Principal Penetration Tester / Offensive Security Team Lead
Role Summary
The Principal Penetration Tester / Offensive Security Team Lead will lead and scale the organization's offensive security and penetration testing practice within a lean and fast-growing cybersecurity company. This is a player-coach role: the ideal candidate is expected to remain deeply hands-on, actively conducting and contributing to penetration testing engagements alongside leadership, delivery oversight, team mentorship, and business growth responsibilities.
This individual will set the technical bar for the practice — personally executing complex assessments, driving methodology excellence, and ensuring high-quality delivery across all client engagements. They will also support pre-sales activities and help establish the company as a trusted offensive security partner.
The ideal candidate thrives in a startup environment, leads by technical example, and is equally comfortable exploiting a misconfigured cloud environment in the morning and presenting findings to a CISO in the afternoon.
Key Responsibilities
Hands-On Technical Delivery
- Personally conduct and contribute to penetration testing engagements across web applications, APIs, cloud environments, networks, mobile applications, wireless infrastructure, and enterprise systems.
- Take direct ownership of complex, high-risk, or sensitive engagements requiring deep technical expertise.
- Perform adversary simulation, exploit development, and advanced attack chain construction on client engagements.
- Author and review high-quality technical reports, including detailed findings, reproducible evidence, risk ratings, and actionable remediation guidance.
- Remain current with offensive tooling, exploitation techniques, CVE research, and emerging attack vectors through personal practice and research.
Practice Leadership & Delivery
- Establish and continuously evolve testing methodologies, quality standards, reporting frameworks, and operational best practices.
- Ensure timely, high-quality delivery of all client engagements while managing resource allocation and competing priorities.
- Drive continuous improvement in offensive security capabilities, tooling, automation, and assessment approaches.
- Lead internal research, proof-of-concept development, and red team innovation initiatives.
Technical & Strategic Responsibilities
- Serve as the practice's foremost technical authority on offensive security, adversary simulation, and vulnerability assessment.
- Guide and personally support advanced exploitation scenarios, novel attack surface assessments, and high-complexity engagements.
- Track and operationalize emerging attack techniques, vulnerability disclosures, and threat trends relevant to client environments.
- Contribute to the development of new service offerings and scalable assessment models aligned with market demand.
Team Leadership
- Build, mentor, and manage a small but high-performing pentesting team, leading by technical example, not just direction.
- Conduct hands-on technical reviews, pair-testing sessions, and skill development initiatives for consultants.
- Foster a collaborative, learning-oriented, and accountable team culture suited to a fast-paced environment.
- Support hiring, onboarding, and technical capability development of new team members.
Client & Business Engagement
- Serve as a trusted technical advisor to clients on offensive security risks, remediation priorities, and security posture improvement.
- Lead client scoping discussions, technical walkthroughs, and executive briefings, translating complex findings into business-relevant risk.
- Support pre-sales activities including proposal preparation, effort estimation, solution design, and technical demonstrations.
- Collaborate with sales and leadership to grow client relationships and identify new service opportunities.
Operational Responsibilities
- Contribute to delivery processes, utilization planning, and practice-level operational metrics.
- Ensure all engagement activities comply with contractual, legal, confidentiality, and ethical requirements, including documented client authorization and the agreed scope and rules of engagement.
- Assist leadership in strategic planning, revenue growth initiatives, and service expansion efforts.
Candidate Specifications
Required Qualifications & Experience
- Bachelor's degree in Computer Science, Information Security, Engineering, or a related technical discipline, or equivalent demonstrated experience.
- 10+ years in cybersecurity with a heavy, sustained focus on hands-on penetration testing and offensive security.
- Proven track record of personally executing penetration tests across multiple technology domains, not solely overseeing them.
- Demonstrated experience leading or building penetration testing teams or offensive security practices.
- Comfortable operating as an individual contributor on technical engagements while simultaneously carrying leadership responsibilities.
- Experience engaging directly with enterprise clients and executive stakeholders.
- Prior experience in fast-paced, lean, or startup-oriented environments strongly preferred.
Technical Skills
- Deep, hands-on expertise in web application, network, cloud, API, mobile, and infrastructure security testing.
- Proficiency with offensive security tools and frameworks (e.g., Burp Suite, Metasploit, Cobalt Strike, BloodHound, Impacket, custom tooling).
- Strong command of exploitation techniques, post-exploitation tradecraft, lateral movement, and privilege escalation across Windows, Linux, and cloud environments.
- Familiarity with secure architecture concepts, common attack vectors, and practical remediation approaches.
- Working knowledge of cloud platforms (AWS, Azure, GCP), container security, identity security, and modern enterprise environments.
- Familiarity with industry standards and frameworks such as OWASP (Top 10, ASVS, Web Security Testing Guide), NIST guidance (e.g., SP 800-115), PTES, MITRE ATT&CK, and the CIS Benchmarks.
Certifications (Preferred)
- OSCP, OSWE, OSEP, OSED, CRTO, CRTE, LPT Master, or equivalent hands-on offensive security certifications strongly preferred.
- CISSP or similar governance certifications are a plus but not a substitute for technical credentials.