Lead and deliver advanced penetration testing across web applications, RESTful APIs, backend services, mobile-connected services and supporting application platforms.
Assess Java-based backend systems, especially Spring Boot services, microservice architectures, API gateways and Backend for Frontend layers.
Test authentication, authorisation, orchestration, input validation, session handling, token management and data exposure risks across modern digital journeys.
Carry out security testing across cloud-hosted and containerised application environments, ideally on AWS, where platform or configuration weaknesses affect application risk.
Review outputs from SAST, DAST and related controls, separate noise from genuine risk, and help development teams understand what matters and what should be fixed first.
Support threat modelling and design review activity by translating design and architecture decisions into sensible testing scope and coverage.
Support release and project assurance by providing clear views on testing depth, remediation expectations and risk-based sign-off inputs.
Help develop practical application security testing standards, playbooks and ways of working that can be applied across BAU and project delivery.
Develop and mature an internal purple team methodology that can be used alongside security testing activity and external red team exercises.
Support offensive security planning with Security Testing leadership and Cyber Defence so that simulations and adversary-led assessments are tied to the maturity of defensive controls and operational priorities.
Use strong Linux and Windows knowledge to identify realistic exploitation paths across hosts, applications and supporting services.
Bring practical knowledge of binary exploitation and lower-level technical analysis where it adds value to application, platform or software component assessments.
Apply ATT&CK-aligned thinking when shaping offensive scenarios, attack paths and purple team test cases.
Use knowledge of exploit chaining, post-exploitation tradecraft, EDR and AV evasion concepts, and other offensive security techniques where they improve the realism and value of testing.
Contribute to selected specialist work, including hardware-focused testing or low-level technical analysis, where there is a clear business need and the activity supports the wider security testing plan.
Work with external offensive security partners and turn outputs into practical lessons, follow up actions and measurable improvements.
Act as a senior technical point of reference within the Security Testing function.
Coach others in the team and help raise the standard of testing, reporting and technical analysis.
Improve internal methods, test approaches and reporting so that the function becomes more consistent and easier to scale.
Requirements
Strong hands-on experience in application penetration testing across web applications, APIs and service-based architectures.
Strong understanding of Java-based backend systems, especially Spring Boot, RESTful APIs and microservice patterns.
Experience testing API gateways and Backend for Frontend layers, including authentication, authorisation, orchestration and data validation.
Practical knowledge of cloud-hosted applications, ideally on AWS, including containerised services and common platform security controls.
Good understanding of modern web and mobile application patterns, enough to assess API consumption, session handling, trust boundaries and data exposure risk.
Strong practical knowledge of Linux and Windows operating systems, including privilege escalation paths, host weaknesses, credential handling risks and exploitation approaches relevant to application environments.
Working knowledge of binary exploitation and lower-level vulnerability analysis where relevant to application, runtime or platform risk.
Ability to carry out manual testing beyond automated tooling, including business logic weaknesses, exploit chaining and cross-layer issues.
Ability to explain findings clearly to both technical and non-technical stakeholders and provide practical remediation advice.
Experience shaping testing approach, methodology or standards rather than only delivering assessments.
Experience with mobile application assessment.
Experience with secure code review or code assisted testing.
Experience with ATT&CK-informed assessments, adversary emulation support or purple team exercises.
Familiarity with EDR and AV evasion concepts, exploit development, vulnerability research or offensive tooling beyond standard application testing.
Exposure to hardware, embedded or other specialist low level testing techniques.
Experience in regulated, high availability or transaction critical environments.
Relevant certifications such as CREST, OSCP, OSWE, OSEP or equivalent demonstrable experience.
Experience with WAF technology and implementation.
Tech Stack
AWS
Cloud
Java
Linux
Spring
Spring Boot
Benefits
Company Bonus Scheme
Matched pension contributions up to 8.5%
26 days annual leave + 2 Life Days (and bank holidays)
Single Private Health Cover
Complimentary Private Medical
Income Protection
Flexible Benefits – EV Scheme, Money Coach, Will Writing, Mortgage Advice, Dental and Eye Care Schemes.
Enhanced Family Leave (Maternity, Paternity, Adoption)