Penetration Tester/PenTester

Overview

Role: Penetration tester/Pen tester

Location: London, UK (Hybrid)

Inside IR35

Contract: 6 months +

The Role

Performs manual and automated penetration tests on networks, systems, web applications, and endpoints. Identifies, exploits, and documents security vulnerabilities to assess an organization's risk exposure. Develops detailed reports with findings, impact analysis, and actionable remediation recommendations. Simulates real-world attacks to test the effectiveness of existing security controls and incident response. Keeps up to date with the latest vulnerabilities, exploit techniques and penetration testing tools, both in general and those specific to the airline industry and transportation sector.

Your responsibilities

  • Performing IaC Automation and ServiceNow integrations to automate AWS Service catalogues.
  • Planning and conducting full-scope penetration tests of applications, APIs, internal infrastructure, networks, and cloud environments
  • Perform internal/external network testing, AD enumeration and abuse, and privilege escalation
  • Identifying potential weaknesses in systems, networks, and applications through various methods, including automated scanning and manual analysis.
  • Employing the techniques and tools that malicious hackers might use to test the resilience of systems and identify vulnerabilities.
  • Identify flaws such as insecure authentication, authorization bypass, input validation issues, cloud misconfigurations, AD misuses, etc.
  • Create detailed reports, including executive summaries and technical findings, that outline identified vulnerabilities, their potential impact, and recommended remediation steps, giving clients actionable advice on how to address the vulnerabilities and improve their security posture
  • Collaborate with development, cloud, and infrastructure teams on remediation
  • Test and review cloud security (AWS/Azure/GCP): IAM, storage, networking, etc.

Your profile

Essential skills/knowledge/experience:

  • Strong application security background (OWASP Top 10, API security)
  • 3–7+ years in penetration testing, red teaming, or offensive security
  • Proven experience conducting end-to-end pentests (internal, external, cloud, AD, web app, API)
  • Familiarity with common pentest reporting formats (CVSS, MITRE ATT&CK mapping)
  • Experience working in both waterfall and agile environments
  • Comfort with NDA-restricted, compliance-driven, or sensitive environments
  • Strong reporting skills for both technical and executive audiences
  • Familiarity with cryptographic principles and techniques.
  • Ability to write scripts (Python, Shell, Bash) for automation and exploit development.
  • Infrastructure: Windows, Linux, Active Directory, Entra ID/Azure AD, VPNs, VLANs
  • Cloud Platforms: AWS, Azure, GCP
  • Security Tools:
      o Recon & Infra: Nmap, Nessus, Masscan, Amass, Recon-ng
      o Exploitation: Metasploit, ExploitDB, Cobalt Strike, Empire, Mimikatz
      o Web App Tools: Burp Suite, ZAP, Nikto, SQLmap
      o Cloud Tools: ScoutSuite, CloudSploit, Pacu

Desirable skills/knowledge/experience

  • Exceptional customer engagement and reporting skills
  • Exceptional analytical, problem-solving, and troubleshooting abilities
  • Proven use of modern security tooling in real-world projects
  • Experience in agile delivery teams and cross-functional collaboration
  • Comfortable documenting technical findings and engaging in remediation cycles

Nice to Have Certifications (not mandatory)

  • OSCP, OSWA, OSEP, OSCE, CRTP, CRTE, GPEN, GXPN, eCPPT
  • AWS or Azure Security certs
  • Advanced AD/cloud/red teaming training (e.g., SANS, HackTheBox Pro Labs)

Location: London, England, United Kingdom

Salary: £125,000 - £150,000

Job Type: Full-time

Category: IT & Technology