Job Description

Penetration Tester – Lead 

Position: Penetration Tester - Lead
Program: SBA Enterprise Cybersecurity Services (ECS)

Position Summary

The Penetration Tester – Lead supports the Small Business Administration (SBA) Enterprise Cybersecurity Services (ECS) program by leading advanced penetration testing, vulnerability assessment, adversarial simulation, and security validation activities supporting enterprise cybersecurity operations. 
The Penetration Tester – Lead performs expert-level offensive cybersecurity activities including network penetration testing, web application assessments, cloud security testing, wireless testing, red team operations, social engineering support, exploit validation, security control effectiveness testing, and advanced vulnerability analysis. The position provides technical leadership, testing strategy development, remediation validation, and risk-based recommendations to improve SBA’s cybersecurity posture and enterprise resilience.

Essential Duties and Responsibilities

• Lead enterprise penetration testing and vulnerability assessment activities supporting SBA ECS cybersecurity initiatives.
• Support Task Areas 3.5.4 and 3.5.4.7 by conducting advanced offensive security testing against enterprise systems, applications, cloud environments, networks, and security architectures.
• Plan, coordinate, and execute internal and external penetration testing engagements in accordance with federal cybersecurity standards and approved Rules of Engagement (ROE).
• Conduct application security testing against web applications, APIs, mobile applications, and cloud-hosted systems.
• Perform network penetration testing, exploitation, lateral movement analysis, privilege escalation testing, and post-exploitation activities.
• Execute adversarial emulation and red team exercises to evaluate security controls, monitoring capabilities, and incident response effectiveness.
• Conduct vulnerability validation, exploit research, attack-path analysis, and risk prioritization activities.
• Assess cloud security controls and configurations across Microsoft Azure, AWS, Microsoft 365, SaaS, and hybrid cloud environments.
• Perform wireless security testing, password auditing, authentication testing, and identity management assessments.
• Support phishing assessments, social engineering testing, and security awareness validation activities where authorized.
• Develop detailed technical penetration testing reports, executive summaries, remediation guidance, and risk assessment documentation.
• Provide technical recommendations for remediation of identified vulnerabilities, misconfigurations, and security gaps.
• Validate remediation efforts and conduct follow-up testing to confirm resolution of identified findings.
• Support development and refinement of penetration testing methodologies, procedures, testing standards, and operational playbooks.
• Coordinate with security engineers, SOC analysts, ISSOs, system administrators, cloud engineers, and program managers during testing activities.
• Assist with security architecture reviews, threat modeling, and attack surface analysis activities.
• Use automated and manual testing techniques to identify vulnerabilities and validate exploitability.
• Operate and maintain penetration testing toolsets, attack frameworks, vulnerability scanners, and security testing platforms.
• Support compliance and assessment activities aligned with NIST RMF, NIST SP 800-53, FISMA, FedRAMP, and Zero Trust Architecture requirements.
• Provide technical leadership and mentorship to junior penetration testers and cybersecurity analysts.
• Participate in incident response support, forensic investigations, and threat hunting activities as required.
• Support DevSecOps and secure software development initiatives through application security testing and code review support.
• Ensure all testing activities comply with federal security policies, legal requirements, approved authorizations, and ethical hacking standards.

Minimum Qualifications

• Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, Engineering, Information Systems, or related discipline. Relevant experience may substitute for degree requirements.
• Minimum of 10 years of experience supporting penetration testing, vulnerability assessments, offensive cybersecurity operations, red teaming, or advanced cybersecurity engineering.
• Extensive experience conducting penetration testing against enterprise networks, web applications, cloud environments, and operating systems.
• Advanced knowledge of offensive security methodologies, exploitation frameworks, attack techniques, and adversarial tactics.
• Experience using penetration testing and security assessment tools such as Metasploit, Burp Suite, Nessus, Nmap, Kali Linux, Cobalt Strike, BloodHound, Wireshark, and related platforms.
• Strong understanding of network protocols, operating systems, identity management, authentication mechanisms, and cloud architectures.
• Experience with scripting or programming languages such as Python, PowerShell, Bash, JavaScript, or Go.
• Knowledge of NIST RMF, NIST SP 800-53, FISMA, FedRAMP, MITRE ATT&CK, and Zero Trust Architecture concepts.
• Experience leading penetration testing teams, coordinating testing engagements, and presenting findings to technical and executive stakeholders.
• Strong analytical, problem-solving, technical writing, and communication skills.
• Experience supporting federal agencies or government cybersecurity environments preferred.

Preferred Certifications

• Offensive Security Certified Professional (OSCP)
• Offensive Security Experienced Penetration Tester (OSEP)
• GIAC Penetration Tester (GPEN)
• GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
• Certified Ethical Hacker (CEH)
• Certified Information Systems Security Professional (CISSP)
• CompTIA PenTest+
• GIAC Web Application Penetration Tester (GWAPT)
• Certified Red Team Professional (CRTP)
• AWS Certified Security – Specialty
• Microsoft Certified: Azure Security Engineer Associate

Job Tags

Full time

Similar Jobs