Penetration Tester

Job description

Description

Dragonfli Group is a cybersecurity and IT consulting firm providing services to federal agencies and Fortune 100 enterprises. Headquartered in Washington, DC, Dragonfli supports clients in securing mission-critical systems across on-site, hybrid, and fully remote environments.


Role Summary

As a Penetration Tester, you will be responsible for evaluating the security of a large federal agency’s applications, networks, cloud environments, and supporting infrastructure. This role focuses on hands-on manual testing and controlled exploitation to identify and help remediate vulnerabilities. The ideal candidate will possess at least 3–5 years of experience in offensive security, with a deep proficiency in manual application testing and vulnerability validation across on-prem and cloud assets.


This is a multi-year contract position involving a large US federal agency. Candidates with previous federal contracting experience are preferred. U.S. Citizenship or Permanent Residency is required. If hired, all work related to this role must be performed within the continental U.S.


Key Responsibilities

  • Engagement Scoping & Planning: Partner with stakeholders to define objectives, rules of engagement, and success criteria to ensure safe execution.
  • Reconnaissance & Enumeration: Perform passive and active discovery of attack surfaces, services, and APIs to map trust boundaries.
  • Manual Application Testing: Conduct deep testing of web and mobile apps aligned with OWASP Top 10 and common design flaws.
  • Vulnerability Validation: Safely verify findings such as XSS, SQLi, CSRF, SSRF, and broken access control to demonstrate real-world impact.
  • Network & Infrastructure Testing: Identify weaknesses in exposed services, insecure protocols, and misconfigurations across hybrid environments.
  • Post-Exploitation Analysis: Assess blast radius, lateral movement paths, and persistence risks while minimizing operational impact.
  • Reporting & Remediation: Deliver clear technical reports with reproduction steps and prioritized fixes for both engineers and leadership.


Requirements

Must-Have Qualifications

  • Strong understanding of web application security and modern attack techniques.
  • Demonstrated ability to distinguish false positives from exploitable issues.
  • Proven experience documenting evidence and providing pragmatic remediation guidance.
  • Ability to operate within strict rules of engagement and ethical safety constraints.
  • U.S. Citizenship or Permanent Residency (Green Card).


Desired/Preferred Qualifications

  • Previous experience supporting federal contracting environments.
  • Experience with mobile (Android/iOS) or cloud penetration testing (AWS/Azure/GCP).
  • Experience with CI/CD and supply chain security testing.
  • Familiarity with modern app architectures like microservices and containers.


Skill(s)

  • Offensive Tools: Burp Suite, Nmap, Metasploit.
  • Scripting/Automation: Python, PowerShell, or Bash for lightweight proof-of-concepts.
  • Security Frameworks: OWASP Top 10, OWASP ASVS.
  • Authentication Patterns: OAuth 2.0, OpenID Connect, SAML.
  • API Paradigms: REST, GraphQL.
  • Relevant Certifications: OSCP, GWAPT, GPEN, PNPT (or equivalent).


Benefits

  • Insurance - health, dental, and vision
  • Paid Time Off (PTO) and 11 Federal Holidays
  • 401(k) employer match

