ISC2
Security Engineer, Penetration Testing

How your CV stacks up
Upload your CV to see how well it fits this job role
?%
Overview
Your Future. Secured. ISC2 is a force for good. As the world’s leading nonprofit member organization for cybersecurity professionals, our core values — Integrity, Advocacy, Commitment, Inclusion, and Excellence — drive everything we do in support of our vision of a safe and secure cyber world. Our globally recognized, award-winning portfolio of certifications provide an independent and globally recognized endorsement of cybersecurity knowledge, skills and experience for all career levels. Our charitable arm, the Center for Cyber Safety and Education, enables ISC2 and our members to serve the public by educating the most vulnerable about cyber risks and empowering access to enter and thrive in the cyber profession. Learn more at ISC2 online and connect with us on Twitter, Facebook and LinkedIn. When you join ISC2, you’ll demonstrate your commitment to an inclusive and equitable environment. Your support of the unique perspectives and experiences shared by our global cybersecurity workforce and profession will be recognized. We invite you to take an active role in helping us create a true sense of belonging across our organization — an environment of authenticity, trust, empowerment and connectedness that empowers all of our successes. Learn more.
Position Summary
The Security Engineer, Penetration Testing is a dual-function role responsible for both executing offensive security assessments and building the defensive engineering controls that harden ISC2’s environment. The role leads authorized penetration testing across ISC2’s applications, networks, and cloud infrastructure while also owning security engineering work — including security architecture review, tooling, automation, and control implementation — that translates findings into lasting improvements. This position works closely with the Security and Technical Operations team and collaborates across IT, engineering, and product to continuously strengthen ISC2’s security posture. The role plays a critical part in supporting ISC2’s ISO/IEC 27001:2022 ISMS program, providing both evidence of technical control effectiveness and direct input into risk treatment.
Responsibilities
Penetration Testing
- Plan, execute, and document internal and external penetration tests against ISC2 applications, networks, cloud environments, and infrastructure.
- Perform vulnerability assessments and validate findings to distinguish genuine risks from false positives.
- Conduct web application, API, mobile, and network vulnerability assessments using industry-standard methodologies (OWASP, PTES, OSSTMM).
- Perform social engineering assessments, including phishing simulations and physical security testing as authorized.
- Produce clear, actionable written reports detailing findings, risk ratings, evidence, and remediation recommendations tailored to both technical and executive audiences.
- Support red team exercises and adversary simulation activities to test detection and response capabilities.
- Develop and maintain the penetration testing program, including scope definitions, rules of engagement, and testing schedules. Move towards a continuous test mindset and method.
- Coordinate with third-party security vendors for external assessments and bug bounty program management where applicable.
Reasons to use Rodeo
I’m in my final year doing Economics and I don’t know whether to apply for grad schemes now or do a masters first. What do you think?
Honest answer — it depends on where you want to end up. A lot of top grad schemes (Big 4, civil service, banking) don’t need a masters. Let’s look at the ones you’d be competitive for now, and we can decide if a masters actually adds anything.
Also worth knowing: most autumn 2026 applications are open now. Timing matters more than you think.
Start with a chat, not a search bar
Grad scheme, placement, apprenticeship? Not sure what you want yet — that's fine. Your agent talks it through with you and turns "I have no idea" into a shortlist.
Graduate Consultant — 2026 Scheme
Why you're a good match
StrongYour economics background and your summer at a regional bank line up with what PwC looks for on the consulting scheme. Applications close in four weeks.
See breakdownIt searches the market for you
Every day your agent scans the market matching roles against what actually matters to you, not just keywords on a CV.
Why you're a good match
You’ve got the grades and the economics background, and your bank internship is exactly the experience this scheme looks for. Apply soon — deadlines close within the month.
Experience fit
Your summer at the bank plus your econometrics coursework map directly to the day-one responsibilities on this scheme — client modelling, market briefings, and deal support.
Only hits
No noise. No "maybe this fits." Just roles with a clear explanation of why they're right — and where to focus when applying.
Security Engineering
- Own remediation follow-through: translate pen test findings into security engineering work items, validate fixes, and track resolution to closure in Jira Service Management.
- Design and implement security controls across ISC2’s cloud and on-premises environments, including hardening configurations for Azure, Okta, SentinelOne, CheckPoint, and F5 XD.
- Participate in security architecture and design reviews for new systems, integrations, and third-party products; provide security requirements and risk acceptance recommendations.
- Develop and maintain security automation scripts and tooling to improve detection coverage, reduce manual effort in assessment workflows, and support continuous monitoring.
- Support the Secure Software Development Lifecycle (SSDLC), including security requirements definition, code review support, and pre-deployment security validation.
- Maintain awareness of emerging vulnerabilities, exploits, and threat actor TTPs; operationalize threat intelligence into actionable hardening and detection improvements.
- Support ISC2’s ISO/IEC 27001:2022 ISMS by providing technical evidence and input for Annex A controls spanning vulnerability management (A.8.8), secure development (A.8.25–A.8.29), and technical review (A.8.29).
- Miscellaneous duties as assigned.
Behavioral Competencies
- Integrity & Ethics: Operates with the highest standard of professional ethics; treats privileged access, sensitive findings, and organizational data with strict confidentiality.
- Analytical Thinking: Applies a structured, adversarial mindset to both offensive assessments and defensive design; bridges exploit research with practical engineering solutions.
- Communication: Clearly articulates complex technical vulnerabilities and risk in written reports and verbal briefings to both technical and non-technical stakeholders.
- Collaboration: Partners effectively with developers, architects, and operations staff to drive meaningful security improvements without disrupting business operations.
- Continuous Learning: Actively pursues knowledge of emerging threats, tools, and techniques; contributes insights to team knowledge sharing.
Qualifications
- Proficiency with penetration testing tools including Burp Suite, Metasploit, Nmap, Nessus, Cobalt Strike, and similar offensive frameworks.
- Strong understanding of web application vulnerabilities (OWASP Top 10), network protocols, Active Directory attack paths, and cloud security (Azure, AWS, GCP).
- Effective written and verbal communication with cross-functional teams is essential.
- Scripting and automation proficiency in Python, Bash, or PowerShell; ability to write or modify exploit code as well as defensive tooling.
- Familiarity with MITRE ATT&CK, CVSS, CVE, NIST SP 800-115, and the CIS Benchmarks for secure configuration baselines.
- Possess AI literacy and ability to test AI workloads and infrastructures.
- Relevant certifications strongly preferred: OSCP, GPEN or GWAPT, plus one engineering/architecture credential (CISSP, CSSLP, or equivalent).
- ISC2 membership or certifications (CISSP, CC) are a plus and demonstrate alignment with ISC2’s mission.


Get help with your application
Your very own career expert that helps elevate your application to the next level.
Education and Work Experience
- Bachelor's degree in Computer Science, Information Security, Cybersecurity, or related field. Will consider candidates with a high school diploma or regional equivalent and at least eight (8) years of experience in cybersecurity.
- 4+ years of experience in cybersecurity, with a demonstrable mix of offensive security (penetration testing) and defensive/engineering work (control implementation, architecture review, or SSDLC).
- Experience with IAM security, including Okta and SAML/OAuth-based environments, both for testing and hardening purposes.
- Security engineering experience implementing and hardening controls across cloud and identity platforms (Azure, Okta, SentinelOne, endpoint security tooling).
- Experience supporting ISO/IEC 27001, SOC 2, PCI-DSS, or similar compliance programs is a plus.
Physical and Mental Demands
- Ability to travel up to 5% of the time.
- Work normal business hours and extended hours when necessary.
- Remain in a stationary position, often standing or sitting, for prolonged periods.
- The role requires the ability to work at a computer for extended periods and communicate effectively through written and verbal channels.
- Regular use of office equipment such as a computer/laptop and monitor computer screens.
- Dexterity of hands and fingers to operate a computer keyboard, mouse, and other computer components.
Total Rewards
The pay range for this position is £50,550 - £64,729/Yr.
Final pay is based on several factors including but not limited to internal equity, market data, and the applicant’s education, work experience, certifications, etc.
Information regarding our comprehensive benefits package is available here.
This position will be posted for a minimum of 5 calendar days. This is a current vacancy, and the employer intends to fill this position within approximately 30 days.
Equal Employment Opportunity Statement
All qualified applicants will receive consideration for employment without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic as protected by applicable law. Job candidates will not be obligated to disclose sealed or expunged records of conviction or arrest as part of the hiring process.
“It took my CV and asked me questions relevant to understanding what kind of jobs to suggest for me. Suggestions were almost perfect. Jobs were exactly what I’ve been looking for.”
Jessica, London
Skills
Location