Security / Penetration Testing Engineer - London
The role will be part of our Quality Engineering & Assurance (QE&A) Practice. With more than 650 clients across industry verticals and a global footprint, the Cognizant QE&A practice is a recognized thought leader in quality engineering and assurance. As enterprises simplify, modernize and secure their legacy environments for the digital era, robust quality engineering and assurance is essential. Quality takes on an end-to-end connotation and must straddle both legacy and digital systems. Cognizant QE&A is reimagining QE&A, employing an end-to-end ecosystem approach with intelligent and automated QA processes. In so doing, it increases quality and speed to promote faster business and technology change, as well as a better customer experience.
Key Responsibilities:
- Gather security requirements and define penetration testing scope by reviewing design and interface documents.
- Prepare detailed test plans, scenarios, and rules of engagement aligned with CREST and OWASP standards.
- Conduct API penetration testing (REST, GraphQL, SOAP) focusing on authentication, authorization, and business logic flaws.
- Perform UI/Web application penetration testing for vulnerabilities such as XSS, CSRF, SQL Injection, and session management issues.
- Identify and document security issues with clear reproduction steps, evidence, and remediation recommendations.
- Raise defects in tracking tools and collaborate with development teams for timely resolution.
- Provide regular status updates to stakeholders and escalate risks or challenges proactively.
- Prepare comprehensive test reports including executive summaries, technical details, and risk ratings (CVSS).
- Support re-testing after fixes and validate remediation effectiveness.
- Ensure compliance with industry standards (OWASP ASVS, API Top 10, ISO 27001, PCI-DSS).
- Recommend security best practices and contribute to continuous improvement of testing methodologies.
- Maintain strong documentation and communication throughout the engagement lifecycle.
Required Skills & Certifications:
- CREST certification (CRT/CPT/CPSA or equivalent) is a must.
- Penetration Testing Expertise – Strong hands-on experience in API and UI/Web application penetration testing.
- Security Standards Knowledge – OWASP Top 10, OWASP API Top 10, ASVS, CVSS scoring, and CREST methodologies.
- Tools Proficiency – Burp Suite Pro, OWASP ZAP, Postman, SoapUI, Nmap, Metasploit, SQLMap, jwt-tool, Kali Linux toolset.
- API Security – REST/GraphQL/SOAP testing, OAuth2/OIDC, JWT handling, rate limiting, and authorization flaws (BOLA/BFLA).
- Web Application Security – XSS, CSRF, SQL Injection, Clickjacking, session management, CSP/CORS issues.
- Documentation & Reporting – Ability to create detailed test plans, risk logs, and clear vulnerability reports.
- Compliance Awareness – Familiarity with ISO 27001, PCI-DSS, NIST guidelines.