Penetration Tester - Federal Agency

Dragonfli Group • United States
Job Description


Dragonfli Group is a cybersecurity and IT consulting firm providing services to federal agencies and Fortune 100 enterprises. Headquartered in Washington, DC, Dragonfli supports clients in securing mission-critical systems across on-site, hybrid, and fully remote environments.


Role Summary

As a Penetration Tester, you will be responsible for evaluating the security of a large federal agency’s applications, networks, cloud environments, and supporting infrastructure. This role focuses on hands-on manual testing and controlled exploitation to identify and help remediate vulnerabilities. The ideal candidate will possess at least 3–5 years of experience in offensive security, with a deep proficiency in manual application testing and vulnerability validation across on-prem and cloud assets.


This is a multi-year contract position involving a large US federal agency. Candidates with previous federal contracting experience are preferred. U.S. Citizenship or Permanent Residency is required. If hired, all work related to this role must be performed within the continental U.S.


Key Responsibilities

  • Engagement Scoping & Planning: Partner with stakeholders to define objectives, rules of engagement, and success criteria to ensure safe execution.
  • Reconnaissance & Enumeration: Perform passive and active discovery of attack surfaces, services, and APIs to map trust boundaries.
  • Manual Application Testing: Conduct deep testing of web and mobile apps aligned with OWASP Top 10 and common design flaws.
  • Vulnerability Validation: Safely verify findings such as XSS, SQLi, CSRF, SSRF, and broken access control to demonstrate real-world impact.
  • Network & Infrastructure Testing: Identify weaknesses in exposed services, insecure protocols, and misconfigurations across hybrid environments.
  • Post-Exploitation Analysis: Assess blast radius, lateral movement paths, and persistence risks while minimizing operational impact.
  • Reporting & Remediation: Deliver clear technical reports with reproduction steps and prioritized fixes for both engineers and leadership.


Requirements:

Must-Have Qualifications

  • Strong understanding of web application security and modern attack techniques.
  • Demonstrated ability to distinguish false positives from exploitable issues.
  • Proven experience documenting evidence and providing pragmatic remediation guidance.
  • Ability to operate within strict rules of engagement and ethical safety constraints.
  • U.S. Citizenship or Permanent Residency (Green Card).


Desired/Preferred Qualifications

  • Previous experience supporting federal contracting environments.
  • Experience with mobile (Android/iOS) or cloud penetration testing (AWS/Azure/GCP).
  • Experience with CI/CD and supply chain security testing.
  • Familiarity with modern app architectures like microservices and containers.


Skill(s):

  • Offensive Tools: Burp Suite, Nmap, Metasploit.
  • Scripting/Automation: Python, PowerShell, or Bash for lightweight proof-of-concepts.
  • Security Frameworks: OWASP Top 10, OWASP ASVS.
  • Authentication Patterns: OAuth 2.0, OpenID Connect, SAML.
  • API Paradigms: REST, GraphQL.
  • Relevant Certifications: OSCP, GWAPT, GPEN, PNPT (or equivalent).
