J
Senior Penetration Tester - Web & Hardware/IoT
Job Description
The Senior Penetration Tester will lead hands-on assessments for JPMorganChase across web, API, cloud, infrastructure, and limited banking hardware and IoT environments, overseeing planning, execution, reporting, and remediation guidance with stakeholders.
Responsibilities
- Plan, scope, and execute penetration testing engagements across web applications, APIs, cloud platforms, infrastructure, thick-client, and mobile applications (primary focus).
- Perform security assessments of banking hardware and connected/IoT technologies (limited but expected), including ATMs, POS devices, and other embedded endpoints.
- Collect and validate pre-requisites for each engagement, ensuring access, documentation, and approvals are in place (including lab/onsite testing logistics and device access where applicable).
- Perform manual and automated testing to identify vulnerabilities, misconfigurations, and security weaknesses, leveraging industry-standard tools and custom scripts.
- Document and communicate findings through comprehensive reports with technical details, risk assessments, and actionable remediation recommendations.
- Conduct peer reviews of penetration test reports to ensure accuracy, consistency, and quality of deliverables.
- Collaborate with development, infrastructure, security, and device/product engineering teams to clarify findings, support remediation efforts, and provide subject matter expertise on offensive security.
- Stay current with emerging threats, vulnerabilities, and attack techniques by leveraging threat intelligence, security research, and participation in relevant industry groups.
- Contribute to the continuous improvement of penetration testing methodologies, tools, and frameworks to align with firm strategy and regulatory requirements.
Requirements
- 5+ years of hands-on penetration testing experience in offensive security, with a proven track record of scoping, executing, and reporting on complex engagements.
- Expertise in manual penetration testing of web, API, cloud (AWS/Azure/GCP), infrastructure, thick-client, and/or mobile (Android/iOS) applications, including use of industry-standard tools (e.g., Burp Suite, Nmap, Metasploit, etc.).
- Working knowledge of testing approaches for connected devices/IoT and purpose-built banking devices (e.g., ATMs, POS), including common attack surfaces such as exposed services, remote administration paths, authentication/authorization, hardening gaps, and insecure configurations.
- Strong understanding of security assessment methodologies such as OWASP Top Ten, NIST Cybersecurity Framework, and other relevant standards.
- Ability to identify and articulate systemic security issues related to threats, vulnerabilities, and risks, and provide clear, actionable remediation recommendations.
- Exceptional organizational and communication skills, including the ability to write detailed technical reports and present findings to both technical and non-technical stakeholders.
- Experience conducting peer reviews of penetration test reports and mentoring junior testers.
- Continuous learner who keeps up with the latest offensive security trends, tools, and techniques.
Technologies
- Burp Suite
- Nmap
- Metasploit
- AWS
- Azure
- GCP
- Android
- iOS
- Python
- Java
- Rust
- Windows
- Unix-like
Benefits
- Base salary determined by role, experience, skill set and location
- Commission-based pay and/or discretionary incentive compensation, paid in cash and/or forfeitable equity
- Comprehensive health care coverage
- On-site health and wellness centers
- Retirement savings plan
- Backup childcare
- Tuition reimbursement
- Mental health support
- Financial coaching
Preferred Qualifications, Capabilities, and Skills
- Knowledge of cybersecurity practices, operational risk management, and incident response methodologies within the US financial services sector, including relevant regulations, threats, and risks.
- Proficiency in penetration testing and security concepts for both Windows and Unix-like operating systems.
- Experience conducting security-focused source code reviews (e.g., Python, Java, Rust).
- Experience in reverse engineering thick-client and mobile applications to identify vulnerabilities.
- Experience assessing embedded systems / IoT devices in lab or onsite environments (e.g., device interface review, firmware/configuration analysis, and network/service exposure testing) relevant to ATM/POS ecosystems.
- Relevant certifications such as OSWE, CREST (CRT, CCT), OSCP, OSCE, GXPN, GWAPT, GPEN, GMOB, or BSCP.
Similar Jobs
J
J
J