Senior Penetration Tester

We invite a Senior Penetration Tester to join our team. It's an office-based role – no remote or hybrid options.

This role involves leading end-to-end penetration testing engagements and performing security reviews of cloud-native services, Kubernetes workloads, CI/CD pipelines, and microservices. You will also be responsible for discovering and exploiting vulnerabilities across real-money flows and partnering with various teams to translate findings into concrete fixes.

• Lead end-to-end penetration testing engagements across web applications, APIs, mobile, internal and external networks and cloud (primarily AWS).
• Run red-team and assumed-breach operations - initial access, privilege escalation, lateral movement, persistence, exfiltration - including against fraud and detection stacks.
• Perform security reviews of cloud-native services, Kubernetes workloads, CI/CD pipelines, and microservices.
• Discover and exploit vulnerabilities across real-money flows - payments, deposits and withdrawals, wallets, KYC / AML, bonus systems, and affiliate tracking.
• Partner with product, engineering, AppSec, payments, and fraud teams to translate findings into concrete fixes and durable controls.
• Develop custom tooling, scripts, and methodology where no out-of-the-box approach exists.
• Build and validate declarative threat models and contribute to "secure by design" practice.
• Mentor mid and junior testers, review their engagement plans and reports.
• Track new CVEs, TTPs, MITRE ATT&CK updates, and regulator advisories - translate them into concrete changes here.
• Support pre-sales scoping, effort estimation, and pre-certification engagements for new products and jurisdictions.
• Serve as a trusted offensive-security advisor to product, engineering, and compliance teams.

• Minimum 4 years of hands-on penetration testing or offensive-security experience.
• Proven track record across at least three of: web / API, internal, external network, cloud (AWS / GCP), mobile (iOS / Android).
• OSCP or an equivalent in-the-box certification.
• Strong working knowledge of SAST/SCA/DAST tooling, AWS/GCP, MITRE ATT&CK, OWASP ASVS / WSTG, PTES.
• Understanding of the data flow, MVC model.
• Understanding of supply chain attacks.
• Good reporting skills.
• Comfortable scripting in Python plus Bash.
• Knowledge at least one of major cloud provider's IAM model.
• Experience pentesting cloud-native systems and Kubernetes environments, plus the CI/CD pipelines around them (GitLab, GitHub Actions, Jenkins) and IaC (Terraform, Helm, CloudFormation).
• Strong written and verbal communication in English .
• Experience balancing security and business demands under release pressure.
• Familiarity with industry regulations, frameworks, and practices: PCI DSS, ISO 27001, NIST, GDPR .

• Career growth opportunities in an international and dynamic environment;
• Opportunity to develop language skills with partial compensation for language courses;
• Special gifts for birthdays, weddings, and newborns;
• 20 working days of paid annual vacation, plus 6 paid sick leave;
• Office snacks and refreshments;
• Sports package to support a healthy lifestyle;
• Comprehensive medical insurance for you and your partner;
• Comfortable office with great facilities in a prime location;
• Exciting corporate events, team-building activities, and international company parties.