Penetration Testing Engineer

6 days ago


Charlotte, North Carolina, United States Tanisha Systems, Inc Full time $80,000 - $120,000 per year

Job Summary –

Cybersecurity Penetration Testing Engineer – Application & API Security

Location – preferably in Charlotte, NC

Must have - Expertise in Burp Suite, API testing and Penetration Testing

The Penetration Testing Engineer will be responsible for conducting in-depth web application, mobile application, and API security testing across business-critical platforms.

The role requires hands-on expertise in Burp Suite, deep understanding of offensive security methodologies, and the ability to identify, exploit, and document security vulnerabilities.

The engineer will work closely with development, DevSecOps, and risk teams to ensure secure SDLC practices and support remediation of discovered vulnerabilities.

Years of experience needed –
5–8 years of total experience in application or API penetration testing, with at least 3+ years in hands-on offensive test

Key Responsibilities:

1. Penetration Testing & Vulnerability Assessment

  • Perform manual and automated penetration testing on web, mobile, and API endpoints.
  • Use Burp Suite Professional extensively for intercepting, modifying, and exploiting HTTP/S traffic.
  • Conduct source code-assisted testing when applicable to identify deeper logic flaws.
  • Simulate real-world attack scenarios using OWASP Top 10, SANS 25, and API Security Top 10 frameworks.
  • Identify authentication, authorization, session management, and input validation flaws.

2. API Security Testing

  • Perform REST and GraphQL API penetration testing, including JWT, OAuth, and token manipulation.
  • Validate business logic vulnerabilities and parameter tampering across microservices.
  • Use tools such as Postman, Burp Suite, and OWASP ZAP for fuzzing, interception, and payload injection.
  • Validate API schema misconfigurations, rate limiting, and data exposure issues.

3. Offensive Security & Exploitation

  • Execute custom payloads and exploits to demonstrate risk severity to stakeholders.
  • Develop proof-of-concept (PoC) exploits to validate identified vulnerabilities.
  • Emulate attacker tactics, techniques, and procedures (TTPs) from MITRE ATT&CK and CWE references.
  • Perform targeted assessments on authentication bypass, privilege escalation, and input deserialization.

4. Reporting & Remediation Support

  • Document detailed findings, reproduction steps, impact analysis, and mitigation recommendations.
  • Collaborate with developers and DevSecOps teams to ensure timely patching and secure code fixes.
  • Participate in vulnerability triage and retesting post-remediation.
  • Present reports to technical and management stakeholders in clear, risk-prioritized language.

5. Security Process & Continuous Improvement

  • Integrate testing results into CI/CD pipelines where possible (DevSecOps enablement).
  • Contribute to secure coding guidelines and training sessions for developers.
  • Evaluate emerging attack trends, new CVEs, and offensive security tools to keep the testing framework current.
  • Assist in developing internal scripts, extensions, or automation workflows for testing efficiency.

Technical Skills

Core Tools & Techniques

  • Burp Suite Professional – expert-level usage (Intruder, Repeater, Decoder, Extender).
  • Familiarity with OWASP ZAP, Nmap, Metasploit, SQLmap, DirBuster, Hydra, and Ffuf.
  • Deep understanding of OWASP Top 10 (Web & API) and CWE Top 25 vulnerabilities.
  • Strong ability to identify and exploit logic-based and authentication-related flaws.

Programming & Scripting

  • Proficiency in at least one scripting language: Python, JavaScript, or Bash.
  • Experience writing small custom scripts or Burp extensions for advanced payloads.
  • Understanding HTTP/HTTPS, REST, GraphQL, JSON, and XML protocols.

Offensive Security

  • Practical experience in vulnerability exploitation, reverse engineering, or red team engagements.
  • Familiarity with exploit development frameworks, C2 tools (Cobalt Strike, Empire) is a plus.
  • Ability to simulate APT-style threat actor behavior and persistence mechanisms.

API / Cloud Security (Preferred)

  • Knowledge of API gateways (Kong, Apigee) and microservices architectures.
  • Awareness of cloud-native security testing (AWS, Azure, GCP) and container security (Docker/Kubernetes).

Qualifications

  • Bachelor's or Master's degree in Computer Science, Information Security, or related field.
  • 5–8 years of total experience in application or API penetration testing, with at least 3+ years in hands-on offensive testing.
  • Strong report writing and presentation skills for both technical and non-technical audiences.
  • Preferred Certifications:
    · OSCP / OSWE / OSEP (Offensive Security)
    · Burp Suite Certified Practitioner (BSCP)
    · eWPTX / eCPPT / CEH (Practical)
    · GWAPT / GPEN / GCPN


