Mphasis
Role description
Cybersecurity Penetration Testing Engineer - Application & API Security
Location - preferably in Charlotte, NC
Job Summary -
The Penetration Testing Engineer will be responsible for conducting in-depth web application, mobile application, and API security testing across business-critical platforms. The role requires hands-on expertise in Burp Suite, a deep understanding of offensive security methodologies, and the ability to identify, exploit, and document security vulnerabilities. The engineer will work closely with development, DevSecOps, and risk teams to ensure secure SDLC practices and support remediation of discovered vulnerabilities.
Years of experience needed -
5-8 years of total experience in application or API penetration testing, with at least 3+ years in hands-on offensive testing.
Key Responsibilities:
1. Penetration Testing & Vulnerability Assessment
- Perform manual and automated penetration testing on web, mobile, and API endpoints.
- Use Burp Suite Professional extensively for intercepting, modifying, and exploiting HTTP/S traffic.
- Conduct source code-assisted testing when applicable to identify deeper logic flaws.
- Simulate real-world attack scenarios using OWASP Top 10, SANS 25, and API Security Top 10 frameworks.
- Identify authentication, authorization, session management, and input validation flaws.
2. API Security Testing
- Perform REST and GraphQL API penetration testing, including JWT, OAuth, and token manipulation.
- Validate business logic vulnerabilities and parameter tampering across microservices.
- Use tools such as Postman, Burp Suite, and OWASP ZAP for fuzzing, interception, and payload injection.
- Validate API schema misconfigurations, rate limiting, and data exposure issues.
3. Offensive Security & Exploitation
- Execute custom payloads and exploits to demonstrate risk severity to stakeholders.
- Develop proof-of-concept (PoC) exploits to validate identified vulnerabilities.
- Emulate attacker tactics, techniques, and procedures (TTPs) from MITRE ATT&CK and CWE references.
- Perform targeted assessments on authentication bypass, privilege escalation, and input deserialization.
4. Reporting & Remediation Support
- Document detailed findings, reproduction steps, impact analysis, and mitigation recommendations.
- Collaborate with developers and DevSecOps teams to ensure timely patching and secure code fixes.
- Participate in vulnerability triage and retesting post-remediation.
- Present reports to technical and management stakeholders in clear, risk-prioritized language.
5. Security Process & Continuous Improvement
- Integrate testing results into CI/CD pipelines where possible (DevSecOps enablement).
- Contribute to secure coding guidelines and training sessions for developers.
- Evaluate emerging attack trends, new CVEs, and offensive security tools to keep the testing framework current.
- Assist in developing internal scripts, extensions, or automation workflows for testing efficiency.
Technical Skills
Core Tools & Techniques
- Burp Suite Professional - expert-level usage (Intruder, Repeater, Decoder, Extender).
- Familiarity with OWASP ZAP, Nmap, Metasploit, SQLmap, DirBuster, Hydra, and Ffuf.
- Deep understanding of OWASP Top 10 (Web & API) and CWE Top 25 vulnerabilities.
- Strong ability to identify and exploit logic-based and authentication-related flaws.
Programming & Scripting
- Proficiency in at least one scripting language: Python, JavaScript, or Bash.
- Experience writing small custom scripts or Burp extensions for advanced payloads.
- Understanding of HTTP/HTTPS, REST, GraphQL, JSON, and XML protocols.
Offensive Security
- Practical experience in vulnerability exploitation, reverse engineering, or red team engagements.
- Familiarity with exploit development frameworks and C2 tools (Cobalt Strike, Empire) is a plus.
- Ability to simulate APT-style threat actor behavior and persistence mechanisms.
API / Cloud Security (Preferred)
- Knowledge of API gateways (Kong, Apigee) and microservices architectures.
- Awareness of cloud-native security testing (AWS, Azure, GCP) and container security (Docker/Kubernetes).
Qualifications
- Bachelor's or Master's degree in Computer Science, Information Security, or related field.
- 5-8 years of total experience in application or API penetration testing, with at least 3+ years in hands-on offensive testing.
- Strong report writing and presentation skills for both technical and non-technical audiences.
Preferred Certifications:
- OSCP / OSWE / OSEP (Offensive Security)
- Burp Suite Certified Practitioner (BSCP)
- eWPTX / eCPPT / CEH (Practical)
- GWAPT / GPEN / GCPN
About Mphasis
Mphasis applies next-generation technology to help enterprises transform businesses globally. Customer centricity is foundational to Mphasis and is reflected in the Mphasis' Front2Back™ Transformation approach. Front2Back™ uses the exponential power of cloud and cognitive to provide hyper-personalized (C=X2C2TM=1) digital experience to clients and their end customers. Mphasis' Service Transformation approach helps 'shrink the core' through the application of digital technologies across legacy environments within an enterprise, enabling businesses to stay ahead in a changing world. Mphasis' core reference architectures and tools, speed and innovation with domain expertise and specialization are key to building strong relationships with marquee clients.
Equal Opportunity Employer:
Mphasis is an equal opportunity/affirmative action employer. We provide equal employment opportunities to applicants and existing associates and evaluate qualified candidates without regard to race, gender, national origin, ancestry, age, color, religious creed, marital status, genetic information, sexual orientation, gender identity, gender expression, sex (including pregnancy, breast feeding and related medical conditions), mental or physical disability, medical conditions, military and veteran status, or any other status or condition protected by applicable federal, state, or local laws, governmental regulations and executive orders.
Mphasis is committed to providing reasonable accommodations to individuals with disabilities. If you need a reasonable accommodation because of disability to search and apply for a career opportunity, please send an email to accomodationrequest@mphasis.com and let us know your contact information and the nature of your request.