Role: Senior Penetration Tester
Location: Hybrid, 3 days onsite - 7701 Legacy Drive, Plano, TX, 75024
Job Description: Within the Cyber Fusion Center, the Offensive Security Team continuously evaluates PepsiCo’s cyber security posture through penetration tests and red team engagements to proactively identify gaps and drive mitigations to minimize PepsiCo's cyber risk exposure.
Responsibilities
- Conduct web application and API penetration tests as the primary focus, applying deep manual testing techniques beyond automated scanning
- Assess and articulate the true business and financial impact of discovered vulnerabilities — going beyond CVSS scores to communicate real-world risk to stakeholders
- Triage, validate, and contextualize vulnerability reports — particularly in environments where reporter incentives may not align with actual organizational risk (e.g., bug bounty program submissions)
- Drive all phases of penetration test engagements, including:
  - Scoping & planning
  - Reconnaissance
  - Vulnerability identification & exploitation
  - Reporting & remediation recommendations
- Perform manual testing to identify vulnerabilities such as Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), SQL Injection, privilege escalation, authentication weaknesses, access control weaknesses, use of insecure cryptographic protocols, and security misconfigurations.
- Develop in-depth, business-contextualized reports that clearly communicate issue severity, impact, and actionable remediation steps to both technical and non-technical audiences
- Develop tools, scripts, and techniques to automate and scale vulnerability discovery and offensive capabilities
- Support offensive security research across emerging attack surfaces including AI, LLMs, ML, NLP, and Smart Contracts
- Contribute to and publish security research, write-ups, and findings that advance the broader security community
- Mentor penetration testers and other security team members to drive holistic outcomes
- Manage third-party penetration test engagements to ensure quality deliverables
- Establish and mature team documentation, processes, procedures, and KPIs
Must Have Skills and Experience
- 5+ years of hands-on experience in a technical security role with a strong emphasis on web application penetration testing and AppSec
- Skilled in performing penetration tests on web APIs and mobile apps before release.
- Experience conducting manual API and mobile penetration tests using Burp Suite.
- Proficient in understanding application-level vulnerabilities such as XSS, SQL Injection, CSRF, authentication bypass, weak cryptography, and other authentication flaws.
- Advanced knowledge of security tools (Burp Suite, Metasploit, Cobalt Strike, Empire, Nmap, etc.) and multiple operating systems (e.g. Windows, Linux).
- Deep proficiency with Burp Suite — including manual testing workflows, extensions, and custom configurations
- Strong ability to assess and communicate actual business impact of vulnerabilities, distinguishing between reported severity and true organizational risk
- Experience across multiple security domains including Application Security, Cloud Security, and Security Operations
- Proficiency in at least one scripting or programming language: Python, Bash, PowerShell, Java, C#, or C++
- Familiarity with defensive technologies: IPS/IDS, WAF, SIEM, EDR, UEBA
Preferred Qualifications
- Experience aligning offensive security findings to frameworks and control objectives: MITRE ATT&CK, NIST CSF, OWASP, ISO 27001, CIS
- Familiarity with defensive and monitoring technologies such as intrusion prevention/detection systems (IPS/IDS), web application firewalls (WAF), security information and event management (SIEM) systems, endpoint detection and response (EDR) tools, and user and entity behavior analytics (UEBA).
- Published security research — blog posts, CVEs, disclosed vulnerability write-ups, conference talks, or open-source contributions with your name attached
- Certifications in web penetration testing such as BSCP (Burp Suite Certified Practitioner), OSWE, SANS GWAPT, HackTheBox CBBH