The Pentest / Retest Operator supports the Team by executing approved penetration testing activities, validating remediation efforts, and producing clear technical evidence for IT, GRC, and audit stakeholders. The role operates under the supervision of the Team Manager and must follow the defined Rules of Engagement, approved scopes, and internal evidence standards. It is intended to increase execution capacity without transferring ownership of risk acceptance, final report approval, or security architecture decisions.
Key Responsibilities:
Standard Pentesting Execution:
- Execute approved penetration testing activities for internal, external, web, API, and infrastructure scopes.
- Perform reconnaissance, enumeration, vulnerability validation, and controlled exploitation only within approved scope.
- Support BPO pentest activities by validating business-impacting vulnerabilities and documenting reproducible attack paths.
- Identify technical weaknesses related to misconfigurations, insecure services, access control flaws, exposed systems, weak authentication, and insecure application behavior.
Remediation Validation (Re-testing):
- Re-execute the original proof-of-concept steps after IT confirms remediation.
  - Validate whether vulnerabilities are fully mitigated, partially mitigated, or still exploitable.
- Produce retest evidence, including commands, screenshots, logs, timestamps, affected assets, and validation results.
- Escalate failed remediation cases with clear technical detail and remediation guidance.
Segmentation and Network Control Validation:
- Execute approved segmentation test cases using predefined source/destination matrices.
- Validate whether unauthorized routes exist between non-critical networks and sensitive or regulated environments.
- Collect evidence of allowed, blocked, filtered, or unexpected network paths.
- Avoid unsupervised intrusive testing against production systems.
Web, API, and Application Security Testing:
- Validate OWASP Top 10 and API security risks, including broken access control, authentication flaws, IDOR/BOLA, injection risks, insecure session handling, and sensitive data exposure.
- Use approved tooling such as Burp Suite, Postman, Nmap, browser developer tools, and controlled scripting.
- Document findings in a format suitable for developers, IT operations, GRC, and auditors.
URL, Software, and Gold Image Validation Support:
- Support technical validation of URLs, applications, executables, and client-requested software.
  - Review TLS configuration, reputation, exposed services, headers, authentication requirements, and business justification.
- Support Gold Image validation by checking security controls, agent presence, hardening alignment, GPO compliance, and allow-list requirements.
- Submit all validation results to the Purple Team Manager for final approval.
Evidence and Reporting:
- Prepare professional finding documentation with description, impact, affected assets, evidence, reproduction steps, CVSS scoring support, and remediation recommendations.
- Maintain evidence in the approved corporate repository only.
- Ensure all commands and proof-of-concept steps are reproducible and clearly documented.
- Support final report preparation, but do not approve or issue final reports independently.
Documentation and Playbook Support:
- Contribute to offensive testing playbooks, retest procedures, segmentation validation checklists, and evidence standards.
- Document lessons learned and repeatable procedures for handover to the internal team.
Requirements:
- Bachelor's degree in Computer Science, Information Security, or related field.
- Practical experience in network, web, API, and infrastructure penetration testing.
- Strong knowledge of Nmap, Burp Suite, Postman, Wireshark/tcpdump, Netcat, Linux, Windows, and basic Active Directory concepts.
- Understanding of CVSS v3.1, vulnerability validation, false positive analysis, and remediation verification.
- Ability to write clear technical evidence and professional remediation guidance.
- Familiarity with PCI DSS, ISO 27001, SOC2, or audit-driven security evidence is preferred.
- Preferred certifications: eJPT, PNPT, CompTIA PenTest+, CEH Practical, Burp Suite Practitioner, or equivalent practical experience.