[Hiring] Penetration Testing Consultant @BMO

Role Description

Join a team where your work goes beyond checklists protecting critical financial applications with real business and regulatory impact. Why join this team?

• High-impact, meaningful work
• Directly influence the security of applications that matter to customers, regulators, and the business.
• Depth over volume: Focus on deep, manual penetration testing (web, mobile, APIs)—not automated, scanner-driven assessments.
• Accelerated technical growth: Work in complex, enterprise-scale environments that expose you to advanced architectures and evolving threats.
• End-to-end ownership: Engage across the full lifecycle: scoping → testing → reporting → remediation, with visibility and influence throughout.
• Modern tools and techniques: Use advanced testing tools to enhance testing depth and efficiency.
• More meaningful engagements: Experience fewer, higher-quality engagements versus consulting-style, high-volume work.

Qualifications

• Min of 3+ years experience with Manual Penetration Testing experience in Web or API.
• Strong exposure for testing Web applications in the following areas:
• A solid grasp of HTTP/S protocols, headers, cookies, sessions, and CORS behavior within your web testing experience.
• Experience testing authentication and authorization mechanisms (OAuth, JWT, session flaws, IDOR/BOLA).
• Strong proficiency with Burp Suite Professional, OWASP ZAP, IBM’s APP SCAN (proxying, repeater, intruder, extensions).
• Deep practical knowledge of OWASP Top 10 (Web + API) and common vulnerabilities.
• Ability to identify and exploit business logic vulnerabilities and multi-step attack paths.
• Preference for candidates who have at least one certification in a related field, with strong preference for Information security certifications from a well-recognized institution (e.g. OSCP, GMOB, GWAPT, OSWE).
• Secure coding and architecture understanding.
• Proficiency in at least one scripting language.
• Proficiency in documenting reproducible steps for technical accurate findings.

Requirements

• Typically between 4 - 7 years of relevant experience and a post-secondary degree in Information Security, Computer Science, Engineering, and/or Information Systems or a related field of study or an equivalent combination of education and experience.
• Preference for candidates who have at least one certification in a related field, with strong preference for Information security certifications from a well-recognized institution (e.g. (ISC)2, ISACA, SANS).
• Understanding of industry standards and frameworks e.g. NIST Cyber Security Framework (CSF), ISO 27001 and 27002, Payment Card Industry (PCI) Data Security Standard (DSS), etc. - In-depth.
• Experience in information security concepts and methodology.
• Knowledge of business analysis, project delivery practices and standards across the project lifecycle - In-depth.
• Knowledge of information security processes, procedures and controls - In-depth.
• Understanding of and problem solving ability for information security issues within their business group - Working.
• Understanding of information security risk and regulatory requirements - Working.
• Deep knowledge and technical proficiency gained through extensive education and business experience.
• Verbal & written communication skills - In-depth.
• Collaboration & team skills - In-depth.
• Analytical and problem solving skills - In-depth.
• Influence skills - In-depth.
• Data driven decision making - In-depth.

Benefits

• Salary: $88,800.00 - $165,600.00
• Pay Type: Salaried
• Performance-based incentives, discretionary bonuses, and other perks and rewards.
• Health insurance, tuition reimbursement, accident and life insurance, and retirement savings plans.