Cybersecurity Penetration Testing Engineer

Title : Cybersecurity Penetration Testing Engineer Application & API Security

Location : Charlotte, NC

Job Summary

We are seeking a Cybersecurity Penetration Testing Engineer specializing in Application and API Security to perform advanced offensive security testing across business-critical systems.

The ideal candidate will have hands-on expertise with Burp Suite Professional , deep knowledge of offensive security methodologies, and the ability to identify, exploit, and communicate vulnerabilities effectively.

You will collaborate closely with development, DevSecOps, and risk teams to embed secure coding practices and support remediation efforts within the Secure SDLC .

Experience Required

5 8 years of total experience in web, mobile, or API penetration testing

Minimum 3+ years of hands-on experience in offensive security testing

Key Responsibilities

1. Penetration Testing & Vulnerability Assessment

Conduct manual and automated penetration tests on web, mobile, and API applications.

Leverage Burp Suite Professional for intercepting, modifying, and exploiting traffic.

Perform source code assisted testing to uncover deep logic flaws.

Simulate real-world attack scenarios aligned with OWASP Top 10, SANS 25, and API Security Top 10 frameworks.

Identify vulnerabilities in authentication, authorization, input validation, and session management.

2. API Security Testing

Perform penetration testing of REST and GraphQL APIs, including JWT / OAuth / token testing.

Validate logic flaws, parameter tampering, and insecure microservice communication.

Utilize tools such as Postman, Burp Suite, and OWASP ZAP for fuzzing and payload injection.

Assess API schema issues, rate limiting, and sensitive data exposure.

3. Offensive Security & Exploitation

Develop and execute proof-of-concept (PoC) exploits to demonstrate impact.

Simulate attacker TTPs following the MITRE ATT&CK and CWE frameworks.

Perform targeted testing for authentication bypass, privilege escalation, and deserialization flaws.

Demonstrate advanced exploitation techniques to enhance vulnerability validation.

4. Reporting & Remediation Support

Produce detailed technical reports with clear risk ratings, reproduction steps, and mitigations.

Collaborate with engineering and DevSecOps teams to support patching and secure code remediation.

Participate in vulnerability triage, retesting, and remediation validation cycles.

Present results to both technical teams and executive stakeholders in clear, actionable terms.

5. Security Process & Continuous Improvement

Integrate testing results into CI / CD pipelines to enable DevSecOps automation .

Contribute to secure coding guidelines and developer training initiatives.

Stay up to date with emerging attack trends, new CVEs, and offensive tools.

Develop internal scripts, extensions, or automation workflows to improve testing efficiency.

Technical Skills

Core Tools & Techniques

Expert-level proficiency in Burp Suite Professional (Intruder, Repeater, Decoder, Extender).

Familiarity with OWASP ZAP, Nmap, Metasploit, SQLmap, DirBuster, Hydra, Ffuf .

Deep understanding of OWASP Top 10 (Web & API) and CWE Top 25 vulnerabilities.

Strong analytical skills to identify logic-based and authentication-related flaws.

Programming & Scripting

Proficient in at least one scripting language : Python, JavaScript, or Bash .

Ability to write custom scripts or Burp extensions for advanced payloads.

Strong understanding of HTTP / HTTPS, REST, GraphQL, JSON, and XML protocols.

Offensive Security

Hands-on experience in vulnerability exploitation, reverse engineering, or red team engagements .

Familiarity with exploit frameworks and C2 tools (e.g., Cobalt Strike, Empire) is a plus.

Ability to emulate APT-style threat actor behavior .

API / Cloud Security (Preferred)

Knowledge of API gateways (Kong, Apigee) and microservices architectures .

Exposure to cloud-native security testing (AWS, Azure, GCP) and container security (Docker / Kubernetes).

Qualifications

Bachelor s or Master s degree in Computer Science, Cybersecurity, or related field

5 8 years of experience in application or API penetration testing

Strong technical writing and presentation skills for diverse audiences

Preferred Certifications

OSCP / OSWE / OSEP (Offensive Security)

Burp Suite Certified Practitioner (BSCP)

eWPTX / eCPPT / CEH (Practical)

GWAPT / GPEN / GCPN