Penetration Tester/PenTester

Role: Penetration tester/Pen tester

Location: London, UK (Hybrid)

Inside IR35

Contract (6months +)

The Role

Performs manual and automated penetration tests on networks, systems, web applications, and endpoints. Identifies, exploits, and documents security vulnerabilities to assess an organization's risk exposure. Develops detailed reports with findings, impact analysis, and actionable remediation re commendations. Simulates real-world attacks to test the effectiveness of existing security controls and incident response. Keeps up to date with the latest vulnerabilities, exploit techniques and penetration testing tools in general and more specific to an airline industry, transportation sector.

Your responsibilities:
Performing IaC Automation and ServiceNow integrations to automate AWS Service catalogues.
Planning and conducting the full-scope penetration tests of applications, APIs, internal infrastructure, networks, cloud environments
Perform internal/external network testing, AD enumeration and abuse, privilege escalation
Identifying potential weaknesses in systems, networks, and applications through various methods, including automated scanning and manual analysis.
Employing the techniques and tools that malicious hackers might use to test the resilience of systems and identify vulnerabilities.
Identify flaws such as insecure authentication, authorization bypass, input validation issues, cloud misconfigurations, AD misuses, etc.
Create detailed reports, providing actionable advice to clients on how to address the identified vulnerabilities and improve their security posture; outlining identified vulnerabilities, their potential impact, and recommended remediation steps: including executive summaries and technical findings
Collaborate with development, cloud, and infrastructure teams on remediation
Test and review cloud security (AWS/Azure/GCP): IAM, storage, networking, etc.

Your Profile
Essential skills/knowledge/experience:
Strong application security background (OWASP Top 10, API security)
3-7+ years in penetration testing, red teaming, or offensive security
Proven experience conducting end-to-end pentests (internal, external, cloud, AD, web app, API)
Familiarity with common pentest reporting formats (CVSS, MITRE ATT&CK mapping)
Experience working in both waterfall and agile environments
Comfort with NDA-restricted, compliance-driven, or sensitive environments
Strong reporting skills for both technical and executive audiences
Familiarity with cryptographic principles and techniques.
Ability to write scripts (Python, Shell, Bash) for automation and exploit development.
Infrastructure: Windows, Linux, Active Directory, Entra ID/Azure AD, VPNs, VLANs
Cloud Platforms: AWS, Azure, GCP
Security Tools:
o Recon & Infra: Nmap, Nessus, Masscan, Amass, Recon-ng
o Exploitation: Metasploit, ExploitDB, Cobalt Strike, Empire, Mimikatz
o Web App Tools: Burp Suite, ZAP, Nikto, SQLmap
o Cloud Tools: ScoutSuite, CloudSploit, Pacu

Desirable skills/knowledge/experience:
Exceptional Customer engagement and reporting skills.
Exceptional analytical, problem-solving, and troubleshooting abilities.
Proven use of modern security tooling in real-world projects
Experience in agile delivery teams and cross-functional collaboration
Comfortable documenting technical findings and engaging in remediation cycles

Nice to Have Certifications (not mandatory):
o OSCP, OSWA, OSEP, OSCE, CRTP, CRTE, GPEN, GXPN, eCPPT
o AWS or Azure Security certs
o Advanced AD/cloud/red teaming trainings (eg, SANS, HackTheBox Pro Labs)