Manual Application Penetration Tester (Web & API)
Job Title: Manual Application Penetration Tester (Web & API)
Contract Type: Contract
Role Overview
We are seeking experienced Manual Application Penetration Testers to perform in-depth security testing of web applications, APIs, and mobile applications. This role requires hands-on, offensive security expertise with a strong focus on manual exploitation, business logic testing, and real-world attack simulation.
The ideal candidate can independently execute penetration testing engagements, clearly articulate findings to both technical and non-technical audiences, and guide remediation efforts.
Key Responsibilities
• Perform manual application penetration testing of:
  • Web applications
  • REST & SOAP APIs
  • Mobile applications (iOS/Android – nice to have)
  • Thick client applications (where applicable)
• Conduct business logic testing, threat modeling, and application architecture reviews
• Identify and exploit vulnerabilities including (but not limited to):
  • IDOR / BOLA
  • Authentication & authorization flaws
  • Session management issues
  • Injection flaws (SQLi, XSS, XXE, etc.)
  • Logic flaws missed by automated scanners
• Perform objective-based and abstract penetration testing engagements
• Develop and demonstrate proof-of-concept (PoC) exploits
• Use Burp Suite Pro extensively for manual testing (Repeater, Intruder, Decoder, etc.)
• Present findings via live demos, written reports, and client readouts
• Clearly communicate risks, impact, and remediation guidance
• Work independently with minimal oversight while meeting delivery timelines
Required Qualifications
• 5+ years of recent experience in manual application penetration testing
• Strong experience testing:
  • Web applications
  • APIs (REST / SOAP)
• Hands-on expertise with Burp Suite Pro
• Proven ability to perform manual exploitation (not scanner-only testing)
• Experience communicating results to both technical and non-technical stakeholders
• Ability to lead remediation discussions and retesting efforts
• Bachelor’s degree in Computer Science, Engineering, or equivalent industry experience
Preferred Qualifications
• Mobile application penetration testing (iOS / Android)
• Experience with tools such as:
  • Netsparker
  • OWASP ZAP
  • Postman / SoapUI
• Experience with OAuth, JWT, and modern authentication mechanisms
• Ethical hacking certifications (preferred, not required):
  • GWAPT
  • OSWE
  • OSWA
  • CREST
Nice-to-Have Experience
• Threat modeling frameworks (STRIDE, PASTA, etc.)
• Secure SDLC / DevSecOps exposure
• Client-facing consulting or enterprise security engagements