Our Jobs

PENETRATION TESTER

Apply Now

Job Details

Job type icon
Full Time
Location icon
Shah Alam
Department icon
Security and Infrastructure
Education icon
Bachelor’s degree in Computer Science or a related field

About the role?

We’re looking for a pragmatic, detail-obsessed Penetration Tester who can assess modern web/mobile/cloud applications, back-end servers and networks and produce PCI-DSS and ISMS-grade evidence and remediation guidance.

Key Responsibilities

  • Perform source code security reviews (Java/NET/Python/Node/Go/etc) to find logic flaws, authentication/authorization bugs, injection risks, insecure deserialization, secrets in source, crypto misuse, and insecure third-party libs.
  • Perform in-depth Node js / JavaScript source-code reviews (Express, NestJS, Next js, serverless functions) focusing on authentication/authorization logic, async/await pitfalls, prototype pollution, SSR/CSR vulnerabilities, insecure deserialization, insecure use of eval()/Function(), improper input validation, and unsafe third-party NPM packages.
  • Assess Node js runtime and package-related risks (dependency chain vulnerabilities, unsafe native modules, environment variable/secret handling, npm/yarn lockfile issues), and recommend SCA/SBOM improvements.
  • Conduct server and OS hardening assessments, privilege escalation analysis, and persistence technique discovery.
  • Run authenticated and unauthenticated test scenarios; produce reproducible exploits or proof-of-concepts where safe and permitted.
  • Produce audit-grade deliverables: executive summary, technical findings, impact/risk ratings, CVSS mapping, step-by-step exploitation evidence, and prioritized remediation guidance suitable for PCI-DSS and ISO27001 audits.
  • Collaborate with developers and infra engineers to validate fixes and re-test remediations.
  • Design and maintain internal pentest methodologies, checklists and playbooks aligned to PCI-DSS (such as penetration testing requirements) and ISMS controls (Annex A).
  • Participate in threat modelling, secure code training, and vulnerability triage sessions.
  • Keep pentest tooling, scripts, and knowledge up to date contribute to automation for repeatable testing (CI/CD scans, SCA, DAST, SAST pipelines).
  • When required, coordinate with Approved Scanning Vendors (ASVs), QSAs, or external auditors for compliance validation.

Requirements

  • 4+ years hands-on penetration testing or red-team experience (application & infra).
  • Proven experience performing source code reviews and mapping code findings to secure design fixes.
  • Strong web & API testing skills (such as XSS, SQLi, SSRF, IDOR, auth bypasses, logic flaws).
  • Solid network & systems pentest skills port/service enumeration, network pivoting, segmentation checks, privilege escalation, and AD/LDAP attack experience.
  • Comfortable testing cloud environments (resource misconfigurations, storage exposure, IAM privilege abuse).
  • Experience with modern development stacks, container platforms, and CI/CD pipelines.
  • Familiar with vulnerability scoring (CVSS), risk ratings, and audit evidence requirements.
  • Experience producing formal pentest reports and remediation tickets for compliance audits.
  • Excellent Linux and Windows command-line skills and scripting (Python, Bash, PowerShell).
  • Tool proficiency: Burp Suite (Pro), Nmap, Metasploit, SQLMap, Snyk/Dependabot/Trivy/Clair (or similar), Git secrets, Gitleaks, dynamic scanners, and fuzzers.
  • Strong written and verbal communication able to translate technical risk into business impact.