Ankura

Senior Associate, Cybersecurity, Mid-Level Penetration Tester (Web and Mobile Application)

Posted 14 Days Ago
Remote
50 Locations
85K-200K Annually
Mid level
Seeking a Penetration Tester focusing on web, API, and mobile app security to perform assessments, communicate risks, and provide remediation guidance.
The summary above was generated by AI

Ankura is a team of excellence founded on innovation and growth.

Practice Overview:

We are seeking a Mid-Level Penetration Tester with a focus on Web, API, and Mobile Application security assessments to join our consulting team. This role requires not only hands-on penetration testing skills but also the ability to engage with clients, provide security advisory services, and offer remediation guidance. The ideal candidate will possess strong technical expertise and consulting skills to effectively communicate risks and solutions to both technical and non-technical stakeholders. Occasionally, the role may involve network and wireless penetration testing and social engineering.

This role is remote, based in the United States.

Responsibilities:

Technical Execution (75%)

  • Conduct manual and automated penetration tests on web applications, APIs (REST, GraphQL, SOAP), and mobile applications (Android/iOS).

  • Perform black-box, gray-box, and white-box assessments to identify and exploit security weaknesses.

  • Utilize industry-standard tools such as Burp Suite Pro, Postman, OWASP ZAP, MobSF, APKTool, Frida, Objection, and related tools.

  • Perform source code reviews to identify security flaws in web and mobile applications.

  • Develop and execute API security testing strategies, including authentication/authorization testing, token manipulation, and business logic testing.

  • Assess mobile app security through reverse engineering, static analysis, dynamic analysis, and runtime instrumentation.

  • Stay current with emerging vulnerabilities, attack vectors, and security best practices (e.g., OWASP Top 10, API Security Top 10, MASVS).

  • Occasionally conduct network and wireless penetration testing to identify vulnerabilities in these areas.

Consulting & Client Engagement (25%)

  • Effectively communicate findings, risk impact, and remediation strategies to clients, including both technical and executive-level audiences.

  • Develop and deliver technical reports, presentations, and remediation guidance tailored to clients' business needs.

  • Collaborate with development teams, security engineers, and DevOps teams to implement secure coding practices.

  • Conduct security training, tabletop exercises, and security awareness sessions for clients.

  • Participate in client scoping calls, proposal writing, and pre-engagement discussions.

  • Support security strategy, compliance efforts (PCI DSS, HIPAA, ISO 27001, etc.), and security roadmap development.

Requirements:

  • 3–5 years of experience in penetration testing, focusing on web applications, APIs, and mobile apps.

  • Proficiency with tools such as Burp Suite Pro, Postman, OWASP ZAP, MobSF, APKTool, Frida, Objection, and related tools.

  • Strong understanding of OWASP Top 10 (Web, API, Mobile) and other security frameworks.

  • Experience testing authentication mechanisms, including OAuth, JWT, SAML, and API key-based authentication.

  • Familiarity with GraphQL security testing and API fuzzing techniques.

  • Experience in mobile app security testing, including SSL pinning bypass, root/jailbreak detection bypass, and dynamic analysis.

  • Strong written and verbal communication skills for client reporting and presentations.

  • Ability to translate technical risks into business impact for clients.

  • Willingness to travel up to 25% for client meetings, assessments, and industry conferences.

  • Ability and willingness to perform network and wireless penetration testing and social engineering when required.

  • Applicants must be currently authorized to work in the United States without the need for visa sponsorship now or in the future.

Preferred Qualifications:

  • Industry certifications such as OSCP, GWAPT, OSWE, OSEP, OSEE, GMOB, or OSCE3.

  • Familiarity with cloud security (AWS, Azure, GCP) and API security gateways.

  • Experience with secure SDLC, threat modeling, and DevSecOps integration.

  • Understanding of container security (Docker, Kubernetes).

  • Public speaking experience (e.g., conferences, webinars, client presentations).

  • Experience contributing to open-source security tools or bug bounty programs.

For individuals assigned and/or hired to work in California, Colorado, or New York, Ankura is required to include a reasonable estimate of the compensation range for this role. This compensation range is specific to the said markets and considers a broad range of factors including but not limited to skill sets, experience and training, licensure and certifications, and other business and organizational needs. The disclosed range estimate has not been adjusted for the applicable geographic differential associated with the location at which the position may be filled. The range does not include additional benefits outside of salary. At Ankura, it is not typical for an individual to be hired at or near the top of the range for their role, and compensation decisions are dependent on the facts and circumstances of each role. A reasonable estimate of the current base pay range is between $85,000 and $200,000; this range is not a promise of a particular wage.

Ankura is an Affirmative Action and Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or protected veteran status and will not be discriminated against based on disability. Equal Employment Opportunity Posters. If you have a disability and believe you need a reasonable accommodation to search for a job opening, submit an online application, or participate in an interview/assessment, please email accommodations@ankura.com or call toll-free +1.312-583-2122. This email and phone number are created exclusively to assist disabled job seekers whose disability prevents them from being able to apply online. Only messages left for this purpose will be returned. Messages left for other purposes, such as following up on an application or technical issues unrelated to a disability, will not receive a response.

Top Skills

APKTool
Burp Suite Pro
Frida
MobSF
Objection
OWASP ZAP
Postman

Ankura San Francisco, California, USA Office

425 California Street, Suite 1600, San Francisco, CA, United States, 94104

