Job Requirements
Washington, DC
Public Trust Full Scope Polygraph
Career Level not specified
Salary not specified
Join Premium to unlock estimated salaries
Job Description
Koniag Data Solutions, LLC, a Koniag Government Services company, is seeking a Penetration Testers - Senior (Lead) to support KDS and our government customer in Washington, DC. This position requires the candidate to be able to obtain a Public Trust.
We offer competitive compensation and an extraordinary benefits package including health, dental and vision insurance, 401K with company matching, flexible spending accounts, paid holidays, three weeks paid time off, and more.
Koniag Data Solutions, a Koniag Government Services company, is seeking an experienced Senior Lead Penetration Tester to support the U.S. Small Business Administration (SBA). The ideal candidate is a highly skilled offensive security professional with extensive experience planning, leading, and executing advanced penetration testing and red team operations across complex federal IT environments. This individual will serve as the technical lead for SBA's penetration testing program, providing expert guidance on adversary simulation, vulnerability exploitation, and security control validation to help the agency identify and remediate security weaknesses before they can be exploited by real-world adversaries.
The Senior Lead Penetration Tester will serve as the primary technical lead for all penetration testing and offensive security activities supporting SBA's cybersecurity program, overseeing the full lifecycle of penetration testing engagements, red team operations, and adversary simulation exercises across SBA's enterprise environment. This individual will bring deep technical expertise, strong leadership capabilities, and a comprehensive understanding of adversary TTPs to drive a high-quality, mission-focused penetration testing program that meaningfully strengthens SBA's security posture.
Principal responsibilities will include but are not limited to:
Education and Experience:
Required:
Desired:
Required Skills and Competencies:
Desired Skills and Competencies:
Our Equal Employment Opportunity Policy
The company is an equal opportunity employer. The company shall not discriminate against any employee or applicant because of race, color, religion, creed, ethnicity, sex, sexual orientation, gender or gender identity (except where gender is a bona fide occupational qualification), national origin or ancestry, age, disability, citizenship, military/veteran status, marital status, genetic information or any other characteristic protected by applicable federal, state, or local law. We are committed to equal employment opportunity in all decisions related to employment, promotion, wages, benefits, and all other privileges, terms, and conditions of employment.
The company is dedicated to seeking all qualified applicants. If you require an accommodation to navigate or apply for a position on our website, please get in touch with Heaven Wood via e-mail at accommodations@koniag-gs.com or by calling 703-488-9377 to request accommodations.
Koniag Government Services (KGS) is an Alaska Native Owned corporation supporting the values and traditions of our native communities through an agile employee and corporate culture that delivers Enterprise Solutions, Professional Services and Operational Management to Federal Government Agencies. As a wholly owned subsidiary of Koniag, we apply our proven commercial solutions to a deep knowledge of Defense and Civilian missions to provide forward leaning technical, professional, and operational solutions. KGS enables successful mission outcomes for our customers through solution-oriented business partnerships and a commitment to exceptional service delivery. We ensure long-term success with a continuous improvement approach while balancing the collective interests of our customers, employees, and native communities. For more information, please visit www.koniag-gs.com.
Equal Opportunity Employer/Veterans/Disabled. Shareholder Preference in accordance with Public Law 88-352
We offer competitive compensation and an extraordinary benefits package including health, dental and vision insurance, 401K with company matching, flexible spending accounts, paid holidays, three weeks paid time off, and more.
Koniag Data Solutions, a Koniag Government Services company, is seeking an experienced Senior Lead Penetration Tester to support the U.S. Small Business Administration (SBA). The ideal candidate is a highly skilled offensive security professional with extensive experience planning, leading, and executing advanced penetration testing and red team operations across complex federal IT environments. This individual will serve as the technical lead for SBA's penetration testing program, providing expert guidance on adversary simulation, vulnerability exploitation, and security control validation to help the agency identify and remediate security weaknesses before they can be exploited by real-world adversaries.
The Senior Lead Penetration Tester will serve as the primary technical lead for all penetration testing and offensive security activities supporting SBA's cybersecurity program, overseeing the full lifecycle of penetration testing engagements, red team operations, and adversary simulation exercises across SBA's enterprise environment. This individual will bring deep technical expertise, strong leadership capabilities, and a comprehensive understanding of adversary TTPs to drive a high-quality, mission-focused penetration testing program that meaningfully strengthens SBA's security posture.
Principal responsibilities will include but are not limited to:
- Lead the end-to-end planning, scoping, coordination, execution, and reporting of advanced penetration testing engagements across all components of SBA's enterprise IT environment, including network infrastructure, web applications, mobile applications, APIs, cloud environments, and supporting systems and services.
- Design and execute sophisticated red team operations and adversary simulation exercises that realistically emulate the tactics, techniques, and procedures (TTPs) of advanced persistent threat (APT) actors, nation-state adversaries, and other sophisticated threat actors known to target federal civilian agencies.
- Conduct advanced exploitation of vulnerabilities identified during penetration testing engagements, including privilege escalation, lateral movement, persistence establishment, credential harvesting, and data exfiltration, to accurately demonstrate the real-world impact and exploitability of identified security weaknesses.
- Develop and maintain a comprehensive, documented penetration testing methodology, program charter, and rules of engagement (ROE) for SBA's penetration testing program, ensuring alignment with industry best practices and federal security requirements including NIST SP 800-115 and applicable CISA guidance.
- Produce detailed, high-quality penetration test reports and executive-level briefings documenting engagement scope, methodologies, technical findings, exploitation evidence, risk ratings, attack narratives, and prioritized, actionable remediation recommendations tailored to both technical and non-technical SBA audiences.
- Collaborate with SBA security leadership, the Cybersecurity Architect, SOC teams, and system owners to communicate penetration testing findings, validate remediation efforts through retesting activities, and provide expert guidance on the prioritization and resolution of identified vulnerabilities and security control gaps.
- Conduct web application penetration testing in accordance with industry frameworks and standards including the OWASP Testing Guide and OWASP API Security Top 10, identifying and exploiting vulnerabilities including injection flaws, broken authentication, cross-site scripting (XSS), insecure direct object references (IDOR), business logic flaws, and other advanced application security vulnerabilities.
- Perform cloud penetration testing and security configuration assessments across AWS, Azure, and/or GCP environments, evaluating the security of cloud service configurations, IAM policies, storage services, network controls, serverless functions, and container environments.
- Develop and utilize custom exploitation tools, offensive scripts, and proof-of-concept (PoC) code to demonstrate the exploitability of identified vulnerabilities and support penetration testing operations in scenarios where commercial tools are insufficient or inappropriate.
- Lead social engineering assessments, including phishing and spear-phishing campaigns, vishing exercises, and physical penetration testing activities, to evaluate SBA's human and physical security controls and the effectiveness of the agency's security awareness program.
- Support and validate vulnerability management activities by providing expert-level analysis of vulnerability scan results, assessing real-world exploitability and risk in the context of SBA's environment, and advising on remediation prioritization strategies based on actual exploitation risk.
- Stay current with the latest offensive security research, vulnerability disclosures, exploit development techniques, and adversary TTPs, continuously applying new knowledge to improve the quality, realism, and effectiveness of SBA's penetration testing program.
- Mentor and provide senior technical leadership to junior and mid-level penetration testers, fostering professional growth, knowledge transfer, and the continuous development of the offensive security team's technical capabilities.
- Ensure all penetration testing and offensive security activities are conducted in strict compliance with SBA's approved rules of engagement, applicable federal laws and regulations, and the ethical standards governing offensive security research and testing.
- Coordinate and lead purple team exercises in collaboration with SBA's blue team, SOC, and incident response teams, designing realistic attack scenarios to validate detection and response capabilities and drive measurable improvements in SBA's defensive posture.
Education and Experience:
Required:
- Bachelor's degree in Cybersecurity, Computer Science, Information Technology, or a related field from an accredited college or university.
- 8+ years of progressive experience in offensive security, with at least 4 years of dedicated experience leading and executing advanced penetration testing and red team operations in a senior or lead capacity.
- Demonstrated experience conducting advanced penetration testing and red team operations within a federal government or large enterprise IT environment.
- One or more of the following certifications:
- Offensive Security Certified Professional (OSCP)
- Offensive Security Experienced Penetration Tester (OSEP)
- Offensive Security Web Expert (OSWE)
- GIAC Penetration Tester (GPEN)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- Certified Penetration Testing Engineer (CPTE)
- Certified Red Team Professional (CRTP)
Desired:
- Master's degree in Cybersecurity, Computer Science, or a related field.
- 10+ years of offensive security experience, with a strong background supporting federal government or defense contracting penetration testing and red team programs.
Required Skills and Competencies:
- Exceptional communication skills in English - both written and oral - with the ability to clearly articulate complex offensive security findings, exploitation narratives, and remediation recommendations to both technical and non-technical audiences, including senior SBA leadership and government contracting officials.
- Advanced expertise in penetration testing methodologies and industry frameworks, including PTES, OWASP, NIST SP 800-115, and MITRE ATT&CK, with demonstrated ability to apply these frameworks across diverse target environments, assessment types, and engagement scopes.
- Deep proficiency in network penetration testing, including all phases of the engagement lifecycle: reconnaissance, scanning and enumeration, exploitation, privilege escalation, lateral movement, persistence, and post-exploitation techniques across both Windows and Linux environments.
- Advanced experience in web application and API penetration testing, including the identification and exploitation of OWASP Top 10 and beyond vulnerabilities in modern web application architectures, RESTful and SOAP APIs, and web services.
- Strong hands-on experience with industry-standard penetration testing tools and offensive security platforms, including Metasploit Framework, Burp Suite Professional, Cobalt Strike, BloodHound, Mimikatz, Impacket, Nmap, Nessus, Nikto, SQLMap, Responder, and equivalent utilities.
- Proficiency in scripting and programming languages, including Python, PowerShell, Bash, and/or Ruby, for the development of custom exploitation tools, offensive automation scripts, and proof-of-concept code tailored to specific penetration testing objectives.
- Experience planning, designing, and executing full-scope red team operations and adversary simulation exercises, including the realistic emulation of APT TTPs using the MITRE ATT&CK framework to comprehensively assess the effectiveness of SBA's defensive controls and detection capabilities.
- Demonstrated expertise in cloud penetration testing across AWS, Azure, and/or GCP environments, including the assessment of cloud-native services, IAM misconfigurations, storage security, network controls, serverless functions, and container and Kubernetes environments.
- Experience planning and conducting social engineering assessments, including phishing campaign design and execution, vishing exercises, and physical penetration testing activities, with the ability to document findings and provide actionable awareness and control improvement recommendations.
- Strong knowledge of Active Directory architecture and common Active Directory attack techniques, including Kerberoasting, AS-REP Roasting, Pass-the-Hash, Pass-the-Ticket, DCSync, Golden Ticket, and Silver Ticket attacks, and the tools and methods used to execute and defend against these techniques.
- Ability to produce high-quality, comprehensive penetration test reports and executive-level briefings that clearly communicate engagement scope, methodology, technical findings, exploitation evidence, risk ratings, and prioritized remediation recommendations.
- Knowledge of federal cybersecurity frameworks and compliance requirements, including NIST SP 800-53, NIST SP 800-115, FISMA, and applicable CISA guidance, and their relationship to offensive security and penetration testing activities within a federal civilian agency environment.
- Ability to obtain and maintain a Public Trust Clearance.
Desired Skills and Competencies:
- Prior experience supporting SBA or other federal civilian agency penetration testing or red team programs, with demonstrated knowledge of SBA's IT environment, system portfolio, and applicable security requirements.
- Experience conducting hardware and firmware penetration testing, including the assessment of IoT devices, embedded systems, network appliances, and physical access control systems.
- Familiarity with mobile application penetration testing for iOS and Android platforms, including the identification and exploitation of mobile-specific vulnerabilities and insecure data storage practices.
- Experience with advanced exploit development and vulnerability research, including binary exploitation techniques, reverse engineering of compiled code, and the development of custom shellcode or exploits targeting identified vulnerabilities.
- Knowledge of operational security (OPSEC) principles and their application in red team and adversary simulation operations to realistically emulate threat actor behaviors and evade detection by SOC teams and defensive controls.
- Offensive Security Exploitation Expert (OSEE) or Offensive Security Defense Analyst (OSDA) certification.
- Demonstrated experience leading and facilitating purple team exercises, collaborating with blue team analysts and SOC personnel to design realistic attack scenarios, validate detection and response capabilities, and drive measurable improvements in defensive posture.
- Familiarity with the CDM (Continuous Diagnostics and Mitigation) program tools, their security implications, and their potential relevance as targets or intelligence sources during penetration testing engagements within a federal civilian agency environment.
- Experience with container security assessments and Kubernetes penetration testing, including the identification and exploitation of misconfigurations, insecure container images, and privilege escalation paths within containerized environments.
- Knowledge of adversarial machine learning techniques and their potential application in offensive security operations targeting AI/ML-enabled systems and decision-making processes.
- Experience conducting penetration testing within FedRAMP authorized cloud environments, with familiarity with FedRAMP authorization boundaries, inherited controls, and the security requirements applicable to penetration testing activities within FedRAMP boundaries.
- Familiarity with bug bounty program management and responsible disclosure practices, and experience contributing to or managing vulnerability disclosure programs within a federal or enterprise environment.
Our Equal Employment Opportunity Policy
The company is an equal opportunity employer. The company shall not discriminate against any employee or applicant because of race, color, religion, creed, ethnicity, sex, sexual orientation, gender or gender identity (except where gender is a bona fide occupational qualification), national origin or ancestry, age, disability, citizenship, military/veteran status, marital status, genetic information or any other characteristic protected by applicable federal, state, or local law. We are committed to equal employment opportunity in all decisions related to employment, promotion, wages, benefits, and all other privileges, terms, and conditions of employment.
The company is dedicated to seeking all qualified applicants. If you require an accommodation to navigate or apply for a position on our website, please get in touch with Heaven Wood via e-mail at accommodations@koniag-gs.com or by calling 703-488-9377 to request accommodations.
Koniag Government Services (KGS) is an Alaska Native Owned corporation supporting the values and traditions of our native communities through an agile employee and corporate culture that delivers Enterprise Solutions, Professional Services and Operational Management to Federal Government Agencies. As a wholly owned subsidiary of Koniag, we apply our proven commercial solutions to a deep knowledge of Defense and Civilian missions to provide forward leaning technical, professional, and operational solutions. KGS enables successful mission outcomes for our customers through solution-oriented business partnerships and a commitment to exceptional service delivery. We ensure long-term success with a continuous improvement approach while balancing the collective interests of our customers, employees, and native communities. For more information, please visit www.koniag-gs.com.
Equal Opportunity Employer/Veterans/Disabled. Shareholder Preference in accordance with Public Law 88-352
group id: 10201473