**Job Title & Location** **Remote Penetration Tester (Remote)** – flexible hours aligned with our core schedule in **Eagle Pass, Texas** Our product line just hit the market‑ready milestone, and the surge of external integrations has opened a new attack surface that we need to lock down, fast. That’s why we’re expanding the red‑team now – to make sure the security we promise to customers in **Eagle Pass, Texas** and beyond actually works. --- ## The Reality of This Role When you join our security squad, you’ll be stepping into a team that grew from five engineers to fifteen in the last twelve months, and we’re still adding more talent to keep up with the 30 % month‑over‑month increase in inbound audit requests. Our recent Series B round gave us the runway to launch three SaaS modules in the next quarter, each exposing new APIs that need to be vetted before any public release. You’ll be reporting to Maya, our Lead Application Security Engineer, who spends her mornings in **Eagle Pass, Texas** reviewing threat models and her afternoons on calls with the product managers in **Eagle Pass, Texas**. Your day‑to‑day will be a blend of hands‑on testing, writing clear remediation notes, and pushing back on design decisions that could become security liabilities. Collaboration is async but far from isolated. We run a weekly “War Room” on Thursday mornings, where the whole penetration team – five senior testers, two junior analysts, and a rotating security‑ops liaison – breaks down the latest findings from the past sprint. We also have a “bug‑bounty triage” channel that streams directly into our JIRA board, so the feedback loop from external researchers reaches us within 48 hours. The biggest challenge? Balancing depth and speed. Our product releases happen on a two‑week cadence, meaning you’ll often have a 72‑hour window to complete a full‑stack engagement from reconnaissance to final report. It’s intense, but the sense of seeing a vulnerability patched before a customer ever sees it is why we love the work. --- ## What You’ll Actually Do - **Own** end‑to‑end penetration engagements for our web, mobile, and cloud services, delivering a full report within the SLA of 72 hours for each sprint. - **Execute** reconnaissance with Nmap, Masscan, and Amass, then map the attack surface in real‑time using Burp Suite and OWASP ZAP. - **Develop** custom exploit scripts in Python or PowerShell to validate findings, and integrate them into our CI pipeline via GitLab CI. - **Run** credential‑dumping and lateral‑movement simulations on our AWS and Azure environments using BloodHound, Cobalt Strike, and Metasploit, measuring time‑to‑pivot and reporting the median of 4 hours across recent engagements. - **Automate** routine scans with Nessus and OpenVAS, scheduling them nightly and tracking coverage metrics; we aim for 95 % of our assets scanned at least once per week. - **Collaborate** with the DevSecOps crew in **Eagle Pass, Texas** to embed security controls directly into Docker images and Helm charts, reducing remediation time by 30 % over the last quarter. - **Mentor** two junior penetration analysts, reviewing their findings, guiding their tool selection, and co‑authoring a “Pentest Playbook” that now lives in our internal Confluence space. - **Present** findings to product owners and executives in **Eagle Pass, Texas** during sprint review meetings, translating complex technical detail into business‑impact narratives that drive immediate action. - **Track** key performance indicators: average time‑to‑report (target < 48 hours), vulnerability remediation rate (target > 85 % within the sprint), and false‑positive rate (target < 5 %). - **Participate** in the monthly bug‑bounty triage, reviewing external submissions, reproducing them in a sandbox, and assigning severity levels using CVSS v3.1. - **Contribute** to our open‑source security tooling, pushing patches to a public repository on GitHub that currently has 1.2k stars and is referenced in three industry‑wide talks we gave in **Eagle Pass, Texas** last year. - **Stay current** with the latest threat intel feeds—AlienVault OTX, MITRE ATT&CK, and emerging CVEs—feeding relevant findings back into our threat‑modeling sessions every week. --- ## Skills That Truly Matter **Must‑have** - 3+ years of hands‑on penetration testing experience (red‑team or consultancy) with a track record of full‑cycle engagements. - Proficiency with Metasploit, Burp Suite, Nmap, Wireshark, and Kali Linux. - Strong scripting skills in Python, Bash, or PowerShell for proof‑of‑concept development. - Familiarity with cloud security testing on AWS and Azure, including IAM, S3 bucket misconfigurations, and container security. - Ability to write clear, concise reports that include CVSS scores, risk ratings, and remediation steps. **Nice‑to‑have** - Certifications such as OSCP, OSCE, or GPEN (not a deal‑breaker, but will open doors). - Experience with Cobalt Strike or BloodHound for post‑exploit activities. - K