Offensive Security Analyst

Malvern, PA


Global Risk and Security (GR&S) at Vanguard enables business strategy, protects client and Vanguard interests (e.g., assets and data), and stewards a strong risk culture. Our teams leverage enterprise-wide insights, deep expertise, and trusted advice so that leaders and crew across Vanguard make faster, stronger, risk-informed decisions.

We are seeking an Offensive Security Analyst with advanced expertise in web application penetration testing to join our team. In this role, you will be responsible for identifying and exploiting security vulnerabilities within web applications, APIs, and cloud environments, helping to protect our organization's assets from sophisticated cyber threats. As a key member of the offensive security team, you will conduct red team operations, simulate attacks, and collaborate with cross-functional teams to improve security posture and mitigate risks. This position demands hands-on experience, technical proficiency, and a strong understanding of the latest vulnerabilities, attack techniques, and exploitation methods.

Responsibilities:

  • Perform comprehensive web application penetration testing and vulnerability assessments across internal and external web applications.
  • Identify, exploit, and document security vulnerabilities in web applications, APIs, and cloud environments, providing detailed risk assessments and recommendations for remediation.
  • Simulate real-world attacks to evaluate application security controls and detect potential threats.
  • Collaborate with development and security teams to offer actionable guidance on fixing vulnerabilities and strengthening security posture.
  • Prepare detailed penetration testing reports and clearly communicate findings to technical and non-technical stakeholders.
  • Continuously research and stay current on emerging vulnerabilities, security trends, and attack vectors in the web application landscape.
  • Assist in security incident response by identifying and analyzing vulnerabilities that may be exploited during an attack.
  • Conduct threat modeling and provide input on security requirements for application development.
  • Develop and maintain custom scripts and tools to enhance penetration testing efforts.
  • Mentor junior security team members and contribute to the overall knowledge base of the security team.

Qualifications:

  • Proven experience in web application penetration testing, with a strong background in identifying vulnerabilities, performing manual testing, and using automated tools.
  • Deep understanding of web application security concepts, including OWASP Top 10, secure coding practices, authentication and authorization mechanisms, session management, and input validation.
  • Proficiency in using security tools such as Burp Suite, OWASP ZAP, and Metasploit, as well as custom scripts, for penetration testing.
  • Strong knowledge of web technologies such as HTML, JavaScript, CSS, AJAX, and HTTP/HTTPS protocols.
  • Hands-on experience with exploiting common web vulnerabilities like SQL injection, XSS, CSRF, SSRF, RCE, XXE, and IDOR.
  • Familiarity with security testing methodologies, frameworks, and standards (e.g., OWASP, PTES, NIST, MITRE ATT&CK).
  • Strong scripting and programming skills (e.g., Python, JavaScript, Bash, PowerShell) to develop custom exploits and automate tasks.
  • Strong analytical and problem-solving skills, with the ability to think like an attacker and identify creative ways to exploit vulnerabilities.

Preferred Certifications:

  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Web Assessor (OSWA)
  • Offensive Security Web Expert (OSWE)
  • GIAC Web Application Penetration Tester (GWAPT)

Additional Skills (Preferred but not Required):

  • Experience with cloud environments (AWS, Azure, GCP) and their security models.
  • Familiarity with DevSecOps practices and integrating security into CI/CD pipelines.
  • Knowledge of cryptography, secure communication protocols, and encryption standards.
  • Experience in red teaming or advanced adversary emulation.

Special Factors

Sponsorship

Vanguard is not offering visa sponsorship for this position.

About Vanguard

We are Vanguard. Together, we’re changing the way the world invests.

For us, investing doesn’t just end in value. It starts with values. Because when you invest with courage, when you invest with clarity, and when you invest with care, you can get so much more in return. We invest with purpose – and that’s how we’ve become a global market leader. Here, we grow by doing the right thing for the people we serve. And so can you.

We want to make success accessible to everyone. This is our opportunity. Let’s make it count.

Inclusion Statement

Vanguard’s continued commitment to diversity and inclusion is firmly rooted in our culture. Every decision we make to best serve our clients, crew (internally employees are referred to as crew), and communities is guided by one simple statement: “Do the right thing.”

We believe that a critical aspect of doing the right thing requires building diverse, inclusive, and highly effective teams of individuals who are as unique as the clients they serve. We empower our crew to contribute their distinct strengths to achieving Vanguard’s core purpose through our values.

When all crew members feel valued and included, our ability to collaborate and innovate is amplified, and we are united in delivering on Vanguard's core purpose.

Our core purpose: To take a stand for all investors, to treat them fairly, and to give them the best chance for investment success.

How We Work

Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection. We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.



Category: Analyst Jobs

Tags: APIs Application security AWS Azure Bash Burp Suite CI/CD Cloud Cryptography CSRF DevSecOps Encryption Exploit Exploits GCP GIAC GWAPT Incident response JavaScript Metasploit MITRE ATT&CK NIST Offensive security OSCP OSWE OWASP Pentesting PowerShell Python Red team Risk assessment Scripting SQL SQL injection SSRF Strategy Vulnerabilities XSS XXE

Perks/benefits: Career development

Region: North America
Country: United States
