Steampunk is seeking Subject Matter Expert (SME) Penetration Test Engineer to support our Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA) clients. CISA leads the national effort to understand, manage, and reduce risk to critical infrastructure. CISA is charged with leading the Nation's strategic and unified work to assure the security and resilience of the nation's cyber systems, protecting the American way of life.

As a SME - Penetration Test Engineer, you will join our Cybersecurity practice supporting our federal customers. You will have and active TS clearance and 10+ years of proven experience as a Senior Security Engineer with experience assessing security implementation of cloud and hybrid environments to include Continuous Integration/ Continuous Delivery (CI/CD) pipelines, applications and services. You will have supervisory/leadership experience overseeing and guiding large teams responsible for planning, analyzing, implementing, and maintaining many different penetration testing projects.

• Leading penetration testing, developing advanced security scenarios and testing systems against those scenarios,
• Developing advanced security architectures for the implementation of custom countermeasures,
• Providing security considerations to advise system engineering teams with the objective to reduce errors, flaws, and weaknesses that may constitute security vulnerabilities,
• Performing advanced code analysis, and performing advanced protocol analysis for nation-state and state-sponsored cyber threat actor capabilities.
• Using agile best practices for scanning and end to end vulnerability remediation, assisting in all information security planning, compliance and risk management.
• Managing teams, ensuring they have appropriate skill sets, and tying the teams and results together.
• Identifying vulnerabilities and understanding and recommending countermeasures.
• Analyzing the network to determine if appropriate security is applied using knowledge of the NIST RMF.
• Developing and implementing test plans and ensuring execution.
• Evaluating the costs and benefits of security functions and considerations from analysis of alternatives, engineering trade-offs and risk treatment decisions.

• Utilizing a risk-based approach to evaluate the findings and will be responsible for writing up detailed summaries of the vulnerability and suggested remediations.
• Providing technical assessments of all layers of the enterprise stack as required by the specific application/system being tested.

• Working directly with system admin teams as well ISSOs to discuss findings and verify that their remediation efforts are adequate through following up penetration testing.

• Conducting penetration testing using approved tools and best practices.
• Creating detailed reports including the findings and suggested remediations.
• Conducting risk-based assessments based on penetration testing findings and brief the same to senior leadership.
• Reviewing and suggesting changes to ROE to ensure outcome provides desired results.
• Working with system teams and ISSOs on understanding of findings and remediation guidance.
• Managing and supporting development of pen testing SOPs.
• Designing scenarios for testing based on TTPs used by threat actors.
• Developing and implementing test plans and ensuring execution.
• Evaluating costs and benefits of security functions and considerations from analysis of alternatives.

• Active TS clearance
• 10+ years of proven experience as a Security Engineer 
• Supervisory/leadership abilities to oversee large teams responsible to planning, analyzing, implementing, and maintaining many different projects.
• BS in an IT field & 5 years of IT work OR BS in a non-IT field and 7 years of IT work
• Experience with packet analysis and with hardening and remediation.
• Experience over a variety of technologies and ability to assess security implementation of cloud and hybrid environments to include pipelines, applications, and services.
• Ability to ensure industry best practice implementation utilizing agile practices for scanning and end to end vulnerability remediation.
• Ability to assist in all information security planning, compliance and risk management, manage teams, ensure they have appropriate skill sets, and tie the teams and results together.
• Able to identify vulnerabilities and understand and recommend countermeasures.

Preferred Skills

• Experience with multiple penetration testing tools (Metasploit, nmap, burp suite, KaliLinux, etc.)
• Experience briefing to senior leadership
• Excellent written and verbal communication skills
• Performing work after-hours as testing requires
• Performing security research to remain current on emerging technology trends
• Familiarity with MITRE ATT&CK framework
• Ability to work with ISSOs to map findings to associated security controls
• Working knowledge of various enterprise technology stacks used to build applications in the cloud
• Working knowledge and experience in AWS and Azure GovClouds

Steampunk is a Change Agent in the Federal contracting industry, bringing new thinking to clients in the Homeland, Federal Civilian, Health and DoD sectors.  Through our Human-Centered delivery methodology, we are fundamentally changing the expectations our Federal clients have for true shared accountability in solving their toughest mission challenges.  As an employee owned company, we focus on investing in our employees to enable them to do the greatest work of their careers – and rewarding them for outstanding contributions to our growth. If you want to learn more about our story, visit http://www.steampunk.com.

We are an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law. Steampunk participates in the E-Verify program.