Cybersecurity Pentester - Red Team Operator

Powering the world’s payments ecosystem. ACI powers the payments ecosystem – globally, and you power ACI. You’ll innovate, collaborate, and grow – in an energetic technology culture with decades of proven success. ACIers – in all roles and levels – are truly your colleagues and many are your friends. Our size and reach allow you to see the global impact of your work.

You are visible, your talents are valued, and you are empowered to shape the future of payments.

Protects the confidentiality and availability of software, systems and information owned, controlled, used and managed by the company. Responsible for performing penetration testing and vulnerability assessments within a team environment. Conducts formal tests on web-based and traditional applications, networks/infrastructure, mobile, source code reviews, threat analysis, wireless network assessments and other technology. Performs the daily operation of the team including vulnerability identification, risk assessments, vulnerability remediation, and validation testing.

Provides actionable recommendations and guidance for the business based on assessment findings.

• Perform internal penetration testing and external red teaming of networks, systems, and applications within agreed scope and rules of engagement.
• Run web application vulnerability software to detect security issues in web applications.
• Analyze output of web application test scans to determine valid security issues.
• Conduct regular meetings with business unit stakeholders to assess remediation efforts from pentest findings.
• Gather security‑related information across multiple electronic, computer and development environments; identify, summarize, review, and report potential/actual actions that may jeopardize information security environments.
• Participate in information security audits to proactively minimize and eliminate information security vulnerabilities.
• Use penetration testing methodologies to validate the remediation of vulnerabilities and misconfiguration issues.
• Review application code reports on vulnerabilities.
• Perform extensive internal network reconnaissance with correlation of data from SIEM, scanning applications, network monitoring devices, host applications, etc.
• Perform web application testing focused on http/https vulnerabilities, TLS, application level like XSS, SQL, cross‑site scripting.
• Perform other duties as assigned.
• Understand and adhere to all corporate policies, including the ACI Code of Business Conduct and Ethics.
• Understand and comply with Risk Management program requirements, including identification of risks, key controls, and control testing as applicable to responsibilities.

• Bachelor’s degree in computer science, MIS, or related field or equivalent experience.
• 1‑3 years’ experience in information security in various security disciplines.
• Certifications:
  
  OSCP, CRTO, CRTP, OSEP, GXPN, or similar.
• Solid understanding of OWASP and other software security best practices.
• Strong technical ability in both manual and automated approaches to penetration testing.
• Knowledge of threat modeling methodologies.
• Knowledge of social engineering techniques and methodologies.
• Detailed knowledge and experience with exploiting vulnerabilities in a corporate environment.
• Experience with assessment tools such as scanners, administrative utilities, local proxies, debuggers, fuzzers, etc.
• Excellent problem solving, planning and interpersonal skills.
• Ability to interpret internal and external business challenges and recommend best practices.
• Skilled experience with major operating systems, such as Windows, UNIX, Linux, including administration and security.
• Intermediate experience with multiple penetration tools, such as Burp, OWASP ZAP, NMAP, OpenVAS, OpenSSL, Cobalt Strike, SQLmap, Pupy, Mimikatz, Metasploit, etc.
• Intermediate experience with programming languages—shell scripting to automate tasks, such as C++, Perl, Python, or Ruby.
• Knowledge of attack method types and their usage in targeted attacks, such as malware, vulnerabilities, application vulnerabilities, lateral movement, etc.
• Experience creating reports with detailed…