Secure Yeti is seeking an experienced Offensive Security Engineer to join our agile, high-performing security consulting team. You’ll work on challenging, impactful engagements where security is a priority from the start, collaborating with some of the best in the industry. 

Responsibilities 

  • Lead and execute penetration tests targeting web applications and cloud environments, assessing application-layer vulnerabilities, cloud services, and identity management. 
  • Perform full-spectrum web and cloud offensive security operations, including reconnaissance, exploitation, post-exploitation, and data exfiltration, while applying OPSEC techniques to remain undetected. 
  • Participate in threat modeling and secure SDLC activities, collaborating with development teams to identify vulnerabilities and design mitigations. 
  • Develop, adapt, and maintain web-focused exploits, payloads, and tooling; leverage commercial and open-source tools such as Burp Suite and Nmap, and create custom solutions as needed. 
  • Stay ahead of emerging threats, adversary tactics, techniques, and procedures (TTPs) through continuous research, training, and tradecraft development. 
  • Mentor junior team members, share knowledge, and contribute to internal capability building. 
  • Represent Secure Yeti at industry events and conferences, promoting our expertise and engaging with the security community. 

 

Requirements 

  • Bachelor’s degree in Information Technology, Computer Science, or a related field. 
  • 5+ years of hands-on experience conducting offensive security assessments, specializing in web application penetration testing with emphasis on manual testing and identifying business logic flaws. 
  • Experience with cloud security testing, with required expertise in AWS and Azure/Active Directory. 
  • Deep expertise in exploiting common web application vulnerabilities, including input validation, access control, session management, XSS, SQL injection, and server misconfigurations. 
  • Experience performing secure code reviews to identify vulnerabilities and enforce best practices. 
  • Proven ability to manage multiple client engagements in a fast-paced environment while fostering strong client relationships through clear communication, professionalism, and expert guidance. 
  • Committed to integrity, with the ability to pass a federal background check, drug test, and credit check, and to maintain a National Security Clearance. 
  • Ability to produce clear, accurate reports and executive briefings, delivering actionable remediation recommendations. 
  • Strong collaborative mindset with an emphasis on humility, inclusivity, knowledge sharing, and constructive communication. 
  • Consistently demonstrates professional conduct in industry settings including conferences, events, and online platforms, upholding company values and safeguarding confidential information. 
  • Availability during standard business hours (8:00 AM – 5:00 PM CST) with flexibility for urgent client needs. 

 

Nice to Have 

  • Experience conducting internal and external network penetration tests, including identifying and exploiting misconfigurations, weak protocols, and insecure network services. 
  • Experience testing additional cloud and SaaS platforms such as M365 and GCP, with the ability to identify misconfigurations, security gaps, and remediation opportunities. 
  • Experience in programming/scripting (e.g., Python, JavaScript, C#, PowerShell, Bash) for tool development, automation, and payload customization. 
  • Familiarity with security testing standards and frameworks (e.g., NIST 800-53, OWASP, MITRE ATT&CK). 
  • Experience conducting firewall configuration reviews to assess rulesets and validate compliance with security standards. 
  • Certifications such as GPEN, GXPN, GWAPT, or OSCP. 

 

 

Benefits: 

  • 12 paid holidays annually 
  • Flexible time off policy 
  • 401(k) with up to 5% company match 
  • Health, vision, dental, ST/LT disability, and life insurance 

 

Salary: Base Pay $130-$170k (based on skillset and experience) 

Job Category: Cybersecurity Information Security
Job Type: Full Time
Job Location: Remote (Must be a U.S. Citizen residing in the U.S.)
