[Hiring] Cloud Penetration Tester @Bishop Fox

Role Description

At Bishop Fox, security isn't just a job - it's our passion. As leaders in continuous offensive security and penetration testing, we deliver world-class customer experiences. Joining Bishop Fox means collaborating with a curious and dedicated team. You'll tackle complex challenges for some of the world's most recognized organizations, securing their networks against real-world threats.

We are expanding and hiring a Pen Tester to join us on this exciting journey. We’re looking for a talented, experienced professional hacker to help us secure some of the world’s most complex software and sophisticated technologies. You’ll be working alongside our US and internationally-based teams supporting clients across multiple industries.

You’re a cybersecurity consultant with a strong offensive security mindset and a passion for understanding how modern applications, cloud platforms, APIs, and emerging technologies operate at a deep technical level. You enjoy uncovering security weaknesses, thinking creatively about attack paths, and helping organizations solve complex security challenges through practical, risk-focused assessments.

At Bishop Fox, you’ll work on a wide variety of security engagements including:

• Cloud Security Assessments
• Mobile Application Security Testing
• Hybrid Application Assessments (HAA)
• AI/LLM Security Assessments

Your responsibilities will include:

• Performing hands-on security testing
• Analyzing application behavior
• Reviewing source code
• Identifying realistic exploitation scenarios
• Validating security controls across modern architectures
• Working closely with clients and internal teams to deliver high-quality technical assessments and actionable remediation guidance
• Contributing throughout the full engagement lifecycle from scoping and test planning to execution, reporting, and client presentations

Success in this role requires:

• Strong technical depth
• Structured testing methodologies
• Effective communication skills
• The ability to adapt quickly to new technologies and environments

Qualifications

• 4+ years of experience in application security assessments, penetration testing, or offensive security engagements
• Strong understanding of application security fundamentals, modern attack techniques, and common vulnerabilities affecting web applications, APIs, mobile applications, and cloud-native environments
• Hands-on experience testing REST APIs, including authentication/authorization flaws, IDORs, injection vulnerabilities, session management issues, and business logic flaws
• Strength with AWS services and cloud security concepts, including IAM, STS, S3, Lambda, API Gateway, CloudTrail, CloudWatch, and secure communication patterns such as SigV4
• Solid understanding of networking and web fundamentals, including HTTP/HTTPS, TCP/IP, DNS, API communication flows, cookies, headers, and related concepts
• Experience reviewing source code for security issues in Java, C#, and Python applications
• Knowledge of secure coding principles and common risks such as SSRF, insecure deserialization, injection vulnerabilities, sensitive data exposure, and insecure cloud integrations
• Understanding of SDLC, CI/CD pipelines, and secure development practices
• Experience using security assessment and code review tools such as Burp Suite, Semgrep, Git, AWS CLI, and API testing/debugging tools
• Comfortable working across Linux, Windows, and macOS environments
• Experience or strong interest in AI/LLM security, including prompt injection, RAG risks, insecure integrations, excessive permissions, and the OWASP Top 10 for LLM Applications
• Strong written and verbal communication skills, with the ability to deliver clear, actionable findings and communicate technical risks to both technical and executive stakeholders
• Experience following structured testing methodologies, documentation standards, and validation/retesting workflows
• Strong collaboration and interpersonal skills when working with security, engineering, and client teams
• Ability to manage multiple concurrent engagements while maintaining high-quality deliverables and attention to detail
• Curious, adaptable, and professional mindset with a passion for continuous learning and emerging security trends

Nice to Have

• Exposure to hardware or embedded device security testing
• Familiarity with cloud-native and serverless architectures
• Consulting or client-facing experience
• Relevant security certifications or hands-on research contributions

Benefits

• Generous Time Off and Company-Wide Holidays
• Team Events and International Travel Opportunities
• Work From Home Support
• Training Budget
• Saving Fund
• Food Coupons
• Health and Wellbeing programs