Cybersecurity Penetration Testing Engineer - Web App, Mobile App & API Security
Location-Charlotte, NC | Dallas/Irving, TX | Chandler, AZ
Job Summary-
The Penetration Testing Engineer will be responsible for conducting in-depth web application, mobile application, and API security testing across business-critical platforms.
The role requires hands-on expertise in Burp Suite, deep understanding of offensive security methodologies, and the ability to identify, exploit, and document security vulnerabilities.
The engineer will work closely with development, DevSecOps, and risk teams to ensure secure SDLC practices and support remediation of discovered vulnerabilities.
Years of experience needed-5-8 years of total experience in application or API penetration testing, with at least 3+ years in hands-on offensive test
Key Responsibilities:
1. Penetration Testing & Vulnerability Assessment
Perform manual and automated penetration testing on web, mobile, and API endpoints.
Use Burp Suite Professional extensively for intercepting, modifying, and exploiting HTTP/S traffic. Conduct source code-assisted testing when applicable to identify deeper logic flaws.
Simulate real-world attack scenarios using OWASP Top 10, SANS 25, and API Security Top 10 framewnes
2. API Security Testing
Perform REST and GraphQL API penetration testing, including JWT, OAuth, and token manipulation. • Validate business logic vulnerabilities and parameter tampering across microservices.
Use tools such as Postman, Burp Suite, and OWASP ZAP for fuzzing, interception, and payload injection Validate API schema misconfigurations, rate limiting, and data exposure issues.
3. Offensive Security & Exploitation
Execute custom payloads and exploits to demonstrate risk severity to stakeholders.
Develop proof-of-concept (PoC) exploits to validate identified vulnerabilities
Emulate attacker tactics, techniques, and procedures (TTPs) from MITRE ATT&CK and CWE references. Perform targeted assessments on authentication bypass, privilege escalation, and input deserialization.
4. Reporting & Remediation Support
• Document detailed findings, reproduction steps, impact analysis, and mitigation recommendations.
• Collaborate with developers and DevSecOps teams to ensure timely patching and secure code fixes Participate in vulnerability triage and retesting post-remediation.
Present reports to technical and management stakeholders in clear, risk-prioritized language.
5. Security Process & Continuous Improvement
.Integrate testing results into CI/CD pipelines where possible (DevOps enablement).
Contribute to secure coding guidelines and training sessions for developers.
Evaluate emerging attack trends, new CVES, and offensive security tools to keep the testing framework current.
Assist in developing internal scripts, extensions, or automation workflows for testing efficiency.
Technical Skills
Core Tools & Techniques
Burp Suite Professional-expert-level usage (Intruder, Repeater, Decoder, Extender). Familiarity with OWASP ZAP, Nmap, Metasploit, SQLmap, DirBuster, Hydra, and Ffuf Deep understanding of OWASP Top 10 (Web & API) and CWE Top 25 vulnerabilities Strong ability to identify and exploit logic-based and authentication-related flaws.
Programming & Scripting
Proficiency in at least one scripting language: Python, JavaScript, or Bash.
• Experience writing small custom scripts or Burp extensions for advanced payloads.
• Understanding HTTP/HTTPS, REST, GraphQL, JSON, and XML protocols.
Offensive Security
Practical experience in vulnerability exploitation, reverse engineering, or red team engagements Familiarity with exploit development frameworks, Ca tools (Cobalt Strike, Empire) is a plus.