Penetration Tester

Software Secured is a leading Penetration Testing as a Service company, with a head office in beautiful Ottawa, Canada. We help software development teams get ahead of hackers using a suite of services and products.

Our team of pentesters is seeking a pentester to join us and help secure a few hundred additional applications. 

As a  Pentester  at Software Secured, you will have the opportunity to help our clients secure their mission-critical applications. This includes performing security code review, web, mobile, and network security tests. Help clients with security design reviews, threat modelling, and remediation strategies.

What You'll Do

• Run manual penetration tests across web applications, APIs, mobile apps, and network infrastructure — from scoping through testing, reporting, client readout, and retest
• Produce findings that are manually confirmed and exploitable, with remediation guidance a developer can act on without a follow-up call
• Handle nuanced test cases beyond the standard checklist: business logic flaws, authorization edge cases, vulnerability chaining, and environment-specific attack paths
• Present findings directly to client engineering teams and security leads — explaining what was found, why it matters, and how to fix it
• Contribute to security design reviews and threat modelling engagements earlier in the SDLC
• Mentor junior testers on test execution and report quality; contribute to methodology improvements, tooling, and internal playbooks
• Develop domain depth in one or more service areas (web, network, mobile, code review) through our Domain Expertise Program — with formal recognition and stipend for engineers who build expertise that makes the whole team stronger

What We're Looking For

• 2+ years of hands-on manual penetration testing — not scanner-assisted, manual
• Demonstrated ability to run standard engagements end-to-end with minimal oversight: scope, test, report, readout, retest
• Finds that go beyond OWASP Top 10 basics — business logic issues, complex auth flaws, chained vulnerabilities
• Reports that are client-ready with low rework: technically accurate, clearly written, correctly risk-rated
• Software development background in one or more of Python, .NET, Ruby, or Java — you understand how the thing was built, not just how to break it
• Strong communication skills in both directions: writing that doesn't require a translator and calls where you can hold your own in front of an engineering team
• Located in Canada and eligible to work (citizen, permanent resident, or valid work visa)

Nice to Have

• OSCP, OSCP+, or GWAPT
• Experience across multiple service areas (web + mobile, or web + network)
• Familiarity with compliance frameworks that drive our clients' security programs: SOC 2, ISO 27001, PCI DSS, HIPAA

What we are offering: 

Competitive base salary 

Work remotely anywhere in Canada (you're welcome to work in the Ottawa office when you'd like the option).

Work remotely from anywhere in the world for up to 2 months per year.

Yearly profit-sharing between 5 - 12% of your base salary, based on your performance.

Perks such as: monthly UberEats budget, annual home office stipend.

3 weeks of vacation to start. Additionally, the whole company is off for the week between Christmas and the New Year.

Parental, bereavement and child loss leave.

You will receive a great health benefits package (includes dental, vision, practitioners, etc.).