Job Descriptions

You may search job titles by skills within selected job category

Penetration Tester

PROTECT & DEFEND

Skills

Job Description

Other Titles Include

  • Security Testing and Evaluation Specialist
  • Advanced vulnerability assessment analyst

Note: This role is most commonly found in large or medium-sized organizations.

Reporting relationship

To be completed by the user of this job description as appropriate.

Job purpose / summary

Conducts formal, controlled tests and physical security assessments on web-based applications, networks, and other systems as required to identify and exploit security vulnerabilities.

Duties and responsibilities

  • Complete penetration tests on web-based applications, network connections, and computer systems to identify cyber threats and technical vulnerabilities
  • Conduct physical security assessments of an organization’s network, devices, servers, and systems
  • Develop penetration tests and the tools needed to execute them (e.g. standards, risks, mitigations)
  • Investigate for unknown security vulnerabilities and weaknesses in web applications, networks, and relevant systems that cyber actors can easily exploit
  • Develop and maintain documents on the results of executed pen testing activities
  • Employ social engineering to uncover security gaps
  • Define and review requirements for information security solutions
  • Analyze, document, and discuss security findings with management and technical staff
  • Provide recommendations and guidelines on how to improve upon an organization’s security practices
  • Develop, deliver, and oversee training material and educational efforts

Tools and Technology

  • Organizational security policies, procedures and practices
  • Organizational systems maps and network architecture
  • VA tools
  • Vulnerability management policies, processes and practices
  • Common vulnerability databases
  • Penetration testing tools and protocols

Competencies

KSAs applied at an advanced level:

  • Network security architecture
  • Advanced threat actor tools, techniques and protocols
  • Penetration testing principles, tools, and techniques
  • Risk management processes for assessing and mitigating risks
  • System administration concepts
  • Cryptography and cryptographic key management concepts
  • Cryptology
  • Identifying security issues based on the analysis of vulnerability and configuration data
  • Vulnerability management policies, processes and practices
  • Penetration test planning and scheduling including system risks and mitigations
  • System and application security threats and vulnerabilities
  • System administration, network, and operating system hardening techniques
  • Packet analysis using appropriate tools
  • Conducting vulnerability scans and recognizing vulnerabilities in security systems
  • Conducting vulnerability/impact/risk assessments
  • Reviewing system logs to identify evidence of past intrusions
  • Using network analysis tools to identify vulnerabilities

Direct reports (if appropriate)

To be completed by the user of this job description as appropriate

Qualifications

Education.

Post-secondary education (degree or diploma in related computer science or IT field) or equivalent training and experience.

Certifications.

To be completed by the user of this job description as appropriate

Other relevant qualifications.

To be completed by the user of this job description as appropriate

Key Attributes.

To be completed by the user of this job description as appropriate

Experience. 2-3 years experience in an advanced cybersecurity operations role, preferably with VA experience.

This is often a tier 2 / 3 position within a cybersecurity operations environment that is normally preceded by significant experience (3-5 years) in a cybersecurity operations role including employment within Vulnerability Analysis, Malware Analysis or Technical Analysis of security systems. This is an advanced technical role, which can lead to increasing technical specialization, red team leadership or management roles.

Training in vulnerability analysis and penetration testing tools, techniques and procedures.

Working conditions (if required)

If the job requires a person to work in special working conditions this should be stated in the job description. Special working conditions cover a range of circumstances from regular evening and weekend work, shift work, working outdoors, working with challenging clients, and so forth.

Physical requirements (if appropriate)

If the job is physically demanding, this should be stated in the job description. A physically demanding job is one where the incumbent is required to stand for extended periods of time, lift heavy objects on a regular basis, do repetitive tasks with few breaks, and so forth.