Qureos

Mid-Level Penetration Tester

Cairo, Egypt · Hybrid · Full-time

About Cyber Force

Cyber Force is a cybersecurity consultancy delivering advisory, managed services, and operations to international clients. Our senior-led teams combine governance, engineering, and 24×7 response to turn cyber risk into measurable resilience.

Role Overview

We are looking for a Mid-Level Penetration Tester to join our established Offensive Security & Assurance practice. You will independently conduct web/API, network, mobile, and cloud penetration tests, participate in red team and adversary emulation engagements, and contribute to purple team exercises — delivering against international client engagements. You will work alongside an existing team of offensive security engineers and leverage AI-augmented tooling and LLM-based workflows.

Key Responsibilities

  • Independently plan and execute web application and API penetration tests (OWASP Top 10, ASVS)
  • Conduct network pen tests: external/internal, Active Directory and Entra ID attack-path analysis, privilege escalation, lateral movement
  • Perform mobile application security assessments (OWASP MASVS)
  • Execute cloud pen tests across AWS, Azure, and GCP
  • Participate in red team and adversary emulation engagements mapped to MITRE ATT&CK
  • Contribute to purple team exercises with blue team / SOC
  • Conduct social engineering campaigns: phishing, pretexting, physical
  • Develop custom exploitation tools, scripts, and payloads
  • Produce pen test reports: executive summaries, technical findings, CVSS, remediation
  • Present findings to CISOs and technical teams
  • Leverage AI tools (Claude, ChatGPT) and agentic workflows for recon, exploit research, reporting
  • Mentor junior offensive security trainees

Requirements

  • Bachelor’s in CS, Cybersecurity, IT, or related (or equivalent practical experience)
  • 2–4 years of hands-on penetration testing (web, network, + mobile/cloud/AD)
  • OSCP (Offensive Security Certified Professional) — required
  • Fluent English (written and spoken)
  • Core tools: Burp Suite Pro, Nmap, Metasploit, BloodHound, Cobalt Strike or C2, Kali Linux
  • Active Directory and Entra ID attack techniques
  • Web application security: OWASP Top 10, injection classes, SSRF, deserialization
  • Cloud security testing in AWS, Azure, or GCP
  • MITRE ATT&CK mapping ability
  • Custom scripting: Python, Bash, or PowerShell
  • Demonstrated experience using LLM-based tools for offensive security tasks — this is a must
  • OSEP, OSWE, CRTO, GPEN, GXPN, or CPTS — a plus
  • VICI VCOP (Viridian Certified Offensive Operations Professional) — a plus
  • Bug bounty hall-of-fame or published CVEs — a plus
  • French language — a plus

Role details

Location: Cairo, Egypt
Type: Full-time
Mode: Hybrid

© 2026 Qureos. All rights reserved.