Penetration Testing
Listed on 2026-07-08
-
IT/Tech
Cybersecurity
Overview
Job Title: Manager, Penetration Testing (Offensive Security Lead)
Location: Hybrid – Princeton, NJ | Clifton, NJ | Berwyn, PA | Austin, TX | Boston, MA | Quincy, MA
Salary Range: $185,000 - $195,000 + Performance Bonus
Department: Threat Intelligence & Assurance
Role SummaryWe is seeking a highly technical Manager to lead our internal Penetration Testing Team. Reporting to senior leadership within the Threat Intelligence and Assurance function, this role is a hybrid of technical leadership and program ownership
. You will be responsible for building, mentoring, and maturing a team of elite testers tasked with securing one of the world's most complex financial infrastructures.
This is not a "check-the-box" compliance role. We require an engineering-driven approach to offensive security. You will establish rigorous, evidence-based testing standards across applications, networks, APIs, and multi-cloud environments. Your leadership will ensure that testing outputs are regulator-ready, actionable, and directly translate into measurable risk reduction for the enterprise.
What You Will Be Responsible For Team Leadership & Mentorship- Lead, mentor, and develop a team of penetration testers, fostering deep technical expertise and continuous skill development.
- Cultivate a "Purple Team" mindset, ensuring testers collaborate effectively with defenders to improve detection and response capabilities.
- Manage resource allocation, capacity planning, and professional development roadmaps to retain top-tier talent.
- Own the lifecycle of the penetration testing program, including methodologies (e.g., OWASP, PTES, MITRE ATT&CK), tooling selection, QA practices, and reporting standards.
- Establish and enforce engineering-centric testing standards to ensure consistency, reproducibility, and depth across internal and 3rd-party assessments.
- Develop a risk-based prioritization model to ensure testing focuses on critical assets and emerging threat vectors.
- Drive delivery of high-quality, hands-on testing across diverse landscapes:
- External/Internal Network:
Bypassing firewalls, routers, switches, and segmentation controls. - Web Applications & APIs:
Deep-dive assessments of RESTful, GraphQL, and SOAP APIs. - Cloud Platforms:
Complex attack path identification in AWS, Azure, and GCP (IaaS, PaaS, SaaS). - Serve as the technical escalation point, assisting the team with complex exploitation chains, privilege escalation, and lateral movement techniques.
- Oversee and coordinate testing performed by external providers, including scoping, technical validation of results, and ensuring adherence to State Street’s quality standards.
- Ensure outputs are "Audit-Ready":
Clear documentation, evidence-based findings, and reports that tie technical vulnerabilities to business impact and regulatory risk (e.g., FedRAMP, GLBA, NYDFS). - Partner with engineering, infrastructure, and architecture teams to drive effective remediation, validate fixes, and improve secure design/development practices.
- Spearhead the integration of emerging technologies into the program, specifically focusing on AI/LLM security. This includes testing enterprise AI deployments for prompt injection, model abuse, data leakage, and insecure output handling.
- Evaluate and integrate AI-assisted tools to automate reconnaissance, fuzzing, and vulnerability validation to increase team throughput.
- Track, analyze, and communicate program KPIs (e.g., Mean Time to Remediate, vulnerability recurrence rates, coverage percentage) to senior leadership, translating technical jargon into clear business risk posture.
- Leadership via Influence:
Ability to lead without explicit authority; building high-trust teams and developing future leaders. - Risk-Based Decision Making:
Prioritizing what matters most in a highly regulated, complex environment. - Strategic Perspective:
Connecting a technical finding (e.g., a buffer overflow) to enterprise risk outcomes (e.g., data breach impact). - Executive Communication:
Ability to…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).