(M) Security Engineer – Penetration Testing & Agile Integration

Remote
Full Time
Experienced

About the Role

We’re looking for a proactive and hands-on Penetration Tester who goes beyond red teaming and static reporting. In this role, you'll be embedded within our Agile development teams, working side-by-side with developers, architects, and DevOps to identify, exploit, and remediate security weaknesses as part of the development lifecycle.

Instead of a traditional assessment-and-report approach, you’ll shift left, influencing design, architecture, and implementation with security in mind—helping us build secure-by-design products at sprint speed.

You’ll help teams identify security issues early, log findings directly into our Jira system, and assist in building and maintaining threat model documentation that’s central to our SDLC process.

Key Responsibilities

Participate in Agile ceremonies (standups, sprint planning, retros) to ensure security concerns are addressed early.
Perform ongoing penetration testing, code-assisted security reviews, and vulnerability analysis during development sprints.
Collaborate closely with developers to remediate security issues as they arise.
Develop and automate security test cases that integrate into CI/CD pipelines.
Analyze new features and user stories for security risks before they are implemented.
Assist development teams in creating and maintaining threat models as part of the SDLC.
Report vulnerabilities and findings directly in Jira, aligned with sprint workflows.
Promote a security-first culture through collaboration, mentoring, and knowledge sharing.

What We’re Looking For

Hands-on experience in penetration testing, offensive security, or vulnerability research.
Strong understanding of application security (OWASP Top 10, CWE, etc.) and secure SDLC practices.
Experience working in Agile environments (Scrum, Kanban).
Familiarity with Jira or similar ticketing systems.
Experience helping teams build and evolve threat model documents.
Knowledge of DevSecOps principles and CI/CD integration (e.g., GitLab CI, Jenkins, CircleCI).
Proficiency in security testing tools and scripting (e.g., Burp Suite, Metasploit, Nmap).
Ability to read and understand common programming languages (e.g., JavaScript, Python, Java, C#).
Strong communication skills with the ability to translate security concepts for non-security stakeholders.
Certifications like OSCP, OSWE, or equivalent experience are a plus.

Optional / Preferred Capabilities (Automation & Tooling)

Experience integrating automated security tests into CI/CD pipelines.
Familiarity with SAST/DAST tools (e.g., Semgrep, SonarQube, ZAP).
Ability to write scripts or tools to automate vulnerability discovery or exploitation.
Experience with infrastructure-as-code security tools (e.g., Checkov, tfsec).
Experience with container and orchestration security (e.g., Trivy, kube-bench, Falco).
Experience embedding security checks into Git hooks and developer workflows.

Nice to Have

Software development background.
Experience with secure cloud architecture (AWS, Azure, GCP).
Familiarity with Terraform or CloudFormation.
Knowledge of container security best practices (Docker, Kubernetes).