal
security engineering and software development projects, so good programming skills are also
important (we’re a Python and TypeScript shop).
This is a senior role with real influence on how we test, build tools, and operate as a global
security team.
Key responsibilities
Penetration testing and red teaming
● Plan and execute manual penetration tests aligned with your areas of expertise, which
may include:
○ Web applications and APIs
○ External and internal networks
○ Cloud environments (AWS, Azure, GCP or similar)
○ Mobile or desktop applications, aligned with your strengths
○ AI / LLM applications
● Conduct red team and adversary simulation style engagements where required.
● Perform scoping, threat modeling, and test plan design for complex engagements.
● Identify, exploit, and chain vulnerabilities using industry-standard methodologies and
frameworks (for example PTES, NIST 800-115, OWASP Web and API Top 10).
● Produce clear, actionable reports with risk ratings and remediation guidance for both
technical and executive audiences.
● Present and explain findings to customers and internal stakeholders, and support them
through remediation and retest phases.
Tooling, automation, and AI
● Design, build, and maintain internal utilities that make pentesting work more effective
and repeatable, such as:
○ Automation scripts for recon, discovery, triage, and exploitation
○ Helper tools to speed up common tests and evidence collection
○ Integrations with scanners, CI pipelines, and reporting systems
● Experiment with automation and AI to improve test coverage, analysis, and report
quality.
● Where appropriate, contribute tools, scripts, or research back to the broader security
community.
Cyber engineering and internal projects
● When needed, support client-facing cyber engineering requirements, such as secure
configuration reviews or implementation support.
● Contribute to internal security engineering or software development projects, working
closely with other engineers and developers.
● Use your programming skills (especially Python and TypeScript) to build robust,
maintainable solutions rather than one-off scripts.
Center of Excellence and collaboration
● Help define and continuously improve the processes, standards, and playbooks for the
Vietnam offensive security CoE.
● Mentor and coach less experienced team members as the team grows.
● Collaborate with US teams in the US Eastern time zone.
What you bring
Experience
● 5+ years of hands-on penetration testing or offensive security experience.
● Strong depth in at least two of the following areas:
○ Web application and API penetration testing
○ External and internal network / AD testing
○ Cloud penetration testing and cloud security
○ Mobile or desktop application security
○ AI / LLM application security testing
○ Social engineering and phishing campaigns
○ Red team or adversary emulation operations
● Exposure to several of the other domains listed above, even if they are not your primary
focus.
● Experience working in consulting, services, or product security with direct customer
interaction is a plus.
● Experience using or building AI-enabled tools for offensive security or security
automation.
Technical skills
● Strong practical skills with common offensive tools and frameworks, for example:
○ Burp Suite, Nmap, Metasploit, sqlmap
○ Cobalt Strike or comparable C2 frameworks
○ BloodHound and similar tools for AD
● Solid programming and scripting skills, especially:
○ Python and TypeScript
○ Other useful languages such as Go, PowerShell or Bash are a plus
● Hands-on experience with at least one major cloud platform (AWS, Azure, or GCP) in an
offensive and defensive context.
● Good understanding of:
○ Web technologies and common vulnerability classes (OWASP Web and API Top 10,
business logic flaws)
○ Network protocols, operating systems, and enterprise infrastructure (AD, LDAP,
Kerberos, VPN, firewalls)
○ Secure software development practices and modern SDLC
Certifications
● Required: OSCP or an equivalent technical, hands-on certification such as CREST CRT,
GXPN, GPEN, eCPPTv2 or similar.
● Preferred:
○ One or more advanced certifications, for example:
■ OSWE, OSEP, OSED, OSCE3
■ CREST CCT, CRTO, CRTP
■ GMOB, cloud offensive or advanced cloud security certifications
Significant real-world experience, a strong portfolio, and demonstrated depth can be considered
in place of some certifications.
Soft skills
● Fluent English is a must for day-to-day collaboration, technical discussions, and client
presentations.
● Clear written communication, especially for reports and documentation.
● Strong problem-solving skills, curiosity, and a mindset geared toward learning new
technologies quickly.
● Ability to work independently in a remote environment, while staying aligned with a
distributed team.
Other nice to have
None of these are required, but they will help you stand out:
● Prior experience leading red team or purple team engagements independently.
● Public contributions to the security community, such as open source tools, conference
talks, or technical writing.
What we offer
● Fully remote role within Vietnam, with no mandatory travel.
● Optional opportunities to attend company events or offsites in the United States or
nearby countries.
● The chance to be a founding member of a new Offensive Security Center of Excellence.
● A very strong focus on innovation, automation, and AI in offensive security.
● Support for advanced training, certifications, and conference participation.
● A culture that values autonomy, technical depth, and continuous learning.
● Private health insurance
● Tech (internet) and meal stipend
● 13th month bonus
● Unlimited PTO
● Equipment and software
● Training and certification
Hiring process
2. Practical assessment or take-home challenge, such as a focused pentest scenario or
exploit and reporting task.
3. Technical interview with the hiring manager, focused on your main specialization areas
and experience.
4. Optional interview with engineering leadership.
Trava Security is an equal opportunity employer, and we value diversity at our company. We
don’t discriminate based on race, religion, color, national origin, gender, sexual orientation,
age, marital status, veteran status, or disability status.