Security Assurance Penetration Tester
Role details
Job location
Tech stack
Job description
Are you a collaborative Penetration Tester looking to work for a mission driven global organization?
About the role - This role supports the offensive security function within Elsevier's Security Engineering team. You will perform hands-on security testing and peer review activities, validate vulnerabilities and security controls, and support the automation of security assurance processes. This is a hands-on role for a motivated security professional eager to grow in a collaborative, fast-paced environment.
About the team - The Security Assurance team supports the third-party penetration testing program, security control validation, and ongoing offensive security testing activities.
Responsibilities
- Tracking and triaging findings from third-party assessments, ensuring timely follow-up and remediation tracking.
- Collaborating with development, platform, and product teams to communicate findings, track remediation efforts, and improve overall security posture.
- Facilitating post-assessment reviews and lessons learned sessions with development teams to identify recurring security issues and promote secure development practices.
- Maintaining program documentation, test records, and reporting artifacts.
- Conducting penetration testing of web applications, APIs, cloud environments, and internal systems, escalating complex testing scenarios as needed.
- Performing peer review of penetration testing deliverables, including test plans, findings, and final reports.
- Participating in scoping exercises and contributing to the selection of appropriate testing methodologies.
- Supporting security assessments of GenAI-powered applications and features, including LLM integrations, RAG pipelines, and AI agents.
- Assisting in testing for AI-specific vulnerabilities such as prompt injection, jailbreaking, insecure output handling, model data leakage, and training data poisoning.
- Contributing to the development of internal GenAI security testing checklists and methodologies, aligned with frameworks such as OWASP Top 10 for LLMs.
Requirements
- Experience in information security, penetration testing, or a related field. Experience or coursework in software development, DevOps, or scripting is highly desirable.
- At least one relevant security certification (e.g., Security+, eJPT, PNPT, CEH, or equivalent) preferred; advanced offensive security certifications such as OSCP are a plus.
- Foundational understanding of web application architecture, networking, and operating system security.
- Familiarity with common penetration testing tools (e.g., Burp Suite, Nmap, Metasploit, Nuclei, or equivalent).
- Working knowledge of OWASP Top 10, common CVEs, and vulnerability scoring frameworks (CVSS).
- Scripting ability in at least one language (Python, Bash, PowerShell, or similar); development experience is a strong plus.
- Basic understanding of cloud environments (AWS, Azure, or GCP) and associated security considerations.
- Exposure to SAST/DAST tools and secure code review practices is desirable.
- Awareness of GenAI security risks (prompt injection, LLM abuse, insecure AI integrations)