Senior Penetration Tester Job Arlington Virginia USA,IT/Tech

Senior Penetration Tester

Job Description

Overview

CoStar Group (NASDAQ: CSGP) is a leading global provider of commercial and residential real estate information, analytics, and online marketplaces. Included in the S&P 500 Index and the NASDAQ 100, CoStar Group is on a mission to digitize the world's real estate, empowering all people to discover properties, insights and connections that improve their businesses and lives.

We have been living and breathing the world of real estate information and online marketplaces for over 35 years. This extensive experience gives us the perspective to create truly unique and valuable offerings to our customers. We've continually refined, transformed, and perfected our approach to our business. Creating a language that has become standard in our industry, for our customers, and even our competitors.

We continue that effort today and are always working to improve and drive innovation. This is how we deliver for our customers, our employees, and investors. By equipping the brightest minds with the best resources available, we provide an invaluable edge in real estate.

Evolve our security pentesting capabilities to test our internal and external facing processes, infrastructure, and applications. This position will be tasked with developing test plans to validate identified vulnerabilities and demonstrate the exploitation of the vulnerabilities. The ability to explain the exploit to senior level management is key to success in this role. Stay current with trends, techniques, and tools used by adversaries.

This position is located in Arlington, VA and is in office Monday through Thursday with work from home on Friday.

Responsibilities

* Lead penetration tests on web applications and underlying infrastructure for vulnerabilities using both manual and automated techniques.

* Develop test plans that validate identified vulnerabilities and demonstrate exploitability to engineering teams, security peers, and senior leadership.

* Collaborate with detection engineering and incident response on purple team exercises, validating that preventative and detective controls behave as expected against realistic adversary techniques.

* Grow the team's pentesting capabilities in infrastructure and cloud-native domains, including CI/CD pipelines, Active Directory, AWS, and Kubernetes.

* Recommend remediations that address root causes, including code changes, architectural improvements, and control adjustments.

* Stay current with attacker tradecraft. Share knowledge with the broader security team and mentor engineers on offensive techniques and how to think like an attacker.

Basic Qualifications

* Bachelor's Degree required from an accredited, not for profit, in person university or college (preferably in Computer Science, Cybersecurity, or related field).

* A track record of commitment to prior employers.

* 6 years of total experience in a technical role such as security, software development, or systems engineering, with at least 3 years focused on penetration testing or offensive security.

* Demonstrated experience with web application and API penetration testing, including identifying and exploiting attack chains across complex application logic, authentication, and authorization flows.

* Experience writing reports that clearly demonstrate vulnerability risk, business impact, and remediation paths to developers and senior leadership.

* Ability to perform secure code review and identify vulnerabilities in source code, including authentication, authorization, injection, and business logic flaws.

* Scripting and programming proficiency in Python, Power Shell, or similar, with the ability to read and understand application code in languages like C#, Java, JavaScript, or Go.

* Understanding of defense-in-depth principles and ability to recommend layered mitigations beyond fixing individual findings.

* Security certifications such as OSCP, OSWE, OSEP, GPEN, GXPN, or similar.

Preferred Qualifications and Skills

* In-depth experience with offensive security tools such as Burp Suite, OWASP ZAP, Nmap, Bloodhound, and Metasploit.

* Familiarity with Active Directory exploitation tools and techniques.

* Familiarity with C2 frameworks such as Cobalt Strike, Sliver, or Mythic.

* Experience planning and executing red team and purple team scenarios.

* Experience with adversary emulation methodologies and frameworks (MITRE ATT&CK).

* Experience testing modern applications in cloud-native tech stacks.

* Experience with mobile application penetration testing.

* Familiarity with AI and LLM security testing, including prompt injection, indirect prompt injection, agentic system risks, and MCP server assessment.

* Hands-on experience implementing security tools into CI/CD pipelines.

* Working knowledge of network, system, and database administration concepts as they relate to attack surface analysis.

* Strong communication skills with both technical teams and senior leadership, particularly translating technical exploits into business risk.

*…