Penetration Tester – Lead Job Description

Position Summary

Essential Duties and Responsibilities

• Lead enterprise penetration testing and vulnerability assessment activities supporting SBA ECS cybersecurity initiatives.
• Support Task Areas 3.5.4 and 3.5.4.7 by conducting advanced offensive security testing against enterprise systems, applications, cloud environments, networks, and security architectures.
• Plan, coordinate, and execute internal and external penetration testing engagements in accordance with federal cybersecurity standards and approved Rules of Engagement (ROE).
• Conduct application security testing against web applications, APIs, mobile applications, and cloud-hosted systems.
• Perform network penetration testing, exploitation, lateral movement analysis, privilege escalation testing, and post-exploitation activities.
• Execute adversarial emulation and red team exercises to evaluate security controls, monitoring capabilities, and incident response effectiveness.
• Conduct vulnerability validation, exploit research, attack-path analysis, and risk prioritization activities.
• Assess cloud security controls and configurations across Microsoft Azure, AWS, Microsoft 365, SaaS, and hybrid cloud environments.
• Perform wireless security testing, password auditing, authentication testing, and identity management assessments.
• Support phishing assessments, social engineering testing, and security awareness validation activities where authorized.
• Develop detailed technical penetration testing reports, executive summaries, remediation guidance, and risk assessment documentation.
• Provide technical recommendations for remediation of identified vulnerabilities, misconfigurations, and security gaps.
• Validate remediation efforts and conduct follow-up testing to confirm resolution of identified findings.
• Support development and refinement of penetration testing methodologies, procedures, testing standards, and operational playbooks.
• Coordinate with security engineers, SOC analysts, ISSOs, system administrators, cloud engineers, and program managers during testing activities.
• Assist with security architecture reviews, threat modeling, and attack surface analysis activities.
• Use automated and manual testing techniques to identify vulnerabilities and validate exploitability.
• Operate and maintain penetration testing toolsets, attack frameworks, vulnerability scanners, and security testing platforms.
• Support compliance and assessment activities aligned with NIST RMF, NIST SP 800-53, FISMA, FedRAMP, and Zero Trust Architecture requirements.
• Provide technical leadership and mentorship to junior penetration testers and cybersecurity analysts.
• Participate in incident response support, forensic investigations, and threat hunting activities as required.
• Support DevSecOps and secure software development initiatives through application security testing and code review support.
• Ensure all testing activities comply with federal security policies, legal requirements, approved authorizations, and ethical hacking standards.

Minimum Qualifications

• Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, Engineering, Information Systems, or related discipline. Relevant experience may substitute for degree requirements.
• Minimum of 10 years of experience supporting penetration testing, vulnerability assessments, offensive cybersecurity operations, red teaming, or advanced cybersecurity engineering.
• Extensive experience conducting penetration testing against enterprise networks, web applications, cloud environments, and operating systems.
• Advanced knowledge of offensive security methodologies, exploitation frameworks, attack techniques, and adversarial tactics.
• Experience using penetration testing and security assessment tools such as Metasploit, Burp Suite, Nessus, Nmap, Kali Linux, Cobalt Strike, BloodHound, Wireshark, and related platforms.
• Strong understanding of network protocols, operating systems, identity management, authentication mechanisms, and cloud architectures.
• Experience with scripting or programming languages such as Python, PowerShell, Bash, JavaScript, or Go.
• Knowledge of NIST RMF, NIST SP 800-53, FISMA, FedRAMP, MITRE ATT&CK, and Zero Trust Architecture concepts.
• Experience leading penetration testing teams, coordinating testing engagements, and presenting findings to technical and executive stakeholders.
• Strong analytical, problem-solving, technical writing, and communication skills.
• Experience supporting federal agencies or government cybersecurity environments preferred.

Preferred Certifications

• Offensive Security Certified Professional (OSCP)
• Offensive Security Experienced Penetration Tester (OSEP)
• GIAC Penetration Tester (GPEN)
• GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
• Certified Ethical Hacker (CEH)
• Certified Information Systems Security Professional (CISSP)
• CompTIA PenTest+
• GIAC Web Application Penetration Tester (GWAPT)
• Certified Red Team Professional (CRTP)
• AWS Certified Security – Specialty
• Microsoft Certified: Azure Security Engineer Associate