Penetration Tester - Offensive Security

About Malleum

Malleum is at the forefront of next-generation cyber defense, partnering with marquee clients across space, aerospace, defense , government, financial services, and critical infrastructure. We're experiencing exceptional growth as demand accelerates for trusted advisors capable of delivering at the intersection of national security, allied intelligence cooperation, and enterprise resilience. Our offensive security consultants test the systems behind cutting-edge defensive technologies, sovereign space capabilities, and allied programs — finding the gaps before adversaries do, on networks that protect missions of genuine national consequence.

If you take pride in breaking things ethically – and helping the most consequential organizations build back stronger – Malleum is where your craft meets purpose.

The Opportunity

We're seeking a Penetration Tester to deliver hands-on offensive security engagements across client networks, applications, cloud environments, and operational technology. You'll work directly within client environments – including sovereign, regulated, and cleared settings – emulating real-world adversaries, documenting findings, and partnering with clients to drive meaningful remediation.

This is a hands-on consulting role for a practitioner who blends deep technical tradecraft with strong client presence and the discipline to deliver findings clearly, safely, and on schedule.

What You'll Do

• Scope, and execute penetration tests across external, internal, web application, API, mobile, cloud (Azure / AWS / GCP), wireless, and Active Directory targets
• Conduct red team and adversary emulation engagements aligned to MITRE ATT&CK, executing realistic TTPs against client environments
• Perform assumed-breach assessments, internal pivoting, privilege escalation, and lateral movement exercises
• Support purple team exercises in partnership with client SOC and Malleum's IR practice to improve detection and response
• Execute social engineering campaigns (phishing, vishing, physical) where contracted, with rigorous rules of engagement
• Conduct cloud configuration reviews against CIS Benchmarks, CSA CCM, and provider-specific baselines
• Support OT / ICS / SCADA security testing for defense and critical-infrastructure clients (with appropriate safety controls)
• Develop custom tooling, scripts, and payloads (PowerShell, Python, C#, Go) to evade modern EDR and ZTNA controls during sanctioned engagements
• Produce high-quality client deliverables: executive summaries, technical findings, reproduction steps, evidence, CVSS-scored risk ratings, and pragmatic remediation guidance
• Deliver findings briefings to client stakeholders — from engineers to executive leadership and boards — with clarity and professionalism
• Contribute to scoping, estimation, statements of work, and continuous improvement of Malleum's offensive security service offerings
• Maintain meticulous engagement hygiene: rules of engagement, scope control, evidence handling, and safe-listing coordination
• Participate in research, internal tooling development, CTFs, and conference contributions to grow Malleum's offensive capability and brand

What You Bring

• 4+ years of professional penetration testing or red team experience, ideally in a consulting, MSSP, or in-house offensive security team
• Demonstrated success working directly with clients — strong communication, professionalism, and stakeholder management skills
• Deep working knowledge of network, web application, and Active Directory attack paths (Kerberoasting, AS-REP roasting, NTLM relay, ADCS abuse, BloodHound-driven pathing)
• Hands-on proficiency with offensive tooling: Burp Suite Pro, Nmap, Nessus / Nuclei, Metasploit, Cobalt Strike, Sliver, Mythic, Impacket, BloodHound, CrackMapExec / NetExec, Responder, Mimikatz, and modern C2 frameworks
• Strong scripting skills in Python, PowerShell, and Bash; comfort reading and modifying C#, Go, or Rust tooling
• Experience evading or bypassing EDR (Defender, CrowdStrike, SentinelOne), AMSI, and modern Windows defenses
• Familiarity with cloud attack paths in Azure / Entra ID (Pass-the-PRT, illicit consent grants, managed identity abuse) and AWS (IAM privilege escalation, metadata service abuse)
• Solid grasp of ZTNA and identity-aware perimeters (e.g., Cloudflare Access, Zscaler, Entra Conditional Access) and how they reshape attacker tradecraft
• Comfort emulating adversary TTPs mapped to MITRE ATT&CK and known threat-actor playbooks
• Familiarity with testing standards: PTES, OWASP WSTG / MASTG / ASVS, NIST SP 800-115, OSSTMM
• Awareness of compliance contexts that frame client expectations: PCI DSS, SOC 2, NIST 800-171 / CMMC, CPCSC, ITSG-33, ISO 27001:2022
• Certifications such as OSCP, OSEP, OSWE, OSCE3, CRTO, CRTL, GPEN, GXPN, GWAPT, GMOB, GCSA / GPCS / GCLD (cloud), AWS Certified Security – Specialty, Microsoft SC-100 / AZ-500 strongly preferred; OSCP or equivalent practical certification (e.g., CRTO, HTB CPTS, PNPT) is a baseline expectation
• Demonstrated ability to perform under pressure — calm, methodical, and ethical when engagements surface sensitive findings
• Willingness and availability to work odd hours and extended shifts when supporting time-boxed red team windows, after-hours testing, or rapid-response offensive support during active IR matters
• Comfort working across multiple client environments, tooling stacks, and rules-of-engagement simultaneously
• Eligibility for Government of Canada security clearance (Secret or higher); existing clearance highly valued; or controlled-goods registration considered an asset
• Bilingualism (English/French) considered a strong asset

Why Malleum

• Test the systems behind programs with genuine national and allied security impact – across aerospace, defense, and critical infrastructure
• Join a rapidly scaling firm with a flat, high-trust culture and direct access to senior offensive, IR, and engineering leaders
• Exposure to a wide variety of advanced targets, sectors, and cleared environments
• Dedicated research time, lab budget, and support for conference talks, CVE research, and open-source contributions
• Competitive compensation, performance incentives, and comprehensive benefits
• Continuous learning budget, certification sponsorship (OSCP, OSEP, OSWE, CRTL, SANS), and clear paths into senior red team, exploit development, or offensive research specializations

Malleum is an equal opportunity employer. We welcome applications from all qualified candidates and are committed to building a team that reflects the communities and missions we serve.