Senior Penetration Tester

If you’re passionate about security and privacy, and want to use your offensive security skills to help safeguard private, uncensored access to the internet for millions of customers, we’d love to speak with you. 

You’re a natural at solving problems and identifying security weaknesses with deep expertise in application security and infrastructure, and you have experience working on teams that know how to remediate vulnerabilities you identified based on your recommendations. You aren’t afraid of change, and you ask the questions that need to be asked. A lack of clarity is something you can’t settle for, and you voice your concerns when the balance between effort and impact seems off. 

As someone with an offensive security mindset, you know there are always vulnerabilities waiting to be found, and you’re naturally collaborative to help find and address them. You’re always willing to hear ideas from your colleagues. Likewise, you're willing to share your own knowledge and mentor others. 

As a senior individual contributor on our Offensive Security team, you’ll have a broad set of responsibilities including:

• →Prepare and execute penetration testing projects of our assets, services and applications, either individually or as part of a team with members across various geographic locations such as Singapore, Hong Kong, London, Germany and Bucharest.
• →We operate across a wide range of technologies, from client facing applications written in various languages for various platforms, to backend infrastructure and services, and router firmware. We provide an environment where you’ll be exposed to a wide range of technologies that form our tech stack.
• →You’ll need a strong white-box testing methodology and the ability to identify bugs in source code to go along with good organization and communication skills when delivering penetration tests of our applications and services.
• →Work closely with the engineering teams to provide expert guidance and advice on remediation of identified vulnerabilities
• →Verify the existence of newly discovered vulnerabilities in our software stack, including triaging and verifying bugs from our bug bounty program and automated scanners, and develop novel attack vectors based on these 
• →Manage and support penetration testing services performed by outside vendors, from project inception, scoping, completion of the assessment, and finally, working with engineering teams to have the identified issues remediated
• →Bring creative solutions to fruition for solving some of the complex security challenges faced by our organization, and provide security reviews on technical design documents for our solutions. Identify areas where automated testing can be done, then develop, maintain and continuously improve tools to support these automated tests
• →Mentor, guide and support other team members using your strong technical knowledge
• →Identify inefficiencies in the team’s workflow, suggest solutions and drive them to completion

This role focuses strongly on your ability to perform penetration testing (with a specialization in either desktop and server applications, infrastructure, and mobile apps, depending on your experience). To be a good fit for this role, you should be able to read source code in various languages, identify security weaknesses and vulnerabilities in various platforms and efficiently deliver security assessment projects while mentoring junior team members. Networking knowledge is critical to succeed in this role.

• Identify vulnerabilities, misconfigurations and deviations from best practices within applications by means of manual source code review, static code analysis, and/or fuzzing using Burp Suite, AFL or similar tooling. We expect vulnerabilities to be identified and exploited up to the levels of OSCP, OSWE or OSED
• Analyze application binaries, shared libraries, and browser extensions through the use of debuggers and reverse engineering tools to understand the components of the application and assess their security posture, as well as how they interact with the underlying operating system
• Experience writing scripts in languages such as: Python, bash, or Golang to showcase your proof of concepts
• Experience writing automation workflows such as Github Actions
• Provide mentorship and guidance to other team members and share knowledge and findings with them
• Good knowledge of:
• TCP/IP, IDS/IPS, firewalls, WAF, and web content filtering
• Cryptography: PGP, SSH, PKI

• Your capacity to consistently identify security vulnerabilities and provide sound remediation strategies alongside our engineering teams is key to success in this role
• You’ll be assigned as a security lead across a number of our projects, and will need to mentor more junior team members and help them grow their skillset
• Your ability to design technical solutions while staying ahead of industry trends will help drive continued security improvement, especially when supporting secure engineering designs

Finally, candidates with strong experience in manual source code review and vulnerability research, or a strong track record in this area (e.g. CTFs, bug bounty program activity, published CVEs) are preferred.

We believe in fostering an environment that empowers decision-making at all levels. Our culture is rooted in the inverted pyramid approach, where the engineers, who have a deep understanding of the product and the customers, are the ones who have the knowledge and the authority to make impactful decisions. 

• We prioritize treating every team member with respect and promote open and constructive feedback, ensuring a culture of trust and transparency
• We encourage learning through experimentation and provide a safe space for everyone to learn from their experiences
• Our managers are dedicated to facilitating career growth and creating an environment that attracts and supports talented engineers

#LI-PS1

• At the moment, we do not sponsor visas in the EU. For Hong Kong, we require at least two years of working experience and a university degree in a related field. For Singapore and the UK, we can only sponsor visas for mid-career or above.
• Please upload your resume as a PDF and do not include any salary or compensation information in it.

ExpressVPN is one of the world’s leading providers of online privacy and security services for consumers. Started in 2009, we’ve grown to have millions of active paying customers, a team of more than 700 people worldwide, and a brand recognized by hundreds of millions of people in 18 languages and more than a hundred countries. We see huge growth in our industry, and are gaining market share through strong execution.