Stratascale · 2 days ago
Security Consultant - Penetration Testing
Stratascale is a digital and cybersecurity services company that helps Fortune 1000 clients transform their technology use for business advancement. The Security Consultant – Penetration Testing will lead and support the development and delivery of threat management consulting and penetration testing services to clients, ensuring their environments are secure against potential vulnerabilities.
Cloud Computing · Cyber Security · Enterprise Software
Responsibilities
Independently perform penetration testing against complex environments covering external, internal, web application, and other forms of offensive security engagements
Consult and document attack surface, threats, and vulnerability improvements based on team’s overall assessment of client’s environment
Perform full assessment and threat modeling against industry best practices to identify control weaknesses and assess the effectiveness of existing controls
Perform root cause analysis on identified vulnerabilities and attack surface weaknesses to determine technical solutions to be presented to client along with recommendations for remediations
Collaborate with client’s security teams to understand mitigation or resolutions for findings discovered by analysts
Review threat intelligence for specific threat vectors that align with the client's industry, or that the client is potentially impacted by, to utilize in attack path modeling
Assist in defining, measuring, and quantifying business risk and vulnerability impacts to clients and their stakeholders
Provide subject matter expertise and technical support on remediation, cloud security, governance, compliance, and core infrastructure systems
Assist customers with strategies, use of platforms, technical and compliance analysis, and implementing automation
Execute consulting projects by creating and completing deliverables, ensuring client needs and practice obligations are met
Develop and deliver training content, curricula, and workforce development programs, including in-person and remote sessions
Participate in customer and internal meetings, providing technical guidance and facilitating discussions
Stay educated on new product technologies, industry trends, and emerging capabilities within the practice
Develop and optimize cross practice capabilities, collaborate with peer practice leaders, and mentor other consultants
Qualifications
Required
Completed Bachelor's Degree in a related field or relevant work experience required
3–5 years of hands-on penetration testing/red team experience delivering engagements for mid-to-large enterprises, including leading complex assessments
Ability to travel to SHI, Partner, Customer events, and on-site testing engagements as needed
Expertise in planning, executing, and leading penetration tests across networks, web and mobile applications, APIs, wireless, and cloud environments, including scoping, rules of engagement, and debriefs
Proficiency with offensive security methodologies and frameworks such as PTES, OWASP (WSTG/MASVS/ASVS), MITRE ATT&CK, and threat modeling to drive risk-based testing
Deep hands-on experience with common offensive tooling and techniques, including reconnaissance, enumeration, exploitation, post-exploitation, lateral movement, and data exfiltration, along with strong operational security practices
Ability to assess and attack cloud services (AWS, Azure, GCP) including IAM misconfigurations, storage, serverless, container/orchestration, and cloud networking, and communicate cloud-specific remediation guidance
Strong web application testing skills including auth flows, access control, injection, deserialization, SSRF, XXE, business logic abuse, and modern app architectures (SPAs, microservices, GraphQL, WebSockets)
Working knowledge of Active Directory and Azure AD attack paths (Kerberoasting, constrained/unconstrained delegation, ACL abuses, LAPS/MAPS, certificate services), and the ability to simulate realistic enterprise attack chains
Proficiency with social engineering and phishing engagements, including payload development, infrastructure setup, pretexting, and measurement aligned to customer policies and legal constraints
Competence in scripting and automation to accelerate testing and proof-of-concept development using Python, PowerShell, Bash, and basic Go or JavaScript as needed
Ability to develop clear exploit proofs-of-concept, reproduce vulnerabilities reliably, and validate fixes; familiarity with exploit development fundamentals is a plus
Strong reporting and communication skills, including writing executive summaries and technical reports with reproducible steps, risk ratings, and actionable remediation, and presenting findings to both technical and non-technical stakeholders
Experience collaborating in red/purple team exercises, working with blue teams, and translating findings into detection and hardening recommendations (e.g., SIEM detections, EDR tuning, hardening baselines)
Familiarity with vulnerability management workflows, responsible disclosure practices, and integration of pen test results into remediation programs and retesting cycles
Proficiency with productivity and documentation tools such as Word, Excel, PowerPoint, and Outlook to efficiently produce statements of work, test plans, and final reports
Preferred
Advanced industry certifications preferred (e.g., OSCP, OSEP, OSWE, GXPN, GPEN, CRTO, CRTP, PNPT; CISSP or CSSLP a plus)
Benefits
Medical
Vision
Dental
401K
Flexible spending
Company
Stratascale
Stratascale is a premier services company proudly operating as the cybersecurity division of SHI.
Funding
Current Stage
Growth Stage
Company data provided by Crunchbase