
Security Analyst- Pen Testing

The Security Analyst- Pen Testing plays a critical role in facilitating continued growth and execution within our security practice. This highly skilled and detail-oriented Consultant will have deep knowledge in Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and Hardware Penetration Testing. The ideal candidate will be responsible for identifying vulnerabilities across software and hardware systems, advising on remediation strategies, and communicating findings clearly to both technical and non-technical stakeholders.

Primary Responsibilities:

  • Conduct in-depth SAST, DAST, and SCA assessments across a variety of application types (web, mobile, desktop, APIs).
  • Perform hardware penetration testing on embedded systems, IoT devices, and industrial control systems (ICS), including debug interface discovery, firmware extraction and analysis, and secure boot review.
  • Develop and maintain threat models, attack trees, and risk assessments for both software and hardware systems.
  • Identify and exploit vulnerabilities using both manual techniques and automated tools, simulating real-world attack scenarios.
  • Provide detailed technical reports and executive summaries tailored to different audiences, including developers, engineers, and leadership.
  • Collaborate with product and engineering teams to prioritize and remediate vulnerabilities, offering secure design and coding recommendations.
  • Participate in security architecture reviews and code reviews to identify potential weaknesses early in the development lifecycle.
  • Assist in the development and implementation of security testing methodologies, checklists, and standard operating procedures.
  • Conduct security tool evaluations and help integrate them into CI/CD pipelines for continuous security testing.
  • Lead or support red team/blue team exercises, tabletop simulations, and incident response drills.
  • Stay abreast of the latest security trends, vulnerabilities, and threat actor tactics, techniques, and procedures (TTPs).
  • Contribute to internal knowledge bases, training sessions, and technical workshops to upskill team members and clients.
  • Engage with clients to understand their security needs, define testing scopes, and deliver high-quality consulting services.
  • Ensure all testing activities comply with legal, ethical, and organizational guidelines, including responsible disclosure practices.
  • Develop and present organized report findings to technical audiences. 

Professional Qualifications Sought:

  • Bachelor’s degree in computer science, cybersecurity, or another related field desired, or significant aligned experience.
  • More than three years of overall experience working in a Pen Tester role in diverse technical hardware and software environments.
  • Certifications such as: Certified Ethical Hacker (CEH), Certified Hardware Security Professional (CHSP), Certified Mobile and Web Application Penetration Tester (CMWAPT), Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP) or other generally accepted security certifications, are a plus. 
  • Present openness to new ideas, approaches, and technologies to address core business needs and align to risk tolerance.
  • Exhibit good time management and presentation skills in virtual and face-to-face environments.
  • Consistently exhibit strong oral and written communication skills and the ability to present to groups of varying sizes and audiences in ad-hoc and prepared situations.

Technical Qualifications Sought:  

  • Three years of experience independently conducting in-depth SAST and DAST assessments across web, mobile, desktop, and API-based applications using tools such as Burp Suite, Zed Attack Proxy (ZAP) and Nessus. 
  • Referenceable history performing hardware penetration testing on embedded systems and IoT devices, including firmware extraction, reverse engineering, and analysis utilizing tools like Binwalk and Ghidra.
  • Experience analyzing Android and iOS mobile application runtimes using both physical devices and emulators.
  • Hands-on experience developing and maintaining threat models, attack trees, and risk assessments for both software and hardware systems.
  • Knowledgeable in identifying and exploiting vulnerabilities using both manual techniques and automated tools, simulating real-world attack scenarios.
  • History of contributing to the development of detailed technical reports and executive summaries tailored to different audiences, including developers and engineers.
  • Experience collaborating with product and engineering teams to prioritize and remediate vulnerabilities, offering secure design and coding recommendations.
  • Successful implementation of security testing methodologies, checklists, and standard operating procedures.
  • Conduct security tool evaluations on CI/CD pipelines and cloud infrastructure for continuous security testing.
  • Stay abreast of the latest security trends, vulnerabilities, and threat actor tactics, techniques, and procedures (TTPs).
  • Contribute to internal knowledge bases, training sessions, and technical workshops to upskill team members and clients.
  • Engage with clients to understand their security needs, define testing scopes, and deliver high-quality consulting services.
  • Ensure all testing activities comply with legal, ethical, and organizational guidelines, including responsible disclosure practices.  

Travel

  • Must be available to travel four to six times per year, with no more than 24 days away from home in a calendar year.   

Employment locations: Although this is a remote position, we are only open to employment of individuals with their legal residence in the following states: Wisconsin, Illinois, Ohio, Michigan, Indiana, South Dakota, Iowa, Arkansas, North Carolina, Arizona and Florida.

 

  • Health Care Plan (Medical, Dental & Vision)
  • Retirement Plan (401k, IRA)
  • Life Insurance (Basic, Voluntary & AD&D)
  • Paid Time Off (Vacation, Sick & Public Holidays)
  • Family Leave (Maternity, Paternity)
  • Long Term Disability
  • Training & Development
  • Work From Home
  • Work life balance
  • Great Culture

Average salary estimate

$95000 / YEARLY (est.)
min: $70000K
max: $120000K

If an employer mentions a salary or salary range on their job, we display it as an "Employer Estimate". If a job has no salary data, Rise displays an estimate if available.

Employment type: Full-time, remote

Date posted: July 29, 2025