Manual Application Penetration Tester (Web & API)

🌍 Remote, USA 🎯 Full-time 🕐 Posted Recently

Job Description

Job Title:

Manual Application Penetration Tester (Web & API)
Contract Type:

Contract
Role Overview

We are seeking experienced Manual Application Penetration Testers to perform in-depth security testing of web applications, APIs, and mobile applications. This role requires hands-on, offensive security expertise with a strong focus on manual exploitation, business logic testing, and real-world attack simulation.

Perform manual application penetration testing of:
Web applications
REST & SOAP APIs
Mobile applications (iOS/Android – nice to have)
Thick client applications (where applicable)
Conduct business logic testing, threat modeling, and application architecture reviews
Identify and exploit vulnerabilities including (but not limited to):
IDOR / BOLA
Authentication & authorization flaws
Session management issues
Injection flaws (SQLi, XSS, XXE, etc.)
Logic flaws missed by automated scanners
Perform objective-based and abstract penetration testing engagements
Develop and demonstrate proof-of-concept (PoC) exploits
Use Burp Suite Pro extensively for manual testing (Repeater, Intruder, Decoder, etc.)
Present findings via live demos, written reports, and client readouts
Clearly communicate risks, impact, and remediation guidance
Work independently with minimal oversight while meeting delivery timelines

5+ years of recent experience in manual application penetration testing
Strong experience testing:
Web applications
APIs (REST / SOAP)
Hands-on expertise with Burp Suite Pro
Proven ability to perform manual exploitation (not scanner-only testing)
Experience communicating results to both technical and non-technical stakeholders
Ability to lead remediation discussions and retesting efforts
Bachelor’s degree in Computer Science, Engineering, or equivalent industry experience