Junior Penetration Tester
Working at Thoropass
Thoropass makes it as easy to do the right thing as it is to check a box. Our team members believe that partnership lightens the load. Not everyone can be an expert at everything – lending each other support in areas of weakness strengthens everyone’s offering. We collaborate openly and enthusiastically; without ego.
What We Do
At Thoropass, we’re compliance experts so you don’t have to be. Pairing easy software that’s always getting smarter with expert guidance and continuous monitoring, we integrate into your process to prepare you to pass any audit, every year, with flying colors. Hundreds of growing companies use Thoropass’s compliance automation platform, expert services, auditors and partner ecosystem to get and stay compliant over the lifetime of their business. We offer SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS, HITRUST, and other infosec and privacy frameworks.
We are a rapidly expanding team based in New York. We were founded in May 2019 and raised our Series C funding in November 2022. Our top investors include: J.P. Morgan, PayPal Ventures, Fin Capital, Centana, and Bain Capital. We're growing customers and revenue dramatically and we’re poised for continued break-out growth in 2023 and beyond.
About the Role
We are looking for a Junior Penetration Tester to deliver penetration tests to Thoropass customers, including vulnerability assessments, web app pentests, and API pentests.
The ideal candidate will be equal-parts penetration tester, strategic thinker, and operational doer with a passion for solving complex challenges and delivering measurable impact for our company and customers.
What You'll Do
Deliver Penetration Testing Engagements
- Conduct web and API penetration tests with automated and manual testing, using black box or gray box testing methods.
- Demonstrate lateral movement capabilities and expose potential data exfiltration opportunities to simulate real-world attack scenarios.
- Develop effective countermeasures to address both known and unknown vulnerabilities within internal networks, employing advanced adversarial tactics to highlight security gaps.
- Employ innovative thinking to overcome security protection mechanisms, craft proof-of-concept code, and exploit business logic.
- Create detailed reports and findings to customers in a clear and concise manner, in fluent written and oral English. Advise customers on remediation efforts as needed.
- You adopt the mindset of an attacker, delving deep to identify potential vulnerabilities and attack vectors.
- You exhibit great judgment and sharp technical instincts that allow you to differentiate essential versus nice-to-have and to make good choices about trade-offs.
- Hungry, humble, scrappy, and will thrive in fast-paced environments and manage multiple priorities simultaneously.
- 1-3+ years in a pentesting / red teaming role.
- Familiarity with web app pentesting and API pentesting.
- At least 1 of the following certifications: eWPT, CEH, PenTest+, eJPT, Burp Suite Certified Practitioner, or equivalent.
- Knowledge of current attack methods, manual penetration testing techniques, and popular hacking tools (e.g., Nessus, Nmap, Metasploit, Kali Linux, Burp Suite Pro, OWASP ZAP).
- Experience with Hack the Box, Portswigger Academy, or similar learning platforms.
- Fluency in English, with exceptional verbal & written communication. You’re able to convey complex, technical topics to an array of stakeholders in a digestible and compelling manner.
- Project management skills with experience working with cross-functional teams.
- Competitive base salary
- Exceptional private healthcare
- Early equity in a fast-growing company
- Hybrid work-from-home model
- Unlimited PTO
- Home office equipment
- Monthly wellness and home Wi-Fi stipend
Thoropass provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.
This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.
Even if you feel you don’t meet every requirement, consider applying! Thoropass acknowledges the research which shows that women and people of color are less likely to apply for jobs when they don’t meet all of the stated qualifications. However, we’re looking for authentic innovators to blaze new trails and you just may be the right person for this or another role.