Penetration Testing
Indexed description
Location: Hybrid – Princeton, NJ | Clifton, NJ | Berwyn, PA | Austin, PA | Boston, MA | Quincy, MA
Salary Range: $185,000 - $195,000 + Performance Bonus
Department: Threat Intelligence & Assurance
Role Summary
We is seeking a highly technical Manager to lead our internal Penetration Testing Team. Reporting to senior leadership within the Threat Intelligence and Assurance function, this role is a hybrid of technical leadership and program ownership. You will be responsible for building, mentoring, and maturing a team of elite testers tasked with securing one of the world's most complex financial infrastructures.
This is not a "check-the-box" compliance role. We require an engineering-driven approach to offensive security. You will establish rigorous, evidence-based testing standards across applications, networks, APIs, and multi-cloud environments. Your leadership will ensure that testing outputs are regulator-ready, actionable, and directly translate into measurable risk reduction for the enterprise.
What You Will Be Responsible For
Team Leadership & Mentorship
- Lead, mentor, and develop a team of penetration testers, fostering deep technical expertise and continuous skill development.
- Cultivate a "Purple Team" mindset, ensuring testers collaborate effectively with defenders to improve detection and response capabilities.
- Manage resource allocation, capacity planning, and professional development roadmaps to retain top-tier talent.
- Own the lifecycle of the penetration testing program, including methodologies (e.g., OWASP, PTES, MITRE ATT&CK), tooling selection, QA practices, and reporting standards.
- Establish and enforce engineering-centric testing standards to ensure consistency, reproducibility, and depth across internal and 3rd-party assessments.
- Develop a risk-based prioritization model to ensure testing focuses on critical assets and emerging threat vectors.
- Drive delivery of high-quality, hands-on testing across diverse landscapes:
- External/Internal Network: Bypassing firewalls, routers, switches, and segmentation controls.
- Web Applications & APIs: Deep-dive assessments of RESTful, GraphQL, and SOAP APIs.
- Cloud Platforms: Complex attack path identification in AWS, Azure, and GCP (IaaS, PaaS, SaaS).
- Serve as the technical escalation point, assisting the team with complex exploitation chains, privilege escalation, and lateral movement techniques.
- Oversee and coordinate testing performed by external providers, including scoping, technical validation of results, and ensuring adherence to State Street’s quality standards.
- Ensure outputs are "Audit-Ready": Clear documentation, evidence-based findings, and reports that tie technical vulnerabilities to business impact and regulatory risk (e.g., FedRAMP, GLBA, NYDFS).
- Partner with engineering, infrastructure, and architecture teams to drive effective remediation, validate fixes, and improve secure design/development practices.
- Spearhead the integration of emerging technologies into the program, specifically focusing on AI/LLM security. This includes testing enterprise AI deployments for prompt injection, model abuse, data leakage, and insecure output handling.
- Evaluate and integrate AI-assisted tools to automate reconnaissance, fuzzing, and vulnerability validation to increase team throughput.
- Track, analyze, and communicate program KPIs (e.g., Mean Time to Remediate, vulnerability recurrence rates, coverage percentage) to senior leadership, translating technical jargon into clear business risk posture.
- Leadership via Influence: Ability to lead without explicit authority; building high-trust teams and developing future leaders.
- Risk-Based Decision Making: Prioritizing what matters most in a highly regulated, complex environment.
- Strategic Perspective: Connecting a technical finding (e.g., a buffer overflow) to enterprise risk outcomes (e.g., data breach impact).
- Executive Communication: Ability to present complex findings to Board-level stakeholders and Engineering VPs.
- Curiosity: A passion for continuous learning, especially in offensive AI/LLM security and cloud-native attacks.
- Ownership: A "Bias for Action" - holding self and team accountable for driving issues through to closure.
As a Manager, You Will Be Expected To Possess Deep Familiarity With The Following Technologies And Tools, And Guide Your Team In Their Effective Utilization
- Operating Systems & Virtualization: Kali Linux, Windows Server/Linux (RHEL, Ubuntu), VMware, ESXi.
- Programming & Scripting (for automation & exploit dev): Python, Go, Bash, PowerShell, Ruby (Metasploit), JavaScript/Node.js.
- Cloud & Container Security:
- AWS: EC2, S3, IAM, Lambda, VPC, EKS.
- Azure: Entra ID (Azure AD), Azure Storage, Key Vault, AKS.
- GCP: Compute Engine, Cloud Storage, IAM.
- Container/Orchestration: Docker, Kubernetes, Helm, Istio.
- Network Security & Exploitation:
- Tools: Burp Suite Pro, Nmap, Wireshark, Cobalt Strike, Metasploit, BloodHound/SharpHound, Impacket, Responder, CrackMapExec.
- Protocols: TCP/IP, LDAP, Kerberos, NTLM, SMB, RDP, DNS, SNMP.
- Application Security:
- SAST/DAST: Synopsys, Checkmarx, Fortify, OWASP ZAP.
- API Testing: Postman, Insomnia, Burp Suite (BApps), custom Python scripts for fuzzing.
- Frameworks: React, Angular, .NET Core, Spring Boot (familiarity for reviewing code).
- IAM & Active Directory: Deep knowledge of AD attack paths, Kerberos delegation, Golden Ticket, DCSync, and Azure/Entra ID misconfigurations.
- CI/CD & DevSecOps: Jenkins, GitLab CI, Azure DevOps – understanding of pipeline security (e.g., injecting malicious code, manipulating artifacts).
- Vulnerability Management: Integration with tools like Tenable/Nessus, Rapid7, and Jira for ticketing/remediation tracking.
- Experience: 8+ years in offensive security (Penetration Testing/Red Teaming) with at least 5 years in highly regulated sectors (Finance, Healthcare, Government). 2+ years of direct team management or Technical Lead experience preferred.
- Technical Depth: Expert-level knowledge of network and application attack surfaces, including complex enterprise attack paths and microservices architectures.
- Cloud: Proven experience compromising containerized environments and exploiting identity-centric architectures.
- Regulatory Knowledge: Experience delivering outputs that satisfy internal audit, external regulators (OCC, FRB), and compliance frameworks (PCI-DSS, SOC2).
- Remediation: Demonstrated ability to translate deep technical findings into actionable, risk-based remediation roadmaps for non-security technical teams.
- Offensive Security: OSCP, OSCE3, OSEP.
- SANS: GPEN, GXPN, GWAPT, GCPN.
- Industry: PNPT, CREST (CRT, CCT INF, CCT APP, CCRTS, CCRTM).
- Experience using AI/LLM tools (e.g., GPT-4, Copilot) to accelerate reconnaissance, code review, and exploit development.
- Background in Application Development or DevOps Engineering.
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search