Lead Penetration Testing Engineer

Job Description Summary

The financial services industry sits squarely in the crosshairs of today’s most capable threat actors from nation states to highly organized criminal enterprises. Our internal cybersecurity organization operates where theory meets reality, continuously pressure testing defenses, exposing risk before attackers do, and raising the bar for enterprise security.

As a Lead Penetration Testing Engineer, you will lead and execute penetration testing engagements across web and mobile applications, internal and external networks, and other in-scope environments, taking ownership from planning through execution, technical debriefs with stakeholders and verifying remediation success. You will coordinate penetration tests, including red team and purple team exercises, working side by side with elite third-party testing partners as well as internal threat hunting, detection engineering, infrastructure, and security teams to turn findings into measurable security improvements.

This is a hands-on role for an offensive security professional who thrives in complex environments, enjoys breaking assumptions, and wants their work to directly shape enterprise wide defense strategy.

Job Description

This position follows our hybrid workstyle policy: Expected to be in a Raymond James office location a minimum of 10-12 days a month.

Please note: This role is not eligible for Work Visa sponsorship, either currently or in the future.

Experience & Skills:

• 7+ years of offensive security experience as a red team operator and penetration tester across web applications, corporate networks, and infrastructure.

• Strong understanding of networking fundamentals and protocols (TCP/IP, DNS, HTTP/S, TLS, SMTP, SMB, Kerberos, LDAP, etc.).

• Deep familiarity with Windows and Linux, including Active Directory, authentication flows, endpoint posture, and common misconfigurations.

• Proven ability to test and interact with APIs, including automation and integration validation.

• Demonstrated ability to create advanced scripts, tools, and automation using PowerShell, Python, or Bash.

• Strong report‑writing skills with the ability to translate technical findings into business‑aligned risk and actionable remediation.

• Leadership qualities to support technical development of team members.

Tooling Expectations (Hands‑On):

• Recon & Enumeration: Nmap, Masscan, Amass, Subfinder, Nuclei, Nikto, whatweb, dnsrecon, enum4linux‑ng

• Web & API Testing: OWASP ZAP, sqlmap, ffuf/gobuster, testssl.sh, JWT tooling, Burp Suite

• Exploit & Post‑Exploitation: Metasploit, Impacket, BloodHound, Responder, Kerbrute, CrackMapExec/NetExec, smbclient, LDAP tooling

• Passwords & Traffic: Wireshark/tshark, John the Ripper, Hashcat, Hydra

Responsibilities:

• Conduct authenticated and unauthenticated web application penetration tests on internal and third‑party applications; identify vulnerabilities aligned to OWASP Top 10/ASVS, demonstrate exploitability, and validate fixes.

• Perform internal and external network penetration tests, including attack path discovery, privilege escalation, lateral movement, segmentation validation, and internet‑facing exposure reviews.

• Execute targeted security testing in additional domains such as APIs, mobile applications (as applicable), cloud configuration/exposure validation, and wireless assessments.

• Build and maintain repeatable testing playbooks covering reconnaissance, exploitation, post‑exploitation, evidence collection, and remediation validation.

• Produce clear deliverables including executive summaries, technical reports, reproducible steps, risk ratings, and remediation guidance; brief engineers, stakeholders, and security leadership.

• Partner with application and infrastructure teams to remediate findings, conduct retesting, confirm closure, and improve secure SDLC practices.

• Support purple‑team activities by collaborating with detection and response teams to strengthen logging, alerting, and detection logic.

• Develop and maintain testing tools, scripts, and automations in Python, PowerShell, and Bash.

• Mentor junior team members to expand technical knowledge and hands‑on capabilities. • Work with third‑party testers to define scopes, oversee execution and reporting, and assign ownership of findings.

One or more of the following certifications:

• Highly Preferred : OSCP, OSWE, OSEP, OSWP, or OSEE

• GIAC: GPEN, GWAPT, GXPN, or GWEB

• eCPPT or PNPT

• Bonus: CISSP, cloud security certifications (AWS/Azure), or other relevant credentials.

Core Competencies:

• Analysis: Identify issues, compare data, and draw defensible conclusions.

• Communication: Clearly convey technical details and risk to engineers, finding owners, and leadership.

• Judgment & Decision Making: Recommend appropriate actions based on available facts and constraints.

• Technical Knowledge: Stay current on offensive security techniques, defenses, and industry trends.

• Relationship Building: Collaborate effectively with partners to achieve security objectives.

• Client Focus: Support internal teams as customers while managing firm‑wide risk.

• Leadership: Share knowledge and provide mentorship through training and guidance.

Education

Bachelor’s: Computer and Information Science, High School (HS) (Required)

Work Experience

General Experience - 6 to 10 years

Certifications

Travel

Less than 25%

Workstyle

Hybrid

At Raymond James – as part of our people-first culture, we honor, value, and respect the uniqueness, experiences, and backgrounds of all of our Associates. When associates bring their best authentic selves, our organization, clients, and communities thrive. The Company is an equal opportunity employer and makes all employment decisions on the basis of merit and business needs.

#LI-TC1