← all jobs

[Remote] Security Engineer, Penetration Testing

Work from home Full-time role Hiring

Note: The job is a remote job and is open to candidates in USA. ISC2 is a leading nonprofit member organization for cybersecurity professionals, committed to a safe and secure cyber world. The Security Engineer, Penetration Testing role involves executing offensive security assessments and building defensive engineering controls to enhance ISC2’s security posture.

Responsibilities

  • Plan, execute, and document internal and external penetration tests against ISC2 applications, networks, cloud environments, and infrastructure
  • Perform vulnerability assessments and validate findings to distinguish genuine risks from false positives
  • Conduct web application, API, mobile, and network vulnerability assessments using industry-standard methodologies (OWASP, PTES, OSSTMM)
  • Perform social engineering assessments, including phishing simulations and physical security testing as authorized
  • Produce clear, actionable written reports detailing findings, risk ratings, evidence, and remediation recommendations tailored to both technical and executive audiences
  • Support red team exercises and adversary simulation activities to test detection and response capabilities
  • Develop and maintain the penetration testing program, including scope definitions, rules of engagement, and testing schedules. Move towards a continuous test mindset and method
  • Coordinate with third-party security vendors for external assessments and bug bounty program management where applicable
  • Own remediation follow-through: translate pen test findings into security engineering work items, validate fixes, and track resolution to closure in Jira Service Management
  • Design and implement security controls across ISC2’s cloud and on-premises environments, including hardening configurations for Azure, Okta, SentinelOne, CheckPoint, and F5 XD
  • Participate in security architecture and design reviews for new systems, integrations, and third-party products; provide security requirements and risk acceptance recommendations
  • Develop and maintain security automation scripts and tooling to improve detection coverage, reduce manual effort in assessment workflows, and support continuous monitoring
  • Support the Secure Software Development Lifecycle (SSDLC), including security requirements definition, code review support, and pre-deployment security validation
  • Maintain awareness of emerging vulnerabilities, exploits, and threat actor TTPs; operationalize threat intelligence into actionable hardening and detection improvements
  • Support ISC2’s ISO/IEC 27001:2022 ISMS by providing technical evidence and input for Annex A controls spanning vulnerability management (A.8.8), secure development (A.8.25–A.8.29), and technical review (A.8.29)
  • Miscellaneous duties as assigned

Skills

  • Bachelor's degree in Computer Science, Information Security, Cybersecurity, or related field. Will consider candidates with a high school diploma and at least eight (8) years of experience in cybersecurity
  • 4+ years of experience in cybersecurity, with a demonstrable mix of offensive security (penetration testing) and defensive/engineering work (control implementation, architecture review, or SSDLC)
  • Ability to travel up to 5% of the time
  • Work normal business hours and extended hours when necessary
  • Remain in a stationary position, often standing or sitting, for prolonged periods
  • The role requires the ability to work at a computer for extended periods and communicate effectively through written and verbal channels
  • Regular use of office equipment such as a computer/laptop and monitor computer screens
  • Dexterity of hands and fingers to operate a computer keyboard, mouse, and other computer components
  • Proficiency with penetration testing tools including Burp Suite, Metasploit, Nmap, Nessus, Cobalt Strike, and similar offensive frameworks
  • Strong understanding of web application vulnerabilities (OWASP Top 10), network protocols, Active Directory attack paths, and cloud security (Azure, AWS, GCP)
  • Effective written and verbal communication with cross-functional teams is essential
  • Scripting and automation proficiency in Python, Bash, or PowerShell; ability to write or modify exploit code as well as defensive tooling
  • Familiarity with MITRE ATT&CK, CVSS, CVE, NIST SP 800-115, and the CIS Benchmarks for secure configuration baselines
  • Posess AI literacy and ability to test Ai workloads and infrastructures
  • Integrity & Ethics: Operates with the highest standard of professional ethics; treats privileged access, sensitive findings, and organizational data with strict confidentiality
  • Analytical Thinking: Applies a structured, adversarial mindset to both offensive assessments and defensive design; bridges exploit research with practical engineering solutions
  • Communication: Clearly articulates complex technical vulnerabilities and risk in written reports and verbal briefings to both technical and non-technical stakeholders
  • Collaboration: Partners effectively with developers, architects, and operations staff to drive meaningful security improvements without disrupting business operations
  • Continuous Learning: Actively pursues knowledge of emerging threats, tools, and techniques; contributes insights to team knowledge sharing
  • Plan, execute, and document internal and external penetration tests against ISC2 applications, networks, cloud environments, and infrastructure
  • Perform vulnerability assessments and validate findings to distinguish genuine risks from false positives
  • Conduct web application, API, mobile, and network vulnerability assessments using industry-standard methodologies (OWASP, PTES, OSSTMM)
  • Perform social engineering assessments, including phishing simulations and physical security testing as authorized
  • Produce clear, actionable written reports detailing findings, risk ratings, evidence, and remediation recommendations tailored to both technical and executive audiences
  • Support red team exercises and adversary simulation activities to test detection and response capabilities
  • Develop and maintain the penetration testing program, including scope definitions, rules of engagement, and testing schedules. Move towards a continuous test mindset and method
  • Coordinate with third-party security vendors for external assessments and bug bounty program management where applicable
  • Own remediation follow-through: translate pen test findings into security engineering work items, validate fixes, and track resolution to closure in Jira Service Management
  • Design and implement security controls across ISC2's cloud and on-premises environments, including hardening configurations for Azure, Okta, SentinelOne, CheckPoint, and F5 XD
  • Participate in security architecture and design reviews for new systems, integrations, and third-party products; provide security requirements and risk acceptance recommendations
  • Develop and maintain security automation scripts and tooling to improve detection coverage, reduce manual effort in assessment workflows, and support continuous monitoring
  • Support the Secure Software Development Lifecycle (SSDLC), including security requirements definition, code review support, and pre-deployment security validation
  • Maintain awareness of emerging vulnerabilities, exploits, and threat actor TTPs; operationalize threat intelligence into actionable hardening and detection improvements
  • Support ISC2's ISO/IEC 27001:2022 ISMS by providing technical evidence and input for Annex A controls spanning vulnerability management (A.8.8), secure development (A.8.25–A.8.29), and technical review (A.8.29)
  • Miscellaneous duties as assigned
  • Relevant certifications strongly preferred: OSCP, GPEN or GWAPT, plus one engineering/architecture credential (CISSP, CSSLP, or equivalent)
  • ISC2 membership or certifications (CISSP, CC) are a plus and demonstrate alignment with ISC2's mission
  • Experience supporting ISO/IEC 27001, SOC 2, PCI-DSS, or similar compliance programs is a plus

Company Overview

  • ISC2 is the world’s leading member organization for cybersecurity professionals, driven by our vision of a safe and secure cyber world. It was founded in 1989, and is headquartered in Alexandria, Virginia, USA, with a workforce of 201-500 employees. Its website is https://www.isc2.org.
  • More open positions

    [Remote] Co-Op: Financial Data Engineer

    Work from home Full-time role

    [Remote] Software Engineer

    Work from home Full-time role

    [Remote] Network Engineer

    Work from home Full-time role

    [Remote] Global Commodity Manager - Semiconductor

    Work from home Full-time role

    [Remote] Business Analyst – Consulting Manager – Banking and Financial Services

    Work from home Full-time role

    Sales Associate & Anaylst- ISD

    Work from home Full-time role

    Lead Application Developer - Back-End (m/f/d)

    Work from home Full-time role

    Remote Data Entry Specialist – Flexible Home‑Based Market Research & Survey Analyst

    Work from home Full-time role

    [Remote] Workshop Coordinator and Marketing Assistant

    Work from home Full-time role

    Community Based Mental Health Assessor (LPC or LCSW)

    Work from home Full-time role

    Sales Development Manager

    Work from home Full-time role

    Experienced Full Stack Customer Care Manager – Virtual Travel Experience

    Work from home Full-time role

    Sales Freelancer (commission) [EMEA] – Unique Corporate Wellness Experiences [BE-BRU]

    Work from home Full-time role

    Supervisor, Revenue Operations (ROPS)

    Work from home Full-time role

    Senior DevOps Engineer - Financial Company - (Remote/LATAM)

    Work from home Full-time role

    Associate Enterprise Partner Success Manager

    Work from home Full-time role

    Remote Data Entry Specialist – Logistics Operations Support | Work From Home | Entry-Level Opportunity with Growth Potential at careerzynith

    Work from home Full-time role

    Director of SEO & AI Search (Remote - West Coast Only & PST Hours)

    Work from home Full-time role

    Behavioral Health Counselor - Remote

    Work from home Full-time role

    Senior Mechanical Designer – Opto‑Mechanical Systems & High‑Volume Manufacturing – Remote – $30/hr – careerzynith

    Work from home Full-time role

    Lead Mobile (iOS) Developer (Remote)

    Work from home Full-time role