cFocus Software Incorporated

Penetration Tester - Lead

Posted 7 Days Ago

Be an Early Applicant

Washington, DC, USA

In-Office

Expert/Leader

Software

The Role

Lead penetration testing and cybersecurity assessments, conduct vulnerability analysis, and provide remediation guidance to improve security posture. Oversee technical teams and collaborate with various cybersecurity roles for effective operations and compliance with federal standards.

Summary Generated by Built In

Penetration Tester – Lead Position: Penetration Tester - Lead
Program: SBA Enterprise Cybersecurity Services (ECS)Position SummaryThe Penetration Tester – Lead supports the Small Business Administration (SBA) Enterprise Cybersecurity Services (ECS) program by leading advanced penetration testing, vulnerability assessment, adversarial simulation, and security validation activities supporting enterprise cybersecurity operations.
The Penetration Tester – Lead performs expert-level offensive cybersecurity activities including network penetration testing, web application assessments, cloud security testing, wireless testing, red team operations, social engineering support, exploit validation, security control effectiveness testing, and advanced vulnerability analysis. The position provides technical leadership, testing strategy development, remediation validation, and risk-based recommendations to improve SBA’s cybersecurity posture and enterprise resilience.Essential Duties and Responsibilities

Lead enterprise penetration testing and vulnerability assessment activities supporting SBA ECS cybersecurity initiatives.
Support Task Areas 3.5.4 and 3.5.4.7 by conducting advanced offensive security testing against enterprise systems, applications, cloud environments, networks, and security architectures.
Plan, coordinate, and execute internal and external penetration testing engagements in accordance with federal cybersecurity standards and approved Rules of Engagement (ROE).
Conduct application security testing against web applications, APIs, mobile applications, and cloud-hosted systems.
Perform network penetration testing, exploitation, lateral movement analysis, privilege escalation testing, and post-exploitation activities.
Execute adversarial emulation and red team exercises to evaluate security controls, monitoring capabilities, and incident response effectiveness.
Conduct vulnerability validation, exploit research, attack-path analysis, and risk prioritization activities.
Assess cloud security controls and configurations across Microsoft Azure, AWS, Microsoft 365, SaaS, and hybrid cloud environments.
Perform wireless security testing, password auditing, authentication testing, and identity management assessments.
Support phishing assessments, social engineering testing, and security awareness validation activities where authorized.
Develop detailed technical penetration testing reports, executive summaries, remediation guidance, and risk assessment documentation.
Provide technical recommendations for remediation of identified vulnerabilities, misconfigurations, and security gaps.
Validate remediation efforts and conduct follow-up testing to confirm resolution of identified findings.
Support development and refinement of penetration testing methodologies, procedures, testing standards, and operational playbooks.
Coordinate with security engineers, SOC analysts, ISSOs, system administrators, cloud engineers, and program managers during testing activities.
Assist with security architecture reviews, threat modeling, and attack surface analysis activities.
Use automated and manual testing techniques to identify vulnerabilities and validate exploitability.
Operate and maintain penetration testing toolsets, attack frameworks, vulnerability scanners, and security testing platforms.
Support compliance and assessment activities aligned with NIST RMF, NIST SP 800-53, FISMA, FedRAMP, and Zero Trust Architecture requirements.
Provide technical leadership and mentorship to junior penetration testers and cybersecurity analysts.
Participate in incident response support, forensic investigations, and threat hunting activities as required.
Support DevSecOps and secure software development initiatives through application security testing and code review support.
Ensure all testing activities comply with federal security policies, legal requirements, approved authorizations, and ethical hacking standards.

Minimum Qualifications

Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, Engineering, Information Systems, or related discipline. Relevant experience may substitute for degree requirements.
Minimum of 10 years of experience supporting penetration testing, vulnerability assessments, offensive cybersecurity operations, red teaming, or advanced cybersecurity engineering.
Extensive experience conducting penetration testing against enterprise networks, web applications, cloud environments, and operating systems.
Advanced knowledge of offensive security methodologies, exploitation frameworks, attack techniques, and adversarial tactics.
Experience using penetration testing and security assessment tools such as Metasploit, Burp Suite, Nessus, Nmap, Kali Linux, Cobalt Strike, BloodHound, Wireshark, and related platforms.
Strong understanding of network protocols, operating systems, identity management, authentication mechanisms, and cloud architectures.
Experience with scripting or programming languages such as Python, PowerShell, Bash, JavaScript, or Go.
Knowledge of NIST RMF, NIST SP 800-53, FISMA, FedRAMP, MITRE ATT&CK, and Zero Trust Architecture concepts.
Experience leading penetration testing teams, coordinating testing engagements, and presenting findings to technical and executive stakeholders.
Strong analytical, problem-solving, technical writing, and communication skills.
Experience supporting federal agencies or government cybersecurity environments preferred.

Preferred Certifications

Offensive Security Certified Professional (OSCP)
Offensive Security Experienced Penetration Tester (OSEP)
GIAC Penetration Tester (GPEN)
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
Certified Ethical Hacker (CEH)
Certified Information Systems Security Professional (CISSP)
CompTIA PenTest+
GIAC Web Application Penetration Tester (GWAPT)
Certified Red Team Professional (CRTP)
AWS Certified Security – Specialty
Microsoft Certified: Azure Security Engineer Associate

Skills Required

Bachelor's degree in Cybersecurity, Information Technology, Computer Science or related discipline.
Minimum of 10 years of experience in penetration testing or offensive cybersecurity operations.
Extensive experience in conducting penetration testing against enterprise networks and web applications.
Advanced knowledge of offensive security methodologies and techniques.
Experience with penetration testing and security assessment tools.
Understanding of network protocols and cloud architectures.
Experience with scripting or programming languages like Python and PowerShell.
Knowledge of NIST RMF and cybersecurity concepts.
Experience leading penetration testing teams and presenting findings.

View all jobs at cFocus Software Incorporated

View cFocus Software Incorporated Profile

Report Job

Am I A Good Fit?

beta

Get Personalized Job Insights.

Our AI-powered fit analysis compares your resume with a job listing so you know if your skills & experience align.

The Company

HQ: Largo, MD

25 Employees

Year Founded: 2006

What We Do

Established in 2006, cFocus Software automates FedRAMP compliance and develops government chatbots for the Azure Government Cloud, Office 365, and SharePoint. cFocus Software is the exclusive vendor of ATO (Authority To Operate) as a Service™, which automates FedRAMP compliance for the Azure Government Cloud and Office 365. Contact Us for a demo of ATO as a Service™ or a FREE government chatbot proof of concept project today!