Colossus Technologies Group

Mid-Level Application Security Tester

Colossus Technologies Group, Washington, District of Columbia, US, 20022


Join a dynamic and mission-driven cybersecurity team as a full-time Application Penetration Tester II in Washington, DC, where your expertise will help large organizations proactively reduce risk. If you're passionate about securing modern web and mobile applications, this hands-on technical role is for you.

What You'll Be Doing:

- Leading the technical testing of web and mobile applications through manual penetration testing, vulnerability scanning, and validation of security controls.
- Conducting source code reviews to identify security vulnerabilities and providing actionable consulting support based on your findings.
- Enhancing CI/CD pipeline processes by integrating testing methodologies using both static and dynamic analysis tools.
- Utilizing adversarial tradecraft and threat intelligence to model real-world attack scenarios and assess control effectiveness.
- Creating concise and actionable reports for both technical and non-technical audiences.
- Shaping new assessments and internal tools, drawing on past test results and emerging requirements.
- Staying current by engaging in ongoing research, developing innovative testing techniques, and continuously improving your skill set.

What We're Looking For:

- 3+ years of experience in application security, including penetration testing or secure code review.
- A strong foundation in application, infrastructure, and system-level security.
- Experience in both Windows and *nix environments.
- Proficiency in reading and writing code in various languages (e.g., Python, Java, Bash, C#).
- Familiarity with tools like Burp Suite Pro and platforms for SAST, DAST, and SCA (e.g., Checkmarx, OWASP ZAP, Fortify, Veracode).
- Excellent communication skills for breaking down findings and collaborating effectively across teams.

Bonus Points For:

- Experience in reverse-engineering mobile applications or overcoming anti-emulator/obfuscation protections.
- Background in container or cloud security (Docker, Kubernetes, AWS, Azure).
- Industry certifications such as OSCP, GWAPT, GPEN, or similar.
- Public contributions to the community (e.g., bug bounties, open-source projects, speaking at conferences).
- Familiarity with API testing and mobile platform security (iOS/Android).

Applicants must be authorized to work in the U.S. on a full-time basis, as sponsorship is not available at this time.