Web Application Penetration Tester
Job description
As a medior penetration tester, you'll be responsible for delivering high-quality web application security assessments. You'll work on a range of technical environments, supporting senior consultants, collaborating with clients, and mentoring junior colleagues. You have a solid understanding of offensive security and are passionate about identifying and exploiting vulnerabilities in complex applications.
- Perform manual and automated penetration tests on web applications, APIs, and related infrastructure.
- Identify, exploit, and document security vulnerabilities in accordance with OWASP, NIST, and other standards.
- Develop custom exploits or proof-of-concept code where applicable.
- Analyze and present assessment results clearly to technical and non-technical stakeholders.
- Write concise, actionable, and technically accurate reports and recommendations.
- Collaborate with red team or infrastructure testing teams on hybrid assessments.
- Contribute to the continuous improvement of tools, methodologies, and internal documentation.
- Support junior team members through peer review and mentoring.
- Stay current with the latest attack techniques, tooling, and security advisories.
- Participate in client meetings, kick-offs, and debriefings.
What we offer:
- Flexible work arrangements for all and initiatives supported by Parents & Caregivers @Deloitte
- Wellbeing tips and activities powered by Energise@Deloitte
- Topped off with other health benefits and insurance opportunities
Empowering our employees with flexible work arrangements remains essential in today's reality:
- Hybrid workplace: combination of home office and on-site (+10 offices in Belgium or client's premises).
- Part-time employment: all our jobs are open to full-time or part-time work under a 90% or 80% regime.
Requirements
Do you have experience in iOS?
- 3-6 years of hands-on experience in web application penetration testing.
- Familiarity with offensive security methodologies and common vulnerability classes (e.g., OWASP Top 10, SSRF, RCE, deserialization, logic flaws).
- Solid experience with manual testing and tools such as Burp Suite, OWASP ZAP, Postman, Nmap, etc.
- Comfortable with scripting (Python, Bash, etc.) for automation and exploitation.
- Strong understanding of HTTP(S), authentication mechanisms, session handling, input validation, etc.
- Experience in reviewing source code or conducting white-box assessments is a plus.
- Familiarity with cloud services (AWS, Azure, GCP) and associated security models is a plus.
- Able to communicate clearly in Dutch + English (spoken and written); other languages a plus.
- Hold or pursuing certifications such as OSCP, eWPT, GWAPT, OSEP (OSWE or OSED is a plus).
- Eligible to work in Belgium; security clearance may be required depending on project.
Nice to haves:
- Participation in bug bounty programs or public CTFs.
- Familiarity with CI/CD security and DevSecOps principles.
- Experience with API security, especially REST.
- Experience with GraphQL.
- Experience working with clients in regulated industries (finance, healthcare, etc.).
- Experience in testing mobile applications on both iOS and Android, including reverse engineering and mobile-specific attack vectors.
About the company
Deloitte drives progress. Our firms around the world help our clients become market leaders wherever they compete. Deloitte invests in outstanding people with diverse talents and backgrounds, empowering them to achieve more than they can elsewhere. Our work combines consulting with action and integrity. We believe that when our clients and society are stronger, so are we.