Position Title: Senior Penetration Testing, Software Assurance & Vulnerability Assessment Engineer
Location: On-site in a SCIF in the National Capital Region (NCR) - Nebraska Avenue Complex, Washington, DC (work locations transitioning to ICCB Bethesda / St. Elizabeths). Telework is not authorized; a designated Key Person must be available on-site during core hours
Clearance: TS/SCI
Job Summary:Performs advanced penetration testing, vulnerability assessments, and software assurance activities to identify and mitigate security weaknesses across DHS systems.
Education and Experience:- Bachelor's degree in Cybersecurity, Computer Science, or related field or equivalent years of experience.
- CEH, OSCP, GPEN, CISSP, or equivalent experience
- 15+ years of total cybersecurity experience, with demonstrated SME-level depth across the following disciplines:
- 5+ years conducting penetration testing across multiple domains (network, application, red team, physical, and/or wireless)
- 5+ years in software assurance, including secure code review, threat modeling, SAST/DAST tooling, and vulnerability analysis across multiple languages and platforms
- 4+ years in enterprise patch management and vulnerability remediation, including prioritization frameworks (CVSS, EPSS), SLA enforcement, and remediation validation
- 4+ years architecting, assessing, and securing cloud environments (AWS, Azure, GCP) and/or Cross Domain Solutions (CDS), including cloud-native attack surface analysis
- Significant experience supporting DHS, Intelligence Community (IC), or other federal agency programs, with deep familiarity with RMF, ICD 503, NIST 800-53/800-115, and related compliance frameworks
- Experience briefing findings and recommendations to senior leadership, program managers, and authorizing officials
Essential Duties: - Conduct advanced penetration testing and vulnerability assessments across networks, applications, AI systems, cloud environments, and DevSecOps pipelines
- Employ both automated tooling and sophisticated manual techniques to identify, validate, exploit, and analyze security weaknesses across complex, multi-domain environments
- Perform red team operations and adversary emulation exercises aligned to MITRE ATT&CK TTPs, simulating realistic threat actor behavior against classified and unclassified systems
- Conduct secure code reviews, static and dynamic application security testing (SAST/DAST), and software assurance activities across multiple languages and platforms
- Assess Cross Domain Solutions (CDS), cloud-native architectures, and hybrid environments for misconfigurations, privilege escalation paths, and lateral movement opportunities
- Analyze and correlate findings across assessments to identify systemic vulnerabilities and patterns, not just individual weaknesses
- Lead and direct penetration test programs across multiple concurrent systems, coordinating scope, scheduling, and resource allocation
- Develop, maintain, and continuously improve penetration testing methodologies, playbooks, and Standard Operating Procedures (SOPs)
- Serve as a subject matter expert and technical authority on offensive security techniques, vulnerability research, and exploit development