Lead Penetration Test Engineer

Job in Houston, Harris County, Texas, 77246, USA
Listing for: S&P Global
Full Time, Part Time position
Listed on 2026-06-03
Job specializations:
  • IT/Tech
    Cybersecurity, Data Security, Security Manager, Systems Engineer
Salary/Wage Range or Industry Benchmark: 135,000 - 200,000 USD yearly
Job Description & How to Apply Below

Lead Penetration Test Engineer

Hybrid 2 days per week onsite at one of the following US sites:
Boston, MA;
Chicago, IL;
Dallas, TX;
Houston, TX;
Englewood, CO;
Raleigh, NC;
Princeton, NJ;
New York, NY;
Southfield, MI;
Washington, DC. Canada sites:
Toronto, ON;
Calgary, AB.

The S&P Ratings Security team focuses on protecting our clients and users from modern security threats. Our mission is to safeguard systems and data by developing innovative solutions to the industry’s most complex security challenges.

Responsibilities and Impact

We are seeking a Lead Penetration Test Engineer with extensive experience in penetration testing and offensive security. The ideal candidate will conduct penetration tests, re-testing, vulnerability scanning, and threat assessments across diverse environments. This role requires strong offensive security skills combined with cloud and application security expertise to identify vulnerabilities and develop effective mitigation strategies.

Penetration Testing & Vulnerability Assessments
  • Conduct comprehensive penetration testing of web applications, infrastructure, and cloud environments using both manual and automated techniques.
  • Develop custom scripts, tools, and methodologies to enhance penetration testing capabilities and automate security testing within CI/CD pipelines.
  • Apply cloud‑specific offensive techniques, including IAM abuse, container and serverless exploitation, and cloud misconfiguration testing.
Vulnerability Management & Remediation
  • Collaborate with engineering and development teams to analyze vulnerabilities, develop remediation plans, and strengthen application security across development and production life cycles.
  • Perform detailed security assessments using DAST, SAST, and SCA tools to ensure continuous validation and improvement of security controls.
Attack Simulations & Research
  • Lead and participate in attack simulations and tabletop exercises to validate security controls and improve organizational response capabilities.
  • Research emerging threats, attack vectors, and adversarial techniques to inform offensive and defensive strategies.
  • Partner with internal teams to design and execute threat assessments based on intelligence feeds and threat actor analysis.
Security Communication & Reporting
  • Communicate and present penetration testing and security assessment findings to both technical and non‑technical stakeholders.
  • Provide actionable remediation guidance and risk mitigation strategies to strengthen the organization’s overall security posture.
What We’re Looking For

Basic Required Qualifications
  • Bachelor’s degree in Computer Science, Information Systems, or a related field, or equivalent experience.
  • Minimum 8 years of experience in information security with a strong focus on penetration testing, application security, and vulnerability management.
  • Hands‑on experience with penetration testing tools (e.g., Burp Suite, Nessus, Metasploit, Nmap) and methodologies (e.g., OWASP Top 10, MITRE ATT&CK, PTES).
  • Expertise in identifying and exploiting common infrastructure and web application vulnerabilities (e.g., XSS, SQL Injection, IDOR).
  • Familiarity with vulnerability classification and scoring frameworks (CVE, CVSS, CWE).
  • Strong scripting or programming skills (e.g., Bash, Python, Go, PowerShell, JavaScript).
  • Experience performing security assessments (DAST, SAST, SCA, credential scanning) and integrating security testing into CI/CD pipelines.
  • Ability to translate complex technical findings into clear, actionable reports and confidently brief cross‑functional teams and executives.
  • At least one recognized offensive security certification (OSCP, OSCE3, OSEP, GXPN, GPEN, or CREST CRT/CCT).
Preferred Qualifications
  • Experience with cloud security across AWS, Azure, or GCP.
  • Knowledge of AI/ML security and adversarial testing methods, including evaluating LLMs and other models for manipulation, evasion, and data integrity risks.
  • Demonstrated involvement in the infosec community (e.g., open‑source projects, bug bounties, CVE research, conference talks, or security publications).
  • Experience applying the MITRE ATT&CK Framework to offensive security operations and threat emulation.
  • Familiarity…