Lead Penetration Testing Engineer

**Job Description Summary**The financial services industry sits squarely in the crosshairs of today’s most capable threat actors from nation states to highly organized criminal enterprises. Our internal cybersecurity organization operates where theory meets reality, continuously pressure testing defenses, exposing risk before attackers do, and raising the bar for enterprise security. As a Lead Penetration Testing Engineer, you will lead and execute penetration testing engagements across web and mobile applications, internal and external networks, and other in-scope environments, taking ownership from planning through execution, technical debriefs with stakeholders and verifying remediation success. You will coordinate penetration tests, including red team and purple team exercises, working side by side with elite third-party testing partners as well as internal threat hunting, detection engineering, infrastructure, and security teams to turn findings into measurable security improvements. This is a hands-on role for an offensive security professional who thrives in complex environments, enjoys breaking assumptions, and wants their work to directly shape enterprise wide defense strategy.**Job Description*****This position follows our hybrid workstyle policy: Expected to be in a Raymond James office location a minimum of 10-12 days a month.******Please note: This role is not eligible for Work Visa sponsorship, either currently or in the future.*****Experience & Skills:*** 7+ years of offensive security experience as a red team operator and penetration tester across web applications, corporate networks, and infrastructure.* Strong understanding of networking fundamentals and protocols (TCP/IP, DNS, HTTP/S, TLS, SMTP, SMB, Kerberos, LDAP, etc.).* Deep familiarity with Windows and Linux, including Active Directory, authentication flows, endpoint posture, and common misconfigurations.* Proven ability to test and interact with APIs, including automation and integration validation.* Demonstrated ability to create advanced scripts, tools, and automation using PowerShell, Python, or Bash.* Strong report‐writing skills with the ability to translate technical findings into business‐aligned risk and actionable remediation.* Leadership qualities to support technical development of team members.**Tooling Expectations (Hands‐On):*** Recon & Enumeration: Nmap, Masscan, Amass, Subfinder, Nuclei, Nikto, whatweb, dnsrecon, enum4linux‐ng* Web & API Testing: OWASP ZAP, sqlmap, ffuf/gobuster, testssl.sh, JWT tooling, Burp Suite* Exploit & Post‐Exploitation: Metasploit, Impacket, BloodHound, Responder, Kerbrute, CrackMapExec/NetExec, smbclient, LDAP tooling* Passwords & Traffic: Wireshark/tshark, John the Ripper, Hashcat, Hydra**Responsibilities:*** Conduct authenticated and unauthenticated web application penetration tests on internal and third‐party applications; identify vulnerabilities aligned to OWASP Top 10/ASVS, demonstrate exploitability, and validate fixes.* Perform internal and external network penetration tests, including attack path discovery, privilege escalation, lateral movement, segmentation validation, and internet‐facing exposure reviews.* Execute targeted security testing in additional domains such as APIs, mobile applications (as applicable), cloud configuration/exposure validation, and wireless assessments.* Build and maintain repeatable testing playbooks covering reconnaissance, exploitation, post‐exploitation, evidence collection, and remediation validation.* Produce clear deliverables including executive summaries, technical reports, reproducible steps, risk ratings, and remediation guidance; brief engineers, stakeholders, and security leadership.* Partner with application and infrastructure teams to remediate findings, conduct retesting, confirm closure, and improve secure SDLC practices.* Support purple‐team activities by collaborating with detection and response teams to strengthen logging, alerting, and detection logic.* Develop and maintain testing tools, scripts, and automations in Python, PowerShell, and Bash.* Mentor junior team members to expand technical knowledge and hands‐on capabilities. • Work with third‐party testers to define scopes, oversee execution and reporting, and assign ownership of findings.**One or more of the following certifications:*** Highly Preferred: OSCP, OSWE, OSEP, OSWP, or OSEE* GIAC: GPEN, GWAPT, GXPN, or GWEB* eCPPT or PNPT* Bonus: CISSP, cloud security certifications (AWS/Azure), or other relevant credentials.**Core Competencies:*** Analysis: Identify issues, compare data, and draw defensible conclusions.* Communication: Clearly convey technical details and risk to engineers, finding owners, and leadership.* Judgment & Decision Making: Recommend appropriate actions based on available facts and constraints.* Technical Knowledge: Stay current on offensive security techniques, defenses, and industry trends.* Relationship Building: Collaborate effectively with partners to achieve security objectives.* Client Focus: Support internal teams as customers while managing firm‐wide risk.* Leadership: Share knowledge and provide mentorship through training and guidance.**Education**Bachelor’s: Computer and Information Science, High School (HS) (Required)**Work Experience**General Experience - 6 to 10 years**Certifications****Travel**Less than 25%**Workstyle**HybridAt Raymond James our associates use five guiding behaviors (Develop, Collaborate, Decide, Deliver, Improve) to deliver on the firm's core values of client-first, integrity, independence and a conservative, long-term view. We expect our associates at all levels to: • Grow professionally and inspire others to do the same • Work with and through others to achieve desired outcomes • Make prompt, pragmatic choices and act with the client in mind • Take ownership and hold themselves and others accountable for delivering results that matter • Contribute to the continuous evolution of the firmAt Raymond James – as part of our people-first culture, we honor, value, and respect the uniqueness, experiences, and backgrounds of all of our Associates. When associates bring their best authentic selves, our organization, clients, and communities thrive. The Company is an equal opportunity employer and makes all employment decisions on the basis of merit and business needs.#LI-TC1Thanks for your interest in working with Raymond James. While we might not have the perfect role for you today, we'd love to keep in touch.to stay up to date on career opportunities that may be a good fit for you.Our business is deeply focused on people and their financial well-being. We're committed to helping individuals, corporations and institutions achieve their goals, while also supporting successful professionals and helping our communities prosper. We believe doing well and doing good aren't mutually exclusive.As an established but ever-evolving company, you can start – or continue – growing your career here. We invest in you with wide-ranging benefits and the support of leaders and colleagues who care. From development opportunities and enriching networking groups to prioritizing diversity, inclusion and the power of different perspectives, Raymond James is where good people grow.Our people-first culture is outlined in our . Check it out to see why many choose to work at Raymond James – and why they stay. #J-18808-Ljbffr