Senior FedRAMP Consultant - Penetration Tester
ABOUT THE ROLE
As the Federal Pen Test Senior Consultant with A-LIGN, you will be part of a dedicated team whose sole purpose is to test and improve the security of our clients’ systems and data, across a wide range of industries. In this role, you will utilize a broad range of tools and will constantly evolve to discover new vulnerabilities and security weaknesses.
Your responsibilities will include planning and executing penetration testing under the direction of a member of the management team.
REPORTS TO: Managing Consultant
PAY CLASSIFICATION: Full-Time, Exempt
- Scope, plan and perform web application, API, network, and mobile application penetration testing, social engineering, wireless and physical security assessments.
- Execute internal and external web application and API tests.
- Execute internal and external network penetration tests.
- Execute social engineering tests, including phishing, vishing, and physical.
- Execute mobile application tests.
- Conduct security assessments on a wide variety of technologies and implementations.
- Simulate sophisticated cyberattacks for clients worldwide.
- Write detailed penetration test reports for clients.
- Maintain client relationships & ensure deadlines are met and managers are updated.
- Lead client meetings, as needed, throughout scoping, execution, and reporting phases.
- Review pen test work papers, drafts, and final reports with high attention to detail.
- Create templates and automation to reduce manual efforts.
- Ensure security assessments are performed in accordance with NIST SP 800-53, and other authoritative IT security and penetration testing guidance.
- Provide support configuring and running Web App, OS, and Database vulnerability scans.
- Provide technical expertise on current cloud computing, cybersecurity, and technology trends, as needed, to complete Federal Security Authorization Packages and Security Assessments.
- Collaborate across multiple internal teams to ensure successful delivery of results based on the scope of work.
- Bachelor’s degree in cybersecurity, management information systems, information security, computer science, or relevant discipline; or combination of relevant education and work experience
- 5+ years’ experience in information security
- 2+ years of web application and network penetration testing experience
- Hands-on experience and strong understanding of penetration testing with Burp Suite Pro
- Strong understanding of AWS and Azure cloud architecture
- Experience engaging clientele in consulting environments within professional IT services
- Proven knowledge of FISMA/FedRAMP methodologies and the NIST SP 800-53 controls
- An aptitude for technical writing, including assessment reports and technical presentations
- Strong understanding of security principles, policies, frameworks, and industry best practices
- Strong background and experience with cloud architectures, technologies, and services
- Experience with information security related engineering solutions, tools, and utilities
- Strong written and verbal communication skills, with attention to detail
- Ability to adapt communication based on the needs of your audience – technical vs. high level
- Experience with government compliance, including FISMA, FedRAMP, RMF, and CSF
- Experience as a consultant with a Big 4 or second tier consulting firm is a plus
- Familiarity with additional methodologies, frameworks, and guides (ISO, COBIT, HIPAA/HITECH, PCI, OSSTMM, OWASP Top 10 & Testing Guide, NIST CSF, CIS, and MITRE ATT&CK) is a plus
- Ability to travel up to 10%
- At least one of the following certifications, in order of preference: OSCP (highly preferred), OSEP, OSWE, OSCE3, GWAPT, GPEN, GXPN, LPT, or other industry-recognized pen testing certification(s)
- At least one advanced vendor-specific cloud-related technology certification, such as AWS, MS Azure, Google Cloud, Cisco Cloud, VMware, etc.; multiple are preferred
- At least one advanced cybersecurity certification, such as CISSP, CISM, CISA, CCSP, CRISC, CAP, CASP, or other relevant security certifications, is a plus
- Participation in online training and CTFs (ctftime, hackthebox, tryhackme, overthewire, etc.)
- Desire to attend at least one training conference per year (Blackhat, DefCon, etc.)
- Strong desire to templatize and automate mundane or repetitive tasks
- Hands-on experience with cloud computing, containerization, microservices architecture, and orchestration tools; DevOps tools such as Chef, Puppet, Ansible, Salt, Terraform, Tripwire, Jenkins, Travis, Elastic Stack, Kafka, Hadoop, Kubernetes, HAProxy/nginx, register, consul-template, Spring
- Working knowledge of defensive security techniques and technologies (MITRE ATT&CK-based detections)
- Experience leading or participating in Red Team engagements
- Experience in exploit development
- Familiarity with debuggers, disassemblers and reverse engineering
- Employer Paid Health, Vision, Dental
- 401(k) Plan with Employer Matching
- Competitive Bonus Structure
- Employer Paid Life Insurance and Disability Insurance
- Generous Paid Time Off Plan
- Virtual Employment
- Technology Allowance
- Vacation Bonus
- Paid Office Closure December 24-January 1
- Paid Holidays Schedule
- Certification Reimbursement
- Flu Shot Reimbursement
- TSA PreCheck Reimbursement
- AAA Reimbursement
A-LIGN is a technology-enabled security and compliance partner trusted by more than 2,400 global organizations to confidently mitigate cybersecurity risks. We work with organizations from small businesses to global enterprises, with services spanning SOC, Penetration Testing, PCI DSS, HITRUST, ISO, and privacy compliance. Our proprietary compliance management platform is transforming the compliance experience by enabling an anytime, anywhere approach to audits. For more information, visit www.A-LIGN.com.