Tanisha Systems, Inc

Penetration Testing Engineer

On site

Charlotte, United States

Mid level

Freelance

05-11-2025


Skills

Python, JavaScript, Bash, GraphQL, Penetration Testing, Vulnerability Assessment, Cloud Security, Burp Suite, CI/CD, Docker, Kubernetes, Test, Security Testing, Presentation Skills, Training, Programming, Azure, AWS, API Testing, Postman, SDLC, GCP, CI/CD Pipelines, Microservices

Job Specifications

Job Title –

Cybersecurity Penetration Testing Engineer – Application & API Security

Location – preferably in Charlotte, NC


Must have – Expertise in Burp Suite, API testing, and penetration testing


Job Summary –

The Penetration Testing Engineer will be responsible for conducting in-depth web application, mobile application, and API security testing across business-critical platforms.

The role requires hands-on expertise in Burp Suite, deep understanding of offensive security methodologies, and the ability to identify, exploit, and document security vulnerabilities.

The engineer will work closely with development, DevSecOps, and risk teams to ensure secure SDLC practices and support remediation of discovered vulnerabilities.


Years of experience needed – 5–8 years of total experience in application or API penetration testing, with at least 3+ years in hands-on offensive testing.


Key Responsibilities:

1. Penetration Testing & Vulnerability Assessment

Perform manual and automated penetration testing on web, mobile, and API endpoints.
Use Burp Suite Professional extensively for intercepting, modifying, and exploiting HTTP/S traffic.
Conduct source code-assisted testing when applicable to identify deeper logic flaws.
Simulate real-world attack scenarios guided by the OWASP Top 10, the CWE/SANS Top 25, and the OWASP API Security Top 10.
Identify authentication, authorization, session management, and input validation flaws.

2. API Security Testing

Perform REST and GraphQL API penetration testing, including JWT, OAuth, and token manipulation.
Validate business logic vulnerabilities and parameter tampering across microservices.
Use tools such as Postman, Burp Suite, and OWASP ZAP for fuzzing, interception, and payload injection.
Validate API schema misconfigurations, rate limiting, and data exposure issues.

3. Offensive Security & Exploitation

Execute custom payloads and exploits to demonstrate risk severity to stakeholders.
Develop proof-of-concept (PoC) exploits to validate identified vulnerabilities.
Emulate attacker tactics, techniques, and procedures (TTPs) mapped to MITRE ATT&CK, and classify root causes against CWE references.
Perform targeted assessments on authentication bypass, privilege escalation, and insecure deserialization.

4. Reporting & Remediation Support

Document detailed findings, reproduction steps, impact analysis, and mitigation recommendations.
Collaborate with developers and DevSecOps teams to ensure timely patching and secure code fixes.
Participate in vulnerability triage and retesting post-remediation.
Present reports to technical and management stakeholders in clear, risk-prioritized language.

5. Security Process & Continuous Improvement

Integrate testing results into CI/CD pipelines where possible (DevSecOps enablement).
Contribute to secure coding guidelines and training sessions for developers.
Evaluate emerging attack trends, new CVEs, and offensive security tools to keep the testing framework current.
Assist in developing internal scripts, extensions, or automation workflows for testing efficiency.


Technical Skills

Core Tools & Techniques

Burp Suite Professional – expert-level usage (Intruder, Repeater, Decoder, Extender).
Familiarity with OWASP ZAP, Nmap, Metasploit, sqlmap, DirBuster, Hydra, and ffuf.
Deep understanding of OWASP Top 10 (Web & API) and CWE Top 25 vulnerabilities.
Strong ability to identify and exploit logic-based and authentication-related flaws.

Programming & Scripting

Proficiency in at least one scripting language: Python, JavaScript, or Bash.
Experience writing small custom scripts or Burp extensions for advanced payloads.
Understanding of HTTP/HTTPS, REST, and GraphQL, and of the JSON and XML data formats they carry.

Offensive Security

Practical experience in vulnerability exploitation, reverse engineering, or red team engagements.
Familiarity with exploit development frameworks and C2 tools (Cobalt Strike, Empire) is a plus.
Ability to simulate APT-style threat actor behavior and persistence mechanisms.

API / Cloud Security (Preferred)

Knowledge of API gateways (Kong, Apigee) and microservices architectures.
Awareness of cloud-native security testing (AWS, Azure, GCP) and container security (Docker/Kubernetes).

Qualifications

Bachelor’s or Master’s degree in Computer Science, Information Security, or related field.
5–8 years of total experience in application or API penetration testing, with at least 3+ years in hands-on offensive testing.
Strong report writing and presentation skills for both technical and non-technical audiences.
Preferred Certifications:

OSCP / OSWE / OSEP (Offensive Security)
Burp Suite Certified Practitioner (BSCP)
eWPTX / eCPPT / CEH (Practical)
GWAPT / GPEN / GCPN

About the Company

Tanisha Systems, founded in 2002 in Massachusetts, USA, is a leading provider of Custom Application Development and end-to-end IT Services to clients globally. We use a client-centric engagement model that combines local on-site and off-site resources with the cost, global expertise and quality advantages of off-shore operations. We deliver Custom Application Development, Application Modernization, Business Process Outsourcing and Professional IT Services from office locations in USA and India. Mission To develop Outsource an...