Lead - Penetration Tester

Summary:

You will be responsible for managing a team of penetration testers, designing and executing complex security assessments, and ensuring the security posture of critical systems and applications across our organization. You will also serve as a subject matter expert in identifying vulnerabilities, providing remediation strategies, and developing threat modeling.

Key Responsibilities:

Strategic & Operational Leadership

• Set the direction and scope of internal and external penetration testing engagements.
• Develop, refine, and maintain the organizations penetration testing methodology.
• Align red team activities with business objectives, risk priorities, and threat intelligence.

Team Management

• Lead, mentor, and coach a team of penetration testers, red teamers, and offensive security analysts.
• Conduct regular 1-on-1s, career development planning, and performance evaluations.
• Build a collaborative and high-performing team culture with continuous skills development.

Planning & Execution Oversight

• Oversee project timelines, resource allocation, and task delegation.
• Ensure timely delivery of assessments and reporting within defined SLAs.
• Manage team workflows using Agile or structured project management frameworks.

Quality Assurance & Reporting

• Review and approve penetration testing reports for clarity, accuracy, and risk relevance.
• Ensure all tests are conducted ethically, legally, and in line with organizational policy.
• Maintain consistency in reporting formats, severity ratings, and risk classifications.

Technical Guidance & Escalation

• Provide hands-on support in complex testing scenarios (e.g., privilege escalation, advanced persistence).
• Serve as the go-to expert in bypassing modern defenses (EDR, WAF, MFA, etc.).
• Troubleshoot and advise during real-time engagements or red/purple team exercises.

Continuous Improvement

• Stay current with threat trends, TTPs (MITRE ATT&CK), and industry frameworks (OWASP, PTES, NIST).
• Recommend new tools, scripts, and techniques to keep the team ahead of emerging threats.
• Introduce automation, playbooks, and reusable exploits to improve testing efficiency.

Training & Development

• Develop internal training modules, labs, and tabletop exercises.
• Support certifications and knowledge-sharing within the team (e.g., OSCP, OSCE, CRTO).
• Organize internal red team simulations, capture-the-flag (CTF) challenges, or lab walkthroughs.

Stakeholder Communication

• Present technical findings and risk assessments clearly to non-technical stakeholders.
• Interface with IT, development, SOC, and compliance teams to coordinate remediation efforts.
• Participate in executive briefings or incident response drills where red team input is required.

Compliance & Documentation

• Ensure testing procedures align with regulatory frameworks (ISO 27001, PCI-DSS, NIST).
• Maintain documentation for all tools, payloads, testing infrastructure, and evidence handling.
• Establish safe testing protocols to avoid disruption or unintentional damage during engagements.