Application Penetration Tester

Remote, USA Full-time
Location: Remote
Department: Application Security / Offensive Security
Reports To: Application Security Leadership

Job Overview

OnDefend is seeking an Application Penetration Tester to support application security assessments across a growing portfolio of client engagements. This role is responsible for conducting hands-on security testing of web, mobile, and API-based applications and validating the effectiveness of implemented security controls.

The Application Penetration Tester performs manual and automated testing activities, including penetration testing, source code review, and adversarial tradecraft emulation. This role works closely with other testers, Technical Project Managers (TPMs), and stakeholders to identify security risks and provide actionable remediation guidance. Testers are expected to continuously improve their tradecraft through research, collaboration, and professional development.

Key Responsibilities

Application Security Testing & Assessment Execution
• Conduct technical security testing of web and mobile applications, including:
  • Manual application penetration testing
  • Vulnerability validation and exploitation
  • Security control validation
• Perform source code review to identify security weaknesses and logic flaws
• Implement static and dynamic security testing techniques (SAST, DAST, SCA)
• Validate security controls protecting applications and backend services
• Leverage adversarial tradecraft and threat intelligence to design and execute assessments

Security Analysis & Findings Development
• Identify, analyze, and validate vulnerabilities across application layers
• Assess risk impact and likelihood to support accurate severity ratings
• Develop clear and reproducible findings, including technical evidence and attack narratives
• Provide remediation recommendations aligned with secure coding and architectural best practices

Reporting & Stakeholder Communication
• Triage, document, and publish security findings in accordance with reporting standards
• Communicate findings and recommendations to technical and non-technical stakeholders
• Support development of executive summaries, technical narratives, and presentations
• Collaborate with TPMs to support assessment timelines and delivery milestones

Tooling, Automation & Tradecraft Development
• Utilize industry-standard testing tools such as Burp Suite Pro and related extensions
• Leverage automated testing and monitoring solutions within CI/CD pipelines
• Develop or modify custom tooling, scripts, or processes to improve assessment effectiveness
• Propose new assessment approaches based on prior findings and evolving threat landscapes

Research, Innovation & Program Support
• Perform security research to stay current on emerging vulnerabilities and attack techniques
• Contribute to knowledge sharing and innovation within the testing team
• Support additional program initiatives or operational tasks as assigned

Required Qualifications
• 3+ years of experience performing application penetration testing or equivalent experience
  • Equivalent experience may include extensive application development with security testing exposure
• Strong background in application, network, and system security
• Experience testing web and mobile applications and their backend services
• Experience working with Windows and *nix-based systems
• Understanding of application deployment architecture including containers, container orchestration, and cloud functions.
• Ability to read, write, and understand code in multiple programming languages, including:
  • Python, Java, JavaScript, Golang, C/C++, C#, Bash, Ruby, or similar
• Hands-on experience with application security testing tools, including Burp Suite Pro
• Familiarity with SAST, DAST, and SCA tools such as Burp Suite, ZAP, Postman, Coverity, Blackduck, Checkmarx, Semgrep, and others.

Preferred Qualifications
• Experience conducting mobile application security testing (iOS and Android)
• Experience with API security testing and authorization logic validation
• Experience with Docker and Kubernetes security testing
• Familiarity with cloud security testing (AWS, Azure, Oracle)
• Experience reverse engineering mobile applications, including obfuscation or anti-emulator protections
• One or more industry certifications such as:
  • OSCP, GWAPT, GPEN, GXPN, eWPT, CASE, GSSP-Java/.NET, or similar
• Active contributions to the security community (research, CVEs, blogs, open-source, conferences)

How This Role Fits Into Delivery

The Application Penetration Tester owns technical discovery, validation, and analysis of application security risks. Testers collaborate with peers and TPMs to ensure assessments are executed thoroughly and findings are delivered accurately and on time. Documentation quality and delivery coordination are supported by TPMs and Technical Writers, allowing testers to focus on technical depth and tradecraft excellence.

Important Note: Applicants must be authorized to work in the United States on a full-time basis without the need for current or future employer sponsorship.