Secure Yeti is seeking an Offensive Security Consultant to join our agile, high-performing security consulting team. This is a hands-on, client-facing role focused on delivering high-quality penetration testing and security assessments across modern environments. You will work directly with clients, engineers, and fellow consultants to identify real-world security risk and clearly document findings with practical remediation recommendations.

We are focused on finding the right fit for our team and welcome candidates with varying levels of offensive security experience; role scope, title, and compensation will be aligned to demonstrated skills, experience, and alignment with our values of collaboration, inclusion, and integrity.

What You’ll Do

  • Perform manual penetration testing of web applications and APIs, identifying vulnerabilities related to authentication, authorization, session management, input validation, and business logic.
  • Lead and execute scoped penetration testing engagements across authorized environments, including internal networks and Active Directory, cloud and identity platforms (AWS, Azure, GCP, M365/Entra ID), and wired or wireless infrastructure.
  • Conduct end-to-end testing activities within approved scope and authorization, applying offensive techniques such as exploitation, privilege escalation, lateral movement, and post-exploitation while maintaining appropriate OPSEC discipline.
  • Leverage and customize commercial and open-source security tools (e.g., Burp Suite, Nmap, Metasploit) and develop supporting scripts or tooling as needed to enhance testing effectiveness.
  • Perform Security Control Assessments (SCAs) aligned to NIST 800-53, validating control implementation and effectiveness.
  • Clearly document findings, impact, and remediation in written reports and present results to clients, explaining risk to both technical and executive audiences.
  • Collaborate with and mentor team members, contribute to internal capability building, and stay current on emerging vulnerabilities and offensive security techniques.

Required Qualifications

  • U.S. Citizen residing in the U.S.
  • Bachelor’s degree in information technology, computer science, or a related field.
  • Ability to pass a federal background check, drug test, credit check, and maintain eligibility for a U.S. Government security clearance.
  • Availability during standard business hours (8:00 AM–5:00 PM CST) with flexibility for client needs.
  • Demonstrated hands-on experience performing manual web application and API penetration testing, plus depth in at least one additional offensive security domain, such as internal network and Active Directory testing, cloud and identity platform security (AWS, Azure, GCP, M365/Entra ID), or other infrastructure-based penetration testing.
  • Ability to independently manage penetration testing engagements within defined scopes and timelines, including handling multiple concurrent engagements.
  • Experience working in client-facing or consulting environments, with strong written and verbal communication skills and the ability to produce clear, actionable technical reports and executive-level summaries.

Bonus Qualifications

  • Advanced experience with cloud security and enterprise network exploitation, including Active Directory, M365, AWS, and GCP.
  • Proficiency in programming/scripting (e.g., Python, JavaScript, C#, PowerShell, Bash) for tool development, automation, and payload customization.
  • Knowledge of defensive controls and evasion techniques.
  • Familiarity with security testing standards and frameworks (e.g., NIST 800-53, OWASP, MITRE ATT&CK).
  • Experience conducting firewall configuration reviews to assess rulesets and validate compliance with security standards.
  • Experience performing secure code reviews to identify vulnerabilities and enforce best practices.
  • Experience conducting, or demonstrated interest in, social engineering assessments, including phishing, vishing, or in-person social engineering, with an understanding of ethical constraints, client authorization, and engagement scope.
  • Certifications such as GPEN, GXPN, GWAPT, or OSCP preferred.

Benefits

  • 12 paid holidays annually
  • Flexible time off policy
  • 401(k) with up to 5% company match
  • Health, Vision, Dental, ST/LT Disability, and Life Insurance
Job Category: Cybersecurity Information Security
Job Type: Full Time
Job Location: Remote (Must be a U.S. Citizen residing in the U.S.)