[Remote] Security Engineer, Penetration Testing
Note: The job is a remote job and is open to candidates in USA. ISC2 is a leading nonprofit member organization for cybersecurity professionals, committed to a safe and secure cyber world. The Security Engineer, Penetration Testing role involves executing offensive security assessments and building defensive engineering controls to enhance ISC2’s security posture.
Responsibilities
- Plan, execute, and document internal and external penetration tests against ISC2 applications, networks, cloud environments, and infrastructure
- Perform vulnerability assessments and validate findings to distinguish genuine risks from false positives
- Conduct web application, API, mobile, and network vulnerability assessments using industry-standard methodologies (OWASP, PTES, OSSTMM)
- Perform social engineering assessments, including phishing simulations and physical security testing as authorized
- Produce clear, actionable written reports detailing findings, risk ratings, evidence, and remediation recommendations tailored to both technical and executive audiences
- Support red team exercises and adversary simulation activities to test detection and response capabilities
- Develop and maintain the penetration testing program, including scope definitions, rules of engagement, and testing schedules. Move towards a continuous test mindset and method
- Coordinate with third-party security vendors for external assessments and bug bounty program management where applicable
- Own remediation follow-through: translate pen test findings into security engineering work items, validate fixes, and track resolution to closure in Jira Service Management
- Design and implement security controls across ISC2’s cloud and on-premises environments, including hardening configurations for Azure, Okta, SentinelOne, CheckPoint, and F5 XD
- Participate in security architecture and design reviews for new systems, integrations, and third-party products; provide security requirements and risk acceptance recommendations
- Develop and maintain security automation scripts and tooling to improve detection coverage, reduce manual effort in assessment workflows, and support continuous monitoring
- Support the Secure Software Development Lifecycle (SSDLC), including security requirements definition, code review support, and pre-deployment security validation
- Maintain awareness of emerging vulnerabilities, exploits, and threat actor TTPs; operationalize threat intelligence into actionable hardening and detection improvements
- Support ISC2’s ISO/IEC 27001:2022 ISMS by providing technical evidence and input for Annex A controls spanning management of technical vulnerabilities (A.8.8), secure development (A.8.25–A.8.28), and security testing in development and acceptance (A.8.29)
- Miscellaneous duties as assigned
Skills
- Bachelor's degree in Computer Science, Information Security, Cybersecurity, or related field. Will consider candidates with a high school diploma and at least eight (8) years of experience in cybersecurity
- 4+ years of experience in cybersecurity, with a demonstrable mix of offensive security (penetration testing) and defensive/engineering work (control implementation, architecture review, or SSDLC)
- Ability to travel up to 5% of the time
- Work normal business hours and extended hours when necessary
- Remain in a stationary position, often standing or sitting, for prolonged periods
- The role requires the ability to work at a computer for extended periods and communicate effectively through written and verbal channels
- Regular use of office equipment such as a computer/laptop and monitor computer screens
- Dexterity of hands and fingers to operate a computer keyboard, mouse, and other computer components
- Proficiency with penetration testing tools including Burp Suite, Metasploit, Nmap, Nessus, Cobalt Strike, and similar offensive frameworks
- Strong understanding of web application vulnerabilities (OWASP Top 10), network protocols, Active Directory attack paths, and cloud security (Azure, AWS, GCP)
- Effective written and verbal communication with cross-functional teams is essential
- Scripting and automation proficiency in Python, Bash, or PowerShell; ability to write or modify exploit code as well as defensive tooling
- Familiarity with MITRE ATT&CK, CVSS, CVE, NIST SP 800-115, and the CIS Benchmarks for secure configuration baselines
- Possess AI literacy and the ability to assess AI workloads and the infrastructure that supports them
- Integrity & Ethics: Operates with the highest standard of professional ethics; treats privileged access, sensitive findings, and organizational data with strict confidentiality
- Analytical Thinking: Applies a structured, adversarial mindset to both offensive assessments and defensive design; bridges exploit research with practical engineering solutions
- Communication: Clearly articulates complex technical vulnerabilities and risk in written reports and verbal briefings to both technical and non-technical stakeholders
- Collaboration: Partners effectively with developers, architects, and operations staff to drive meaningful security improvements without disrupting business operations
- Continuous Learning: Actively pursues knowledge of emerging threats, tools, and techniques; contributes insights to team knowledge sharing
- Relevant certifications strongly preferred: OSCP, GPEN or GWAPT, plus one engineering/architecture credential (CISSP, CSSLP, or equivalent)
- ISC2 membership or certifications (CISSP, CC) are a plus and demonstrate alignment with ISC2's mission
- Experience supporting ISO/IEC 27001, SOC 2, PCI-DSS, or similar compliance programs is a plus
Company Overview