Senior Systems Security Specialist (Penetration Testing & Offensive Security)

Senior Systems Security Specialist (Penetration Testing & Offensive Security)
Multi-year Contract
Onsite/Hybrid Baltimore, Maryland

We are seeking a Senior Systems Security Specialist to lead and execute offensive security initiatives, including advanced penetration testing and red team engagements across networks, applications, APIs, and cloud environments. This specialist will play a key role in identifying vulnerabilities, simulating real-world attack scenarios, and strengthening enterprise security posture. This is a hands-on technical role requiring deep experience in both testing and remediation, as well as the ability to communicate risk and guidance to both technical and executive audiences.

Responsibilities:

• Conduct internal and external penetration testing of networks, web applications, APIs, and cloud environments to uncover security vulnerabilities and exploit paths.
• Perform red team exercises simulating real-world adversary tactics and techniques (aligned with MITRE Telecommunication&CK).
• Carry out vulnerability assessments, threat modeling, and attack surface analysis.
• Review secure configurations, network and cloud architectures, and identity management systems.
• Evaluate and analyze application security controls with dynamic and manual testing techniques for authentication, session management, input validation, and access controls.
• Perform source code reviews for secure coding practices and identify vulnerabilities in Python, C/C++, Java, or comparable languages.
• Develop custom scripts and tools to enhance penetration testing capabilities and test automation.
• Prepare and deliver comprehensive penetration test reports, including executive summaries, risk ratings, and remediation guidance.
• Support incident response investigations by recreating adversarial attack chains, validating compromise scenarios, and analyzing root causes.
• Assess the effectiveness of Zero Trust architectures, micro-segmentation, and identity-based security controls.
• Conduct phishing simulations and social engineering campaigns to evaluate user awareness and organizational resilience.
• Brief executive leadership and technical stakeholders on security risk and remediation priorities.
• Collaborate with engineering, DevOps, and IT teams to remediate vulnerabilities and strengthen security controls.
• Map findings and test outcomes to NIST, OWASP, CIS, and other applicable security frameworks.
• Develop and continuously improve security policies, testing methodologies, playbooks, and standards.
• Adhere to governance, change control, and project management office (PMO) policies.
• Be available to work overtime, on-site or off-site, including weekends and off-hours as needed.

Minimum Qualifications:

• At least 8 years of experience in cybersecurity, with 5+ years in penetration testing or red team engagements.
• 5+ years in network, web application, and API penetration testing; vulnerability assessment; and threat modeling.
• 5+ years developing formal penetration testing reports with executive summaries and actionable guidance.
• 5+ years supporting incident response, root cause analysis, and validation testing.
• Proficiency with common penetration testing tools (Metasploit, Burp Suite, Nmap, Wireshark, Nessus, etc.).
• Strong knowledge of secure coding practices, application security (SAST/DAST), network architectures, segmentation, and IAM.
• 5+ years scripting or programming (Python, C/C++, PowerShell, Bash, etc.).
• 5+ years mapping findings to security frameworks (NIST, MITRE Telecommunication&CK, OWASP Top 10).
• At least one recognized offensive security certification (OSCP, GPEN, GXPN, CEH, or equivalent experience).
• Ability to translate complex technical findings into clear, actionable recommendations for varied audiences.
• Experience in government or highly regulated environments.

Preferred Qualifications:

• 10+ years of progressive experience in cybersecurity, with advanced offensive security depth.
• Experience leading and designing red team and adversary emulation exercises.
• Experience with phishing, social engineering, and purple team operations.
• 5+ years involved in Zero Trust architecture and micro-segmentation assessment/design.
• Experience with cloud and containerized security (AWS, Azure, Docker, Kubernetes, IaC, CI/CD).
• 10+ years of experience in software development and low-level exploit analysis; code review in Java or compiled languages.
• Familiarity with FedRAMP, FISMA, or IRS Pub 1075 requirements.

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or protected veteran status.