Job Description: We are seeking an experienced Lead Penetration Tester/Ethical Hacker to oversee a large-scale annual network and application penetration testing project for the State of Arizona’s Department of Economic Security (ADES). The role involves identifying vulnerabilities in 1,500 servers, 5,000 end-user devices, and 100 external-facing systems. The ideal candidate must have extensive experience in performing penetration tests, vulnerability assessments, and working with compliance frameworks (NIST, OWASP, CMS).
Responsibilities:
Lead the overall penetration testing project from planning to execution, including recon, scanning, exploitation, and reporting.
Perform internal and external network penetration testing.
Conduct web application penetration tests from both authenticated and unauthenticated perspectives.
Simulate cyber-attacks to identify vulnerabilities and weaknesses in network and application security.
Provide detailed reports on findings, risks, and recommendations for remediation.
Ensure compliance with NIST, IRS, CMS, and AHCCCS standards.
Work with a cross-functional team to deliver on all project milestones and ensure timely delivery.
Qualifications:
5+ years of experience in penetration testing, vulnerability assessments, and ethical hacking.
Certifications such as OSCP, CEH, CISSP, or equivalent are preferred.
Strong knowledge of tools such as Burp Suite, Metasploit, Nessus, Nmap, and sqlmap.
Experience in testing both network infrastructure and web applications.
Excellent understanding of compliance standards such as NIST SP 800-53, OWASP, and other relevant frameworks.
Ability to lead a team and communicate effectively with technical and non-technical stakeholders.
Experience working on projects for government or large organizations is a plus.
Screening Questions:
Describe a penetration testing project where you led the team and delivered results successfully. What was the scope of the project, and how did you ensure compliance with relevant standards (e.g., NIST, OWASP)?
What penetration testing tools are you most comfortable with, and how have you used them in past projects? Please provide specific examples.
Have you worked on a government-related project before, and how did you handle the compliance requirements (IRS, CMS, or other)?
How do you handle reporting vulnerabilities to clients? Can you provide an example where your findings led to significant improvements in an organization’s security posture?
Application Submission Instructions:
Candidates must submit their resume along with answers to the provided screening questions. The screening questions will help assess the candidate's depth of experience and technical expertise related to the scope of the project.