Manual Application Penetration Tester (Web & API)

Remote Full-time
Job Title: Manual Application Penetration Tester (Web & API)

Contract Type: Contract

Role Overview

We are seeking experienced Manual Application Penetration Testers to perform in-depth security testing of web applications, APIs, and mobile applications. This role requires hands-on, offensive security expertise with a strong focus on manual exploitation, business logic testing, and real-world attack simulation.

The ideal candidate can independently execute penetration testing engagements, clearly articulate findings to both technical and non-technical audiences, and guide remediation efforts.

Key Responsibilities
• Perform manual application penetration testing of:
  • Web applications
  • REST & SOAP APIs
  • Mobile applications (iOS/Android – nice to have)
  • Thick client applications (where applicable)
• Conduct business logic testing, threat modeling, and application architecture reviews
• Identify and exploit vulnerabilities including (but not limited to):
  • IDOR / BOLA
  • Authentication & authorization flaws
  • Session management issues
  • Injection flaws (SQLi, XSS, XXE, etc.)
  • Logic flaws missed by automated scanners
• Perform objective-based and abstract penetration testing engagements
• Develop and demonstrate proof-of-concept (PoC) exploits
• Use Burp Suite Pro extensively for manual testing (Repeater, Intruder, Decoder, etc.)
• Present findings via live demos, written reports, and client readouts
• Clearly communicate risks, impact, and remediation guidance
• Work independently with minimal oversight while meeting delivery timelines

Required Qualifications
• 5+ years of recent experience in manual application penetration testing
• Strong experience testing:
  • Web applications
  • APIs (REST / SOAP)
• Hands-on expertise with Burp Suite Pro
• Proven ability to perform manual exploitation (not scanner-only testing)
• Experience communicating results to both technical and non-technical stakeholders
• Ability to lead remediation discussions and retesting efforts
• Bachelor’s degree in Computer Science, Engineering, or equivalent industry experience

Preferred Qualifications
• Mobile application penetration testing (iOS / Android)
• Experience with tools such as:
  • Netsparker
  • OWASP ZAP
  • Postman / SoapUI
• Experience with OAuth, JWT, and modern authentication mechanisms
• Ethical hacking certifications (preferred, not required):
  • GWAPT
  • OSWE
  • OSWA
  • CREST

Nice-to-Have Experience
• Threat modeling frameworks (STRIDE, PASTA, etc.)
• Secure SDLC / DevSecOps exposure
• Client-facing consulting or enterprise security engagements
