Center for Internet Security, Inc.

Senior Information Security Penetration Tester - Remote

Job Locations: US
ID: 2024-1982
Category: Information Security
Type: Regular Full-Time
Remote?: Yes

Overview

The Senior Information Security Penetration Tester is part of the Corporate department, sits on the Information Security team, and reports to the Information Security Operations Manager. As a Senior Information Security Penetration Tester, you will be the subject matter expert in conducting vulnerability and security assessments, including penetration tests, of internal CIS networks. This position will also be responsible for the assessment of products and services created by CIS. The role includes security awareness opportunities to assess organizational resiliency through phishing engagements and red/blue team exercises under the ISO purple team initiative.


The Center for Internet Security (CIS) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit responsible for industry-leading best practices for securing IT systems and data. CIS is also a trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities and election offices.


CIS has an award-winning reputation for investing in its people, as well as for continuous learning and development. We offer our employees diverse opportunities to expand their impact personally and professionally, in their local communities, and among one another. Core Leadership Principles drive our employees at every level of the organization, empowering them to be leaders in everything they do.

Salary Range: $82,500 - $144,400

We offer a competitive total rewards package at the Center for Internet Security:
  • Base salary is determined on a number of factors including, but not limited to, education, experience and skills
  • Health (PPO, EPO, HSA), Dental & Vision Insurance eligibility starting from the first day of hire
  • $500 wellness card for Health Coverage Participants
  • 401(k) with 4% Company Match, vested from the first day of hire
  • Flexible Spending Account (FSA) & Dependent Care Account (DCA)
  • Life Insurance
  • Bonding Leave
  • Paid Volunteering Program
  • Bonus eligibility
  • Paid Time Off (PTO) inclusive of vacation, personal and sick time
  • Paid Holidays
  • Wellness Program
  • Employee Engagement Activities
  • Professional Development Opportunities
  • Tuition Reimbursement
  • Student Loan PayDown Program
  • Employee Referral program
  • Employee Assistance Program

What You'll Do

  • Co-lead vulnerability scanning and penetration testing for internal CIS networks and systems
  • Test products and services provided by CIS with emphasis on web application and API penetration testing and assessment
  • Physical security assessments of CIS locations
  • Engage in phishing exercises for organization security awareness
  • Assess the organizational security posture and provide gap assessment and analysis for prioritization
  • Build and maintain successful relationships with internal CIS teams through collaborative efforts
  • Create detailed, easy to read, and actionable reports of assessment activity for consumption by internal and external organizations
  • Develop and implement tools for penetration testing and early warning of weaknesses or possible incidents (e.g., honeypots, threat intel, etc.) building on methodologies as promulgated by CIS, NIST, etc.
  • Configure, manage, and maintain security testing platforms and tools
  • Create and continuously improve standards, requirements, procedures, and guidelines for penetration and security testing
  • Perform penetration testing against internal- and external-facing applications
  • Assist in driving internal purple team assessments on key resources and applications
  • Assist in the development of threat models for CIS applications
  • Perform proactive research to detect new attack vectors and critical vulnerabilities; work with CIS operational teams, specifically the Cyber Threat Intelligence (CTI) team, to provide early warning communications to U.S. State, Local, Tribal, and Territorial (SLTT) government members with recommendations to facilitate proactive defense
  • Correctly balance security risk and product advancement
  • Assist in training and mentoring other team members
  • Assist with improvements to policies, procedures, technologies, tools, techniques, and operational efficiencies
  • Participate in incident response efforts as needed
  • Other tasks and responsibilities as assigned

What You'll Need

  • Bachelor’s degree in Cybersecurity, Computer Science, Information Technology, or a related field*
  • 3+ years of experience in penetration testing and vulnerability assessments
  • Experience with vulnerability scanning tools such as Nessus, Qualys, Nexpose, etc.
  • Experience with web application and penetration testing tools such as Metasploit, BurpSuite, ZAP, etc.
  • Ability to maintain strict confidentiality
  • The position is open to U.S. Citizens and requires a favorably adjudicated DHS Fitness Review for Public Trust Positions**

It's a Plus if You Have:

  • Certifications in related areas (GPEN, OSCP, GXPN, etc.)
  • Secure web app design, cryptography and key material handling, authentication mechanisms such as OAuth, SAML or OpenID, sensitive data protection, SDLC integration (fuzzing tests, static and dynamic code analysis)
  • Experience in the use of source code scanners and the ability to manually validate findings/eliminate false positives
  • Familiarity with cloud security (agnostic of vendor) and common configurations
  • Familiar with the use of various manual and dynamic application vulnerability testing suites
  • Ability to detect, define, exploit, and remediate OWASP top 10 (including the LLM and AI iteration) vulnerabilities without the use of a vulnerability scanner
  • Proficiency with scripting languages (e.g., Python, Bash, PowerShell)
  • Red Team or Purple Team experience
  • Knowledge of CIS Controls, NIST standards, and SOC 2 compliance

*Additional years of relevant experience or a combination of an Associate’s degree or equivalent and relevant experience may be substituted for the Bachelor’s degree.


**Factors that may cause a negative Fitness Review decision include:

  • Criminal Conduct
  • Dishonest Conduct
  • Employment Misconduct
  • Alcohol Abuse
  • Drug Use (illegal drug use or use of a legal drug in a manner that deviates from approved medical direction)
  • False Statements
  • Have not resided in the US for three (3) of the past five (5) years

At CIS, we are committed to providing an inclusive environment in which the diverse backgrounds, experiences, and views of our employees, members, and customers are valued and respected. It is through this commitment that we are able to work together towards our common mission: to make the connected world a safer place.
