Security Assurance Analyst III

Expected Contributions 

• Contributes to team, department, and/or business results by performing complex quantitative and qualitative analysis for business processes and/or projects. Often manages small projects, business processes or parts of larger ones. 

• Responds to, solves, and makes decisions on more complex/non-routine business requests with limited to moderate risk. 

• Performs more complex quantitative and qualitative analysis for business processes and/or projects. Often manages small projects, business processes or parts of larger ones.  

• Responds to, solves, and makes decisions on more complex/non-routine business requests with limited to moderate risk.  

• Assists more senior associates in achieving business results by: 

• identifying opportunities to enhance the effectiveness of business processes. 

• participating in setting department operating plans. 

• achieving results against budget within scope of responsibility. 

• Demonstrates an awareness of personal strengths and areas for improvement and acts independently to improve and increase skills and knowledge. 

Specific Expected Contributions 

• Conducts thorough penetration testing of infrastructure, web applications, APIs, and cloud environments to identify vulnerabilities and potential attack vectors. 

• Collaborates with application development teams to implement security testing practices early in the software development lifecycle (SDLC), ensuring secure code and configurations. 

• Reviews application development processes to ensure secure coding practices are followed, identifying vulnerabilities in the development, staging, and production environments. 

• Leads red team exercises simulating advanced persistent threats (APTs) to assess the organization’s security resilience in real-world attack scenarios. 

• Collaborates closely with blue team members to provide feedback on detection and response efforts and support the development of effective defenses. 

• Maps offensive security test results to the MITRE ATT&CK framework to ensure comprehensive understanding of adversary tactics, techniques, and procedures (TTPs). 

• Executes vulnerability assessments and perform threat simulations to evaluate the effectiveness of security controls in place. 

• Conducts vulnerability validation, including verifying the exploitability of identified vulnerabilities and conducting follow-up testing to confirm remediation. 

• Leads and mentor junior security analysts, providing guidance on offensive security techniques and tools. 

• Develops and refines testing methodologies, including custom attack scenarios to improve the organization’s testing capabilities. 

• Collaborates with IT, security engineering, and development teams to ensure vulnerabilities are prioritized and remediated effectively. 

• Documents and communicates findings, providing clear, actionable recommendations to improve security across technology platforms. 

• Stays up to date with emerging threats and vulnerability trends, continuously improving security testing practices and capabilities. 

Candidate Profile 

Successful candidates should possess knowledge, experience, and demonstrate leadership skills as follows: 

Generally, a professional position with specific knowledge in a discipline (e.g., Accounting, Human Resources, Information Resources). College degree and/or relevant experience typically required. 

Specific Candidate Profile 

Education 

• Bachelor’s degree in computer science, Information Security, or a related field. Equivalent work experience may be considered in lieu of a degree. 

Certifications Preferred 

• Offensive Security Certified Professional (OSCP) 

• Certified Ethical Hacker (CEH) 

• GIAC Penetration Tester (GPEN) 

• Offensive Security Web Expert (OSWE) 

• Certified Secure Software Lifecycle Professional (CSSLP) 

• GIAC Web Application Penetration Tester (GWAPT) 

Experience 

• At least 4 years of experience in offensive security roles, including penetration testing, red teaming, and application security testing. 

• Hands-on experience with penetration testing tools (e.g., Burp Suite, Metasploit, Kali Linux, Cobalt Strike) and custom scripting for security testing. 

• Proven expertise in identifying and exploiting vulnerabilities in applications, including web applications, mobile apps, APIs, and cloud platforms. 

• Experience working with modern development practices, including DevSecOps, CI/CD pipelines, and integrating security testing into the software development lifecycle (SDLC). 

• Deep knowledge of application security testing methods, including static analysis, dynamic analysis, and fuzzing. 

• Familiarity with security practices such as Secure Development Lifecycle (SDL), Secure Code Reviews, and application security code scanning. 

• Experience with cloud platforms (AWS, Azure, GCP) and container security (e.g., Docker, Kubernetes). 

• Ability to map attack scenarios to the MITRE ATT&CK framework and provide insights for improving security defenses. 

Skills/Attributes 

• Advanced Penetration Testing Skills: Deep knowledge of testing web and mobile applications, APIs, and cloud services for vulnerabilities, with strong experience exploiting weaknesses to simulate real-world attacks. 

• Application Security Expertise: Extensive experience with application security practices, secure code reviews, and vulnerability scanning tools. 

• Secure Development Knowledge: Strong understanding of application development methodologies (e.g., Agile, DevOps) and experience incorporating security into development processes and pipelines. 

• Red Team Expertise: Ability to simulate sophisticated attack techniques and scenarios, providing insight into potential attack paths and evaluating the organization’s defenses. 

• Cloud Security Knowledge: Solid understanding of cloud security best practices, including securing cloud environments (AWS, Azure) and containerized applications (Docker, Kubernetes). 

• Vulnerability Management & Exploitability: Expertise in validating vulnerabilities, assessing their risk, and verifying exploitability across a wide range of systems. 

• Incident Response Collaboration: Ability to work with incident response teams to translate offensive testing results into actionable intelligence for defensive improvements. 

• Strong Documentation and Reporting Skills: Ability to document testing methodologies, findings, and recommendations clearly and concisely, and communicate technical issues to both technical and non-technical stakeholders. 

• Mentorship & Leadership: Ability to lead and mentor junior security team members, promoting a culture of continuous improvement in offensive security practices. 

• Problem-Solving & Analytical Thinking: Strong problem-solving skills, with the ability to think like an attacker to uncover vulnerabilities and develop strategies for exploitation and risk mitigation.