×
Apply for Jobs Apply for Jobs Post a Job Post a Job Local Jobs Home
Register Here to Apply for Jobs or Post Jobs. X
More jobs:
Cybersecurity

Penetration Testing Engineer - Application Security

Job in Chicago, Cook County, Illinois, 60290, USA
Listing for: Evolvesec
Full Time position
Listed on 2026-02-16
Job specializations:
  • Engineering
    Cybersecurity
  • IT/Tech
    Cybersecurity
Salary/Wage Range or Industry Benchmark: 125000 - 150000 USD Yearly USD 125000.00 150000.00 YEAR
Job Description & How to Apply Below

Overview

The Penetration Testing Engineer – Application Security is a mid-level role for a tester who has grown beyond the basics and can independently execute penetration tests within a primary domain of expertise. Engineers are offensive security subject matter experts – conducting full assessments with minimal supervision, contributing to methodology improvements, and acting as a point of contact for clients during engagements.

By this stage, they are capable of scoping and planning a test in their domain, executing tests, and producing and communicating detailed reports with practical remediation advice.

Mid-level testers act as the technical client focal within engagements, leading technical execution for assigned projects.

Typical

Experience:

 ~3–5 years of penetration testing experience, during which they have performed numerous assessments. At this point, they have a track record of completed pen tests and proven competencies.

Domain Expertise: Mastery in at least one penetration testing domain. For example, an engineer might be an expert in Web Application Security – adept with advanced web vulnerabilities (beyond OWASP Top 10, including logic flaws, deserialization, etc.), skilled in using Burp Suite for complex testing, and possibly familiar with secure code review.

Technical

Skills:

 Strong practical skills and tool usage. Mid-level testers are comfortable with a variety of pen testing tools and techniques. This includes network scanners (Nmap, Nessus), exploitation frameworks (Metasploit, Cobalt Strike), web testing suites (Burp Suite, OWASP ZAP), and scripting/programming to automate tasks or develop custom exploits (common languages include Python, Power Shell, or Bash). Understanding manual testing techniques – for example, crafting customized payloads, bypassing filters, or chaining vulnerabilities.

An engineer at this level is often responsible for ensuring the accuracy of findings (minimal false positives) and may contribute new findings to the team’s knowledge base.

Soft Skills: Solid communication and consulting skills. By now, the engineer can write thorough technical reports that require only light review, translating technical findings into clear, actionable recommendations. They are also responsive and growing in client-facing abilities, able to lead client briefing calls, deliver vulnerability walkthroughs, and handle questions from stakeholders. Their time management and project coordination skills have improved, enabling them to handle multiple projects or deadlines.

Certifications (Optional): Many mid-levels pen testers obtain well-regarded certifications as a by-product of developing their skills. Examples include OSCP, GWAPT (Web Application Testing), GPEN (Network Penetration), OSWE (Web Exploit Developer), etc. These certifications reinforce their domain expertise, but hands-on experience and successful engagements remain the primary proof of competency.

Expertise that aligns to our approach:

  • Bring 3+ years of hands-on experience in web application penetration testing, with a strong understanding of the OWASP WSTG methodology.
  • Apply structured testing techniques to assess authentication, session management, access control, input validation, error handling, and business logic.
  • Use tools like Burp Suite Pro, OWASP ZAP, Postman, and custom scripts to execute and document each step of the WSTG.
  • Demonstrate proficiency in manual testing and exploit development, including crafted payloads for XSS, SQLi, SSRF, IDOR, CSRF, and more.
  • Understand and test authentication mechanisms, including OAuth, SAML, MFA implementations, and JWT.
  • Perform access control testing across roles and privilege boundaries (WSTG-ATHZ), identifying vertical and horizontal privilege escalation opportunities.
  • Validate input validation and output encoding to uncover XSS, command injection, and template injection flaws.
  • Assess session management implementations for issues like weak session , insecure cookie flags, or token replay (WSTG-SESS).
  • Execute client-side testing using browser dev tools and proxy-based inspection, evaluating DOM-based vulnerabilities and insecure local storage (WSTG-CLNT).
  • Understand…
To View & Apply for jobs on this site that accept applications from your location or country, tap the button below to make a Search.
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).
 
 
 
Search for further Jobs Here:
(Try combinations for better Results! Or enter less keywords for broader Results)
Location
Increase/decrease your Search Radius (miles)

Job Posting Language
Employment Category
Education (minimum level)
Filters
Education Level
Experience Level (years)
Posted in last:
Salary
Advanced Search