Security Penetration Tester


The Penetration Tester can be a full-time position or a duty as assigned additional function.  The Penetration Tester will be familiar with Security Assessor Functions also. The Security Assessor will conduct security control assessments of the security and privacy controls implemented by an information system to determine the overall effectiveness of the controls and the vulnerability state of components, applications and databases residing within the system boundary. Following the NIST Cybersecurity Framework, Risk Management Framework and using NIST 800-53A, verifies the security status of existing information systems with an Authority to Operate (ATO) by performing appropriate assessments on any new system developed or deployed by the customer, and conducts audits of security controls to ensure continuous monitoring of systems assigned. Assesses systems that have previously been assessed and received an ATO and systems that have not yet been assessed and do not have an ATO.


Reports To

Lead Security Assessor


Delegation of Duties During Absence

Lead Security Assessor



  • Develop, document and review System Rules of Engagement (ROE), Security Assessment Plans (SAPs) and Security Assessment Reports (SARs).
  • Have a working knowledge of the FedRAMP Penetration Guidelines.
  • Develop associated schedules and resource plans to complete the assessments.
  • Perform quality control on the assessment and associated deliverables.
  • Participate as an individual contributor for complex system assessments.
  • Lead testing engagements in designated focus area(s) (e.g. web app, network penetration testing, red teaming, wireless testing, etc.)
  • Play a key role in the internal development of tools, tactics, processes and service offerings
  • Validate remediation plans and consult and assist customers with remediation efforts
  • General security consulting, risk and compliance consulting
  • Some public speaking and/or involvement in community events
  • Perform quality control on the assessment and associated deliverables.
  • Conduct Post Assessment Meetings with the customer.


Minimum Experience & Skills

  • 4+ years’ experience performing security testing and/or security control assessments.
  • 4+ years’ experience with developing and documenting the ROEs, SAPs, and SARs.
  • 4+ years’ experience and expert knowledge of the NIST Cybersecurity Framework, Risk Management Framework, FIPS, and other NIST A&A publications.
  • 4+ years' of experience utilizing NIST 800-53 and 800-53A.
  • Experience conducting Penetration Tests in a commercial and or federal environment.
  • Experience assessing and providing recommendation on the following: Privacy Impact Assessment, Risk Assessment, System Security Plan, Disaster Recovery / Contingency Plan, and Incident Response Plan.
  • Knowledge of the Systems Development Life Cycle (SDLC) and its application in the development of technology solutions.
  • Knowledge and skills to perform and document the assessment.
  • Experience with tools such as Nessus, Web Inspect, Db Protect and Splunk.
  • Technical background with Windows, Unix, legacy systems, databases, web servers/applications, cloud and virtualization environments.
  • Familiar with the cloud environments (services/security) and FedRAMP A&A process.
  • Familiar with FedRAMP Penetration Testing Guidance.
  • Effective verbal and written communication skills with ability to effectively communicate with all levels of users and teammates both written and verbally.
  • Effective technical writing and documentation processing skills.


Minimum Education

  • BS/BA degree in Information Technology or related cyber/cyber-security field. 
  • Experience may be substituted for education on a case-by-case basis.



Must possess one of the following certifications:

  • CEH – Certified Ethical Hacker Certification.
  • GPEN.
  • CPT – Certified Penetration Tester.
  • PenTest+
  • ECSA – EC Council Certified Security Analyst.
  • CEPT – Certified Expert Penetration Tester.
  • LPT – Licensed Penetration Tester.
  • OSCP – Offensive Security Certified Professional.
  • All professional certifications and CPE credits must be up to date