[Remote] Security Engineer, Penetration Testing

Work from home Full-time role Hiring

Note: The job is a remote job and is open to candidates in USA. ISC2 is a leading nonprofit member organization for cybersecurity professionals, committed to a safe and secure cyber world. The Security Engineer, Penetration Testing role involves executing offensive security assessments and building defensive engineering controls to enhance ISC2’s security posture.

Responsibilities

  • Plan, execute, and document internal and external penetration tests against ISC2 applications, networks, cloud environments, and infrastructure
  • Perform vulnerability assessments and validate findings to distinguish genuine risks from false positives
  • Conduct web application, API, mobile, and network vulnerability assessments using industry-standard methodologies (OWASP, PTES, OSSTMM)
  • Perform social engineering assessments, including phishing simulations and physical security testing as authorized
  • Produce clear, actionable written reports detailing findings, risk ratings, evidence, and remediation recommendations tailored to both technical and executive audiences
  • Support red team exercises and adversary simulation activities to test detection and response capabilities
  • Develop and maintain the penetration testing program, including scope definitions, rules of engagement, and testing schedules. Move towards a continuous test mindset and method
  • Coordinate with third-party security vendors for external assessments and bug bounty program management where applicable
  • Own remediation follow-through: translate pen test findings into security engineering work items, validate fixes, and track resolution to closure in Jira Service Management
  • Design and implement security controls across ISC2’s cloud and on-premises environments, including hardening configurations for Azure, Okta, SentinelOne, CheckPoint, and F5 XD
  • Participate in security architecture and design reviews for new systems, integrations, and third-party products; provide security requirements and risk acceptance recommendations
  • Develop and maintain security automation scripts and tooling to improve detection coverage, reduce manual effort in assessment workflows, and support continuous monitoring
  • Support the Secure Software Development Lifecycle (SSDLC), including security requirements definition, code review support, and pre-deployment security validation
  • Maintain awareness of emerging vulnerabilities, exploits, and threat actor TTPs; operationalize threat intelligence into actionable hardening and detection improvements
  • Support ISC2’s ISO/IEC 27001:2022 ISMS by providing technical evidence and input for Annex A controls spanning vulnerability management (A.8.8), secure development (A.8.25–A.8.29), and technical review (A.8.29)
  • Miscellaneous duties as assigned

Skills

  • Bachelor's degree in Computer Science, Information Security, Cybersecurity, or related field. Will consider candidates with a high school diploma and at least eight (8) years of experience in cybersecurity
  • 4+ years of experience in cybersecurity, with a demonstrable mix of offensive security (penetration testing) and defensive/engineering work (control implementation, architecture review, or SSDLC)
  • Ability to travel up to 5% of the time
  • Work normal business hours and extended hours when necessary
  • Remain in a stationary position, often standing or sitting, for prolonged periods
  • The role requires the ability to work at a computer for extended periods and communicate effectively through written and verbal channels
  • Regular use of office equipment such as a computer/laptop and monitor computer screens
  • Dexterity of hands and fingers to operate a computer keyboard, mouse, and other computer components
  • Proficiency with penetration testing tools including Burp Suite, Metasploit, Nmap, Nessus, Cobalt Strike, and similar offensive frameworks
  • Strong understanding of web application vulnerabilities (OWASP Top 10), network protocols, Active Directory attack paths, and cloud security (Azure, AWS, GCP)
  • Effective written and verbal communication with cross-functional teams is essential
  • Scripting and automation proficiency in Python, Bash, or PowerShell; ability to write or modify exploit code as well as defensive tooling
  • Familiarity with MITRE ATT&CK, CVSS, CVE, NIST SP 800-115, and the CIS Benchmarks for secure configuration baselines
  • Possess AI literacy and the ability to test AI workloads and infrastructure
  • Integrity & Ethics: Operates with the highest standard of professional ethics; treats privileged access, sensitive findings, and organizational data with strict confidentiality
  • Analytical Thinking: Applies a structured, adversarial mindset to both offensive assessments and defensive design; bridges exploit research with practical engineering solutions
  • Communication: Clearly articulates complex technical vulnerabilities and risk in written reports and verbal briefings to both technical and non-technical stakeholders
  • Collaboration: Partners effectively with developers, architects, and operations staff to drive meaningful security improvements without disrupting business operations
  • Continuous Learning: Actively pursues knowledge of emerging threats, tools, and techniques; contributes insights to team knowledge sharing
  • Relevant certifications strongly preferred: OSCP, GPEN or GWAPT, plus one engineering/architecture credential (CISSP, CSSLP, or equivalent)
  • ISC2 membership or certifications (CISSP, CC) are a plus and demonstrate alignment with ISC2's mission
  • Experience supporting ISO/IEC 27001, SOC 2, PCI-DSS, or similar compliance programs is a plus

Company Overview

  • ISC2 is the world’s leading member organization for cybersecurity professionals, driven by our vision of a safe and secure cyber world. It was founded in 1989, and is headquartered in Alexandria, Virginia, USA, with a workforce of 201-500 employees. Its website is https://www.isc2.org.