Consultant, Application Security Penetration Tester

Coalfire is on a mission to make the world a safer place by solving our clients' hardest cybersecurity challenges. We work at the cutting edge of technology to advise, assess, automate, and ultimately help companies navigate the ever-changing cybersecurity landscape. We are headquartered in Denver, Colorado with offices across the U.S. and U.K., and we support clients around the world.

We are thought leaders, consultants, and cybersecurity experts, but above all else, we are a team of passionate problem-solvers who are hungry to learn, grow, and make a difference.

Coalfire's AppSec team is composed of highly specialized application security testers. Not only are we hackers, but trusted advisors, where true consultancy shines through. At Coalfire, we take pride in being a partner to our clients. On our AppSec team, you work individually, but also in large groups depending on engagements. Come join our fun team where you can showcase your abilities, deepen your technical skills, expand your knowledge, be mentored while mentoring others, and have a great time while doing it.

What You'll Do

• Perform application security assessments using penetration testing, threat modeling, and code review techniques.
• Identify and remediate security vulnerabilities in web applications, APIs, cloud environments, and enterprise systems.
• Conduct API security testing (SOAP, REST, GraphQL) and evaluate authentication/authorization mechanisms.
• Analyze network security controls, including firewalls, SSL/TLS, encryption, and VPN configurations.
• Collaborate with development teams to integrate security into the Secure Development Life Cycle (SDLC).
• Conduct code reviews across various languages to identify security flaws and vulnerabilities.
• Work with cloud security testing methodologies and ensure compliance with security standards.
• Provide clear, well-written reports with actionable recommendations.
• Consult with clients to explain findings, address security concerns, and provide remediation guidance.
• Support mentorship and knowledge sharing within the team.
• Lead and support penetration testing projects from start to finish.
• Contribute to thought leadership through blog posts, conference talks, and R&D initiatives.
• Stay up to date with security policies, industry best practices, and emerging threats.

What You'll Bring

• A sense of humor and a good collection of memes and GIFs!
• Strong knowledge of OWASP Top 10 and ability to explain vulnerabilities and attack vectors.
• Hands-on experience with web application security testing and exploits.
• Proficiency in Linux, VMWare, and GitHub for security assessments.
• Working knowledge of popular web technologies like .NET, Java EE, Node.js, Rails, or JavaScript.
• Familiarity with code scanning and dynamic analysis tools.
• Expertise in API security testing and protocol handling.
• Experience working with cloud security principles (AWS, GCP, Azure).
• Understanding of IAM policies and security configurations in cloud environments.
• Strong problem-solving and critical-thinking skills.
• Ability to work independently and collaborate with teams effectively.
• Strong time management and ability to meet deadlines.
• Excellent verbal and written communication skills - able to explain findings to technical and non-technical stakeholders.
• Open to constructive feedback and continuous learning.
• A passion for mentorship and knowledge sharing.
• A client-centric mindset with a high level of professionalism and collaboration.
• Bachelor's degree (four-year college or university) or equivalent combination of education and work experience.

Bonus Points

• Experience with AWS security concepts (IAM, STS, security controls, serverless architectures).
• Hands-on experience with AWS services like S3, SQS, SNS, Lambda, and API Gateway.
• Familiarity with DevSecOps, CI/CD security, and infrastructure automation.
• Experience in mobile security (iOS/Android) and IoT testing.
• Deep understanding of network and host-based penetration testing methodologies.
• AWS Cloud Practitioner
• AWS Certified Security - Specialty
• Offensive Security Certified Professional (OSCP)

The salary range listed is a reasonable estimate of the compensation range for this role based on national salary averages. The actual salary offer to the successful candidate will be based on job-related education, geographic location, training, licensure and certifications and other factors. You may also be eligible to participate in annual incentive, commission, and/or recognition programs.

Why You'll Want to Join Us

At Coalfire, you'll find the support you need to thrive personally and professionally. In many cases, we provide a flexible work model that empowers you to choose when and where you'll work most effectively - whether you're at home or an office.

Regardless of location, you'll experience a company that prioritises connection and wellbeing and be part of a team where people care about each other and our communities. You'll have opportunities to join employee resource groups, participate in in-person and virtual events, and more. And you'll enjoy competitive perks and benefits to support you and your family, like paid parental leave, flexible time off, certification and training reimbursement, digital mental health and wellbeing support membership, and comprehensive insurance options.

At Coalfire, equal opportunity and pay equity is integral to the way we do business. All qualified applicants will receive consideration for employment without regard to race, colour, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran. Coalfire is committed to providing access, equal opportunity, and reasonable accommodation for individuals with disabilities in employment, its services, programs, and activities.