Offensive Security Lead

We are looking for a penetration tester/vulnerability engineer to join our team to help protect the organization from cyber threats. As a penetration tester, you will be responsible for conducting ethical hacking activities to identify and exploit vulnerabilities in systems, networks, applications, and devices. You will be involved in red teaming, purple teaming, and active threat-hunting exercises to simulate real-world attacks and test the effectiveness of our security controls and incident response capabilities. You will also be expected to lead and manage vulnerability and patch management programs to ensure timely remediation of security issues.

• Vulnerability Management
• Compiling and tracking vulnerabilities and mitigation results to quantify program effectiveness.
• Creating and maintaining vulnerability management policies, procedures, and training
• Analyzing cyber defense policies and configurations and evaluate compliance with regulations and organizational directives.
• Maintain knowledge of applicable cyber defense policies, regulations, and compliance documents related to cyber defense assessment.
• Prepare reports identifying technical and procedural findings and providing recommended remediation strategies/solutions.
• Perform technical (evaluation of technology) and nontechnical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas (e.g., container registry scanning, open-source vulnerability scanning, network/host vulnerability scanning, cloud security posture management, and source code scanning.
• Analyze CIS benchmarks compliance for multiple platforms, including on-premises and cloud resources, and generate reports to achieve compliance by meeting organizational security standards.
• Maintain weekly reports for work-in-progress efforts across cybersecurity operations resources.
• Manage the exception process for vulnerabilities, patching, or pen-testing findings that cannot meet Belk’s Standards and/or the remediation SLA Penetration Testing
• Perform formal penetration tests on web-based applications, networks, and computer systems to include Windows environments from initiation to closure.
• Threat modeling
• Perform testing on eCommerce sites and API endpoints
• Test both internal and external facing assets.
• Test security controls for effectiveness.
• Mentor and train associate analysts.

​

Education:

• Bachelor's Degree in CIS, Information Security, or a related field preferred
• Security Certifications    Must have 3 or more of the following certifications: GSEC, GCIH, GPEN,OSCP, GWAPT, Sec+, or CEH

Knowledge, Skills & Abilities

• Proficiency in using penetration testing tools like Metasploit, Burp Suite, Nmap, Wireshark, and vulnerability scanners.
• Understanding of standard network protocols, operating systems (Windows, Linux, macOS), and web technologies.
• Knowledge of common web application vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
• Familiarity with scripting languages like Python, Bash, or PowerShell to automate tasks and develop custom tools.
• Solid understanding of cybersecurity principles, secure coding practices, cloud infrastructure, and network security controls.
• Knowledge of common security frameworks and compliance standards, such as OWASP, PCI DSS, NIST, and MITRE ATT&CK® Framework.
• Strong analytical thinking and problem-solving abilities to identify vulnerabilities, analyze their impact, and recommend appropriate solutions.
• Knowledge of system administration concepts, including server configuration, user, and patch management.
• Excellent communication and mentoring skills
• Willingness to continuously learn new tools, methodologies, and technologies in the rapidly evolving field of cybersecurity.
• Understanding the retail business context to prioritize risks and align security assessments with organizational objectives is essential.
• Ability to work effectively as a team, collaborate with other security professionals, and share knowledge and expertise.
• Must be current on modern threats and threat actor groups.

#LI-CM1

#IND3

#LI-Hybrid