Offensive Security Engineer; Application Security

Job Summary

Full Time | Bachelor's | 5+ years experience | 3+ Locations

We are seeking an Offensive Security Engineer (Application Security) to perform offensive security testing of our web applications and services. This role focuses primarily on identifying vulnerabilities in modern web applications, APIs, and cloud services through manual testing, automated tooling, and custom scripts. The ideal candidate is highly technical, comfortable with security tools and code, and stays current with modern attack techniques and emerging vulnerability classes.

This position will work closely with the Application Security team and engineering teams to identify, validate, and help remediate security vulnerabilities before they can be exploited.

• Perform manual penetration testing of (web) applications and APIs
• Conduct authenticated and unauthenticated testing of internal and external systems
• Identify vulnerabilities such as:

• Broken access control / IDOR
• Business logic flaws
• Misconfigurations

• Use security tools and frameworks including scanners, proxies, and custom scripts
• Validate vulnerabilities identified through automated scanners
• Stay up to date with new attack techniques and emerging vulnerability classes
• Produce clear vulnerability reports including:

• Technical impact
• Proof of concept

• Work with engineering teams to validate and retest fixes
• Perform other duties and responsibilities as assigned to support team, department, and organizational goals.

• Experience with bug bounty or vulnerability research
• Familiarity with CI/CD and Dev Sec Ops  testing pipelines
• Exposure to cloud environments (AWS / Azure)
• Knowledge of modern frameworks and architectures (microservices, APIs, Graph
  
  QL)

• Bachelor's degree in Computer Science, Information Systems, Engineering, a related field, or equivalent work experience.
• 4-6 years work experience of penetration testing or application security experience
• Solid foundational knowledge of web application security
• Experience with manual penetration testing
• Familiarity with tools such as:
  Burp Suite, Nuclei, Nmap, ffuf / dirsearch, sqlmap etc.
• Understanding of common vulnerability classes OWASP Top 10, SAML / OAuth, authentication / session flaws, access control vulnerabilities, API security issues
• Basic scripting to support test automation
• eJPT, CompTIA Pen Test+, or actively pursuing OSCP
• Strong analytical and troubleshooting skills

This job description may evolve over time. ISA Consulting is dedicated to diversity and inclusion, ensuring a fair workplace for all, regardless of race, color, religion, gender, national origin, age, disability, or any other protected status. (RV)