Senior Mobile Penetration Tester

Remote Full-time
About the position

U.S. Bank is seeking a Senior Penetration Tester (Mobile/Web/Cloud) with demonstrated competence and experience to contribute toward the success of our information security program. As a Senior Penetration Tester, you will be responsible for assessing the security of our web/mobile applications and platforms by identifying vulnerabilities, performing exploitations, and recommending mitigation strategies to enhance their resilience against cyber threats. This role requires a deep understanding of web/mobile application security principles, hardware/software, advanced penetration testing techniques, and the ability to work collaboratively with cross-functional teams.

Responsibilities

• Lead dynamic penetration testing against hardened mobile, web/API applications to uncover vulnerabilities and leverage manual exploitation techniques, demonstrating business impact.
• Deliver clear, actionable reports that include detailed findings, vulnerability scoring, and remediation guidance tailored to technical and non-technical teams.
• Continuously evolve testing methodologies by researching emerging threats, tools, and techniques, applying them to improve assessment strategies and team capabilities.
• Maintain a balance between hands-on testing and supporting broader team initiatives, including process optimization, tool/script development, and knowledge sharing.

Requirements

• Bachelor's degree in Engineering or Science, or equivalent work experience
• Eight or more years of experience in information security
• Two or more years of experience in IT infrastructure management, application architecture, risk management, data architecture, middleware technology, IT operations and project management
• Mobile Application Security: Familiarity with Android and iOS testing methodologies and platform-specific risks, including OWASP MASVS and MASTG.
• Technical Proficiency: Strong scripting skills (Python, PowerShell, Bash, Ruby, Go). Solid grasp of HTTP/S, authentication protocols (OAuth, SAML, JWT), and network fundamentals (TCP/IP, DNS, firewalls, IDS/IPS).
• Web & API Penetration Testing: 5+ years of hands-on experience with modern web applications and APIs. Deep understanding of OWASP Top 10, API Security Top 10, and SANS Top 25 vulnerabilities.
• Cloud & Platform Fluency: Comfortable testing in cloud environments (AWS, Azure, containers/Kubernetes). Experienced across Linux, Windows, and macOS platforms. Familiarity with cloud-native security and assessment tools (e.g., AWS Inspector, Azure Defender, ScoutSuite) and common misconfiguration exploitation techniques.
• Manual Testing & Exploitation: Advanced proficiency in identifying and exploiting vulnerabilities in web apps and APIs using tools like Burp Suite Pro, Postman/Insomnia, and custom scripts; skilled in uncovering business logic flaws, access control issues, and chaining exploits to demonstrate real-world impact.
• Tooling & Automation: Experience developing custom tools and scripts to automate testing workflows. Familiarity with tools such as Nmap, Metasploit, and Kali Linux.
• Threat Modeling & Risk Assessment: Ability to perform threat modeling and risk assessments to prioritize testing efforts and communicate business impact.
• Regulatory & Compliance Awareness: Understanding of compliance frameworks such as PCI-DSS, HIPAA, NIST 800-53, ISO 27001, and FedRAMP.

Nice-to-haves

• Communication & Documentation: Excellent written and verbal communication skills. Experienced in technical writing and clearly articulating findings to both technical and non-technical audiences, including executive leadership.
• Leadership & Mentorship: Proven ability to lead engagements, manage stakeholder expectations, and mentor junior testers.
• Certifications: OSWE, OSEP, OSCP, GWAPT, GPEN, GMOB, OSWA, or equivalent.
• Additional Experience: Source code review, ServiceNow Application Vulnerability Response, and understanding of change control and security architecture.

Benefits

• Healthcare (medical, dental, vision)
• Basic term and optional term life insurance
• Short-term and long-term disability
• Pregnancy disability and parental leave
• 401(k) and employer-funded retirement plan
• Paid vacation (from two to five weeks depending on salary grade and tenure)
• Up to 11 paid holiday opportunities
• Adoption assistance
• Sick and Safe Leave accruals of one hour for every 30 worked, up to 80 hours per calendar year unless otherwise provided by law