Senior Analyst - Penetration Tester
SYSCO SERVICE CENTRE POLAND SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
Location: Kraków
Requirements
- AWS
- Microsoft Azure
- Google Cloud Platform
- AD
- Azure AD
- BloodHound
- MobSF (nice to have)
- Frida (nice to have)
- PingCastle (nice to have)
- Python (nice to have)
- PowerShell (nice to have)
- Bash (nice to have)
Job description
Requirements:
- 5+ years of hands-on penetration testing or offensive security experience, including leading complex engagements.
- Strong experience in web and API testing, including OWASP-style issues and business logic/authorization flaws.
- Practical experience with Veracode (or a similar SAST/DAST platform) and advanced use of Burp Suite.
- Experience testing all three major clouds: Azure, AWS, and GCP.
- Hands-on assessment of AD/Azure AD using BloodHound or comparable tooling.
- Experience testing AI/ML/LLM-backed systems or AI-enabled features from a security perspective.
- Comfortable with planned off-hours work (evenings/weekends) when required, with comp days to keep workload reasonable.
- Strong written and verbal communication skills in English.
Nice to have:
- Mobile app testing experience (e.g., MobSF, Frida).
- Familiarity with additional AD tools (e.g., PingCastle).
- Experience building custom scripts, PoCs, or exploits (Python, PowerShell, Bash, etc.) to exercise vulnerabilities and test controls.
- Certifications such as OSCP, GPEN, GXPN, CEH or similar.
About the company:
- Sysco is the global leader in selling, marketing and distributing food products to restaurants, healthcare and educational facilities, lodging establishments and other customers who prepare meals away from home. Its family of products also includes equipment and supplies for the foodservice and hospitality industries. With more than 71,000 colleagues, the company operates 333 distribution facilities worldwide and serves approximately 700,000 customer locations. For fiscal year 2022, which ended July 2, 2022, the company generated sales of more than $68 billion. Information about our Sustainability program, including Sysco's 2022 Sustainability Report and 2022 Diversity, Equity & Inclusion Report, can be found at www.sysco.com.
Responsibilities:
- Lead penetration tests for web and API applications, including modern JavaScript apps, WordPress and Apache-based services.
- Use Veracode SAST/DAST and Burp Suite to identify issues, then perform manual testing to uncover logic, authorization, and high-impact vulnerabilities.
- Test Azure, AWS and GCP environments using tools like ScoutSuite, Prowler, Pacu (or similar) to find misconfigurations and escalation paths.
- Assess Active Directory and Azure AD using BloodHound (and similar tools) to identify and validate attack paths.
- Perform security testing of AI/ML/LLM-backed features and integrations to identify data leakage, unsafe integrations and abuse paths.
- Manually retest vulnerabilities, primarily on the external attack surface with some internal scope, to confirm that remediation is effective.
- Work with threat hunters and detection engineers to simulate attacks and validate that new or updated detections behave as intended and don't create excessive noise.
- Produce clear reports and explain technical findings, impact and remediation options to both technical and non-technical stakeholders.
- Participate in planned evening and weekend testing windows, with weekdays off in exchange so total time stays within normal full-time hours.