Security Analyst, Security Testing

Payments Canada is at the forefront of the Canadian payment ecosystem and works to make payments easier, smarter, and safer for all Canadians. In 2024 alone, our systems cleared approximately $107 trillion—$424 billion each business day—ensuring that financial transactions across Canada are carried out safely and securely.

We are a public‑purpose, non‑profit organization situated at the centre of Canada’s payment ecosystem. We own and operate payment systems that process hundreds of billions of dollars’ worth of transactions each business day. We convene ecosystem participants to discuss diverse interests, navigate industry‑level challenges, and adhere to a set of core values: inspire trust, build community, and enable change.

We foster authenticity, collaboration, innovation, and development. We empower one another, make meaningful contributions that impact our organization and the country, and nurture meaningful connections that drive innovation throughout the ecosystem.

Reporting to the Director of the Security Program, the Senior Analyst, Security Testing will manage and execute our Security Testing Program. The role is offensive security focused, proactively identifying vulnerabilities and ensuring the resilience of Payments Canada’s critical financial systems. The analyst acts as an “ethical hacker” and simulation coordinator, pressing the organization’s infrastructure, applications, and emerging technologies before real threat actors can exploit them.

• Design and execute a layered testing approach for the Security Operations Team, including tabletop exercises, scenario‑based testing, Red Team, Blue Team, and Purple Team exercises to evaluate and improve detection, response, and recovery capabilities.
• Develop and execute industry‑wide annual exercises through the Resilience of Wholesale Payments Systems (RWPS) program to test industry response to cyber‑attacks.
• Manage annual, holistic penetration tests against Payments Canada infrastructure.
• Conduct discreet internal Red Team/Blue Team testing across all corporate and payment system environments in coordination with relevant stakeholders.

• Validate the effectiveness of security operational controls at individual and team levels.
• Engage with other business leaders and industry partners as a Security Subject Matter Expert for planned external exercises.
• Maintain a strong grasp of security strategy and expertise, communicating recommendations compellingly to all audiences, including technical staff, middle management, and partners.

• Post‑secondary education or equivalent experience in computer science, information technology, or related fields.
• Minimum five (5) years of experience in a combination of information systems and information security roles.
• Minimum of three (3) years of experience in:
• Conducting penetration tests.
• Vulnerability testing and vulnerability management.
• Minimum one (1) year of experience testing AI/ML applications or working with adversarial AI frameworks (e.g., MITRE ATLAS).
• Ability to identify cyber threats and trends, applying security knowledge to strengthen defenses across protective, detective, and compensating controls.
• Experience employing offensive cyber techniques.
• Knowledge of exercise design and execution with a focus on Red, Blue, and Purple Team exercises.
• Deep understanding of the OWASP Top 10 for LLMs and the MITRE ATLAS framework.
• In‑depth knowledge of various testing methodologies (e.g., OWASP Web & Mobile, CREST).
• Eligibility to obtain and maintain a Government of Canada Reliability Clearance, including successful completion of enhanced background checks.

• Knowledge of and experience in intelligence tradecraft, international threats impacting the financial sector.
• At least one of the following industry certifications: CPTS, OSCP, GXPN, or equivalent.
• Knowledge of the Canadian financial services or payments industry.
• Bilingualism (English and French).

Based on qualifications and experience:…