Job Description
Independently perform web, API, mobile, and infrastructure penetration tests
Clearly communicate technical and business risk to developers and leadership
Own testing quality from execution through reporting, remediation validation, and retesting
Rate will be between $9.00 and $13.00 an hour depending on skills and experience
We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment regardless of their race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to HR@insightglobal.com. To learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy: https://insightglobal.com/workforce-privacy-policy/.
Required Skills & Experience
REQUIRED EXPERIENCE
4–7 years of experience in Application Security, including web applications, mobile applications, infrastructure, and API penetration testing
ESSENTIAL SKILLS
Application & API Security
Strong hands-on experience performing manual web application penetration testing
Deep knowledge of OWASP Web, API, and Mobile Top 10 vulnerabilities
Experience following OWASP WSTG and structured testing methodologies
Ability to perform application mapping and attack surface discovery
Strong skills in authentication and authorization testing
Experience testing input validation and error handling
Ability to validate both client-side and server-side attack vectors
Hands-on experience testing RESTful APIs in authenticated and unauthenticated contexts
Ability to test authorization controls, role separation, token handling, API keys, OAuth and JWT misuse
Experience testing rate limiting, pagination, and business logic abuse
Ability to integrate API testing into broader application security assessments
Experience testing mobile applications with backend API dependency awareness
Strong understanding of client-side versus server-side trust boundaries
Infrastructure & Network Security
Hands-on experience performing internal and external infrastructure penetration tests
Knowledge of network service enumeration, including SMB, RDP, LDAP, MSSQL, HTTP/S
Experience identifying firewall, VPN, cloud endpoint, and network misconfigurations
Strong understanding of Active Directory attacks, including Kerberoasting, AS-REP roasting, and privilege escalation
Ability to validate lateral movement paths, credential reuse, weak permissions, and privilege escalation vectors
Experience aligning infrastructure testing with PTES methodology
Strong understanding of all PTES phases
Penetration Testing Execution & Reporting
Ability to scope, execute, and document full-cycle penetration tests
Experience validating exploitability and business impact, not just scanner findings
Ability to combine automated scanning with manual exploitation for accurate results
Experience performing retesting and validating remediation closure
Proficiency with industry-standard tools, including Burp Suite (manual testing, extensions, API testing), Nmap, and SQLmap
Strong experience producing clear, actionable penetration test reports
Experience tracking findings through the full remediation lifecycle
Secure Development & Collaboration
Experience working within a Secure Software Development Lifecycle (SSDLC)
Ability to perform architecture reviews and threat modeling (e.g., STRIDE)
Experience supporting static, dynamic, and manual security testing efforts
Ability to partner with development teams during design, build, and release phases
Ability to support leadership discussions on application and infrastructure risk posture and trends
Advanced Application Exploitation
Proven ability to identify complex business logic flaws across web, API, and mobile applications
Experience chaining low- and medium-severity findings into high-impact attack paths
Advanced web exploitation experience, including SSRF, deserialization, cache poisoning, and template injection
Deep familiarity with microservices-based and API-driven architectures
Experience testing APIs protected by OAuth2, JWTs, service tokens, and API gateways
Ability to advise teams on secure API design patterns, not just vulnerabilities
Mobile & Client-Side Security
Experience performing manual mobile security testing beyond automated scanners
Ability to identify client-side trust issues versus backend enforcement gaps
Risk Communication & Leadership
Strong executive-level communication skills, including attack path storytelling and business impact translation
Ability to correlate application vulnerabilities with infrastructure weaknesses
Experience validating attack paths involving network misconfigurations, privilege escalation, and lateral movement
Understanding of how cloud segmentation, firewalling, and network controls affect application exposure
Experience embedding security testing into SSDLC and CI/CD pipelines
Ability to guide teams on threat modeling, secure design decisions, and pre-production security gates
Comfort leading remediation discussions and constructively challenging weak fixes
Experience mentoring junior AppSec or penetration testing team members
Experience creating and reviewing penetration testing reports
Programming experience (Python or similar)
Nice to Have Skills & Experience
Certifications & Advanced Expertise
One or more relevant certifications such as OSCP, CRTO, OSWP, OSEP, PNPT, or similar
Advanced Active Directory attack path knowledge, including delegation abuse, DCSync, DCShadow, and BloodHound analysis
Experience reducing and validating attack paths
Cloud & Identity Security
Practical offensive security experience in Azure or Microsoft 365 (Entra ID) and/or GCP
Experience with identity abuse, misconfigured roles and policies, workload identity takeover, OAuth application abuse, and cross-tenant risks
Benefit packages for this role will start on the 1st day of employment and include medical, dental, and vision insurance, as well as HSA, FSA, and DCFSA account options, and 401k retirement account access with employer matching. Employees in this role are also entitled to paid sick leave and/or other paid time off as provided by applicable law.