Tuesday, November 28, 2023 04:47 Sign In

Non-Tier 1 Pen Tester

Back to Directory


  • Responsible for leading the Penetration Testing phase of the assessment
  • The Pen Tester must be able to interpret and follow the applicable rules of engagement
  • Following penetration testing, the Pen Tester is required to provide test results as an appendix to the assessment report
  • Maintain an accurate list of HVA assets
  • Manage the remediation plans to address all critical and high assessment finds
  • Ensuring plans conform to CISA reporting requirements
  • Create POA&Ms with appropriate milestones
  • Maintain finds and resolutions in the agency-identified data storage system
  • Provide the Agency HVA POC with all HVA assessment reports within 30 days of the assessment’s completion via a CISA-established submission process


  • At least one of the following:
    • Offensive Security Certified Professional (OSCP)
    • Offensive Security Certified Expert (OSCE)
    • Global Information Assurance Certification Pen Tester (GPEN)
    • GIAC Exploit Researcher and Advanced Pen Tester (GXPN)
    • CompTIA PenTest+
    • Cybereason Certified Threat Hunter (CCTH)
    • Cybereason Certified Threat Analyst (CCTA)


  • Must have a Bachelor’s Degree in Computer Science or related field
  • Must have 7 years of relevant experience
  • Must have an active Secret security clearance
  • All Contractors on the HVA assessment team must have completed the CISA’s AES HVA Assessment course and pass all associated examinations necessary for AES qualification
  • Knowledge of penetration testing fundamentals
  • Knowledge of Kali Linux and its toolset, including Metasploit
  • Knowledge of penetration testing tools, including scanners like Nessus and Nmap
  • Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization’s enterprise information technology (IT) architecture
    • Obeying appropriate laws and regulations
    • Providing infrastructure analysis
    • Performing analysis of physical, logical, and digital technologies
    • Conducting an in-depth target and technical analysis
    • Creating exploitation strategies for identified vulnerabilities
    • Monitoring target networks
    • Profiling network users or system administrators and their activities


  • This position requires the candidate to come on-site to the facility twice a week (Tuesday & Thursday), and work can be done remotely. The main facility is located in the National Capital Region within the DC Metropolitan area.


  • Salary is based on the number of years of relevant work experience the candidate has.

Please email your resume to our HR Recruiters