|Preferred GIAC Certifications||OSWE, OSCP, GPEN, GWAPT, GCPN, eWAPTX, CSSLP|
Senior level individual contributor role that leads and support penetration testing red teaming and advisory services. This role interfaces with the business to identify and manage risk craft attack plans lead assessments and operations author and review reports for business and technical stakeholders and mentor and train staff. This position combines technical expertise with adversarial imagination to build offensive capabilities in pursuit of improving our resilience to threats and adversaries.
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
* Leads the development execution and maintenance of operational offensive security testing and advisory services within required standards.
* Strengthens organizational security posture by identifying and prioritizing risk to people processes technology and the business.
* Leads and supports offensive security assessments and operations that actualize risk and collaborating with business and technical stakeholders to manage risk effectively.
* Serves as a trusted expert in assessing web applications APIs cloud and cloud native infrastructures and services mobile systems networks and performing threat modeling.
* Improves operational efficiency and grow offensive capabilities by building adapting and evaluating tooling infrastructure procedures processes templates knowledge bases and automation.
* Builds strong relationships with engineering architecture AppSec Vulnerability Management SOC Threat Intelligence and business leaders and teams.
* Researches and integrates the latest tools tactics procedures and developments in vulnerability research exploitation privilege escalation defense evasion lateral movement and means of achieving objectives into new or existing capabilities.
* Exhibits professionalism acts ethically and with integrity operates securely and ensures consistent high quality practices/work and achieves business results in alignment with CNA strategies and productivity goals.
May perform additional duties as assigned.
Typically Director or above
Skills Knowledge & Abilities
* Demonstrated leadership adaptability and willingness to readily initiate and take ownership of highly challenging tasks and problems.
* In-depth knowledge of methodologies frameworks tactics techniques and tools that promote effective testing analysis and the ability to determine root cause and create solutions that resolve the problems in the best interest of the business.
* Experience leading and managing offensive security assessments and operations end-to-end.
* Proven skill collaborating with developers engineers architects and internal and external stakeholders to drive effective scoping execution and risk management.
* Experience conducting penetration testing and/or red team operations as a consultant or a demonstrated ability to support multiple concurrent assessments and operations.
* Established proficiency with writing and delivering technical reports and performing technical review and quality assurance.
* In-depth knowledge of OWASP CWE MITRE ATT&CK risk and secure software development lifecycles.
* Excellent communication skills (both written and oral); able to concisely communicate risk to both technical and business audiences.
* Experience with AWS Azure GCP and/or Kubernetes.
* Contributions to the security community such as research public CVEs bug-bounty recognitions open-source projects and blogs or publications desired.
* Ability to travel as assessments and operations require (<5%).
Education & Experience
Bachelor's degree with Master's preferred in a related discipline or equivalent
* Typically a minimum of ten years of related work experience
* Certification(s) Preferred: Offensive Security Web Expert (OSWE) Burp Suite Certified Practitioner Offensive Security *
* Certified Professional (OSCP) GIAC Penetration Tester (GPEN) GIAC Web Application Penetration Tester (GWAPT) GIAC Cloud Penetration Tester (GCPN) eLearnSecurity Web Application Penetration Testing (eWAPTX) Certified Secure Software Lifecycle Professional (CSSLP).