Compunnel

Cybersecurity Penetration Testing Engineer - Application And API Security

Compunnel, Charlotte, North Carolina, United States, 28245


Job Summary

The Cybersecurity Penetration Testing Engineer is responsible for conducting in-depth security testing of web applications, mobile applications, and APIs across business-critical platforms.

This role requires hands-on expertise in offensive security methodologies, vulnerability exploitation, and secure SDLC practices.

The engineer will collaborate with development, DevSecOps, and risk teams to identify, document, and support the remediation of security vulnerabilities.

Key Responsibilities

Penetration Testing & Vulnerability Assessment

- Perform manual and automated penetration testing on web, mobile, and API endpoints.
- Use Burp Suite Professional for intercepting, modifying, and exploiting HTTP/S traffic.
- Conduct source code-assisted testing to uncover logic flaws.
- Simulate attack scenarios using the OWASP Top 10, SANS 25, and OWASP API Security Top 10 frameworks.
- Identify flaws in authentication, authorization, session management, and input validation.

API Security Testing

- Conduct REST and GraphQL API penetration testing, including JWT, OAuth, and token manipulation.
- Validate business logic vulnerabilities and parameter tampering across microservices.
- Use tools such as Postman, Burp Suite, and OWASP ZAP for fuzzing and payload injection.
- Identify API schema misconfigurations, rate-limiting issues, and data exposure risks.

Offensive Security & Exploitation

- Execute custom payloads and develop PoC exploits to demonstrate risk severity.
- Emulate attacker tactics using MITRE ATT&CK and CWE references.
- Perform targeted assessments on authentication bypass, privilege escalation, and deserialization flaws.

Reporting & Remediation Support

- Document findings with reproduction steps, impact analysis, and mitigation recommendations.
- Collaborate with development and DevSecOps teams on secure code fixes and retesting.
- Present risk-prioritized reports to technical and management stakeholders.

Security Process & Continuous Improvement

- Integrate testing results into CI/CD pipelines to support DevSecOps practices.
- Contribute to secure coding guidelines and developer training sessions.
- Stay current on emerging attack trends, CVEs, and offensive security tools.
- Assist in developing internal scripts and automation workflows to improve testing efficiency.

Required Qualifications

- Bachelor's or Master's degree in Computer Science, Information Security, or a related field.
- 5–8 years of experience in application or API penetration testing, with at least 3 years in hands-on offensive testing.
- Strong report writing and presentation skills for technical and non-technical audiences.
- Proficiency in scripting languages such as Python, JavaScript, or Bash.
- Deep understanding of HTTP/HTTPS, REST, GraphQL, JSON, and XML.
- Experience with vulnerability exploitation, reverse engineering, or red team engagements.

Preferred Qualifications

- Familiarity with API gateways (e.g., Kong, Apigee) and microservices architectures.
- Awareness of cloud-native security testing (AWS, Azure, GCP) and container security (Docker/Kubernetes).
- Experience with exploit development frameworks and C2 tools (e.g., Cobalt Strike, Empire).

Certifications

- OSCP / OSWE / OSEP (Offensive Security)
- Burp Suite Certified Practitioner (BSCP)
- eWPTX / eCPPT / CEH (Practical)
- GWAPT / GPEN / GCPN

Education:

Bachelor's Degree

Certification:

Offensive Security Certified Professional, Offensive Security Web Expert, Burp Suite Certified Practitioner (BSCP), eWPTX, eCPPT, GWAPT, GPEN, GCPN, CEH