Penetration Tester

Job Description
Tharros has an immediate opportunity to support the US Navy with operational test and evaluation support. The Penetration Tester will assist in the development of cyber test plans, execute cyber tests, and report cyber test results. In this role you will conduct cyber tests on operational systems, in laboratory environments, or in cyber range environments. Testing may be against physical, virtualized, or cloud-based systems. This position shall leverage all authorized resources and analytic techniques to penetrate/access targeted networks and systems under test in support of OPTEVFOR's cyber OT&E mission. Team member will perform these duties under the supervision of the 01D Cyber Operations Officer.

• Review and become proficient in OPTEVFOR cyber T&E concept of operations, SOPs, policies and guidance.
• Maintain and participate in the development of 01D SOPs and documentation for DCAT authorization established in DoDI 8585.01.
• Research, review, prioritize, and submit operational requirements for acquisition of equipment or cyber capabilities, following the 01D tool approval process.
• Support development and execution of TTPs for penetration testing or Red Teaming.
• Research adversary cyber actors' TTPs, organizational structures, capabilities, personas, and environments, and integrate findings into cyber survivability test planning and execution.
• Participate in OPTEVFOR Cyber Test planning:
  
  • Conduct open-source research and system under test documentation review to familiarize with the system's mission, architecture and interfaces including critical components to identify its attack surface and threat vectors
  • Participate in check point meetings
  • Support development of test plan objectives
  • Review test plans, ensuring that test plans objectives are feasible
  • Participate in test planning site visits
• Participate in test preparation:
  
  • Participate in site pre-test coordination visits. Support in-brief to the test site.
  • Support red team test plan review
  • Add relevant system technical information to test reference library
  • Organize and support research presentations for advanced capability development in support of future tests
  • Prepare OPTEV-RT test assets (Government Furnished)
• Execute test events, including Cooperative Vulnerability Penetration Assessments, Adversarial assessments, and Cyber Tabletops, in support of Operational Testing, Developmental Testing, risk reduction events, or other events, as assigned.
  
  • Use OPTEVFOR provided and NAO approved commercial and open-source network cyber assessment tools (e.g. Core Impact, Nmap, Burp, Metasploit, and Nessus).
  • Employee ethical hacking knowledge to exploit discovered vulnerabilities and misconfigurations associated with but not limited to operating systems (Windows, Linux, etc.), protocols (HTTP, FTP, etc.), and network security services (PKI, HTTPS, etc.) to accomplish test objectives
  • Be able to accomplish testing independently
  • Ensure tests are conducted safely, in accordance with the test plan, and OPTEVFOR policies are adhered to
  • Follow Joint Forces Headquarters (JFHQ)-DODIN deconfliction procedures
  • Verify collected data for accuracy and completeness
• Participate in the post-test iterative process, including generation of documents (e.g. deficiency/risk sheets).
• Document lessons learned.
• Participate in capture the flag events, cyber off sites, external engagements such as red team huddles and red team technical exchange meetings; develop required products and materials in support of these events.
• Attend OPTEVFOR required meetings in support of OT&E.
• Generate and update documentation to maintain DCAT authorization compliance per DoDI 8585.0.
• Process exfiltrated data for analysis and/or dissemination to customers.
• Test and evaluate locally developed tools for operational use and implementation.

Requirements

• Minimum 3 years' experience performing any combination of: penetration testing, red teaming, or exploitation development.
• Minimum 3 years' with proficiency in leading red team operators in penetration testing/red teaming to accomplish assigned test objectives.
• Offensive Security Certified Professional (OSCP) or equivalent certification.
• Proficient in multiple offensive tools, including:
  
  • Metasploit, Cobalt Strike, Core Impact, Burp Suite, Nessus, SharpHoundBloodHound
    
• Ability to validate functionality and safety of offensive tools (e.g. exploits) given the source code and document the results.
• Ability to detect malicious activity of a program using dynamic analysis techniques and document the results.
  
• Independently operate to conduct penetration testing/red teaming to accomplish assigned test objectives.
• Skill in assessing current tools to identify needed improvements.
• Skill in knowledge management, including technical documentation techniques (e.g., Wiki page).
• Knowledge of current software and methodologies for active defense and system hardening.
• Knowledge of encryption algorithms and cyber capabilities/tools (e.g., Transport Layer Security, Pretty Good Privacy).
• Knowledge of evasion strategies and techniques.
• Knowledge of forensic implications of operating system structure and operations.
• Knowledge of host-based security products and how they affect exploitation and vulnerability.
• Knowledge of network administration.
• Knowledge of network construction and topology.
• Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.
• Knowledge of security implications of software configurations.
• Knowledge of the fundamentals of digital forensics in order to extract actionable intelligence.
• Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.
• Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).
• Knowledge of network collection procedures to include decryption capabilities/tools, techniques, and procedures.
• Process exfiltrated data for analysis and/or dissemination to customers.
• Test and evaluate locally developed tools for operational use.
• Skill in testing and evaluating tools for implementation.
• Proficient in Microsoft Office Suite to include Teams or similar workplace chat and videoconferencing tools.
• Excellent written and verbal communication skills.

Summary
Tharros combines extensive cyber defense knowledge with the world's preeminent vulnerability expertise to identify and defend against attacks before they become problems. Working at mission speed, we harden mission systems faster and secure them for longer, so agencies never lose the mission edge. Tharros lifts the veil of enterprise cybersecurity to detect zero days before they affect you, enabling mission maneuverability and the confidence to move missions forward.

In the ever-evolving realm of cyberspace, we are dedicated to becoming the paramount defender in the 5th warfighting domain. By pioneering innovative security solutions and fostering an environment of continuous learning and vigilance, we aim to protect the interests of our nation's security. Our commitment to excellence in cybersecurity will establish new benchmarks, transforming the digital landscape into a secure and thriving frontier for future generations.

Tharros. See Everything. Secure Anything.

Tharros is committed to hiring and retaining a diverse workforce. We are proud to be an Equal Opportunity/Affirmative Action Employer and make employment decisions without regard to race, color, religion, creed, sex, sexual orientation, gender identity, marital status, national origin, age, veteran status, disability, or any other protected status.