Lead Penetration Test Engineer

Lead Penetration Test Engineer Hybrid 2 days per week onsite at one of the following US sites: Boston, MA; Chicago, IL; Dallas, TX; Houston, TX; Englewood, CO; Raleigh, NC; Princeton, NJ; New York, NY; Southfield, MI; Washington, DC. Canada sites: Toronto, ON; Calgary, AB. The S&P Ratings Security team focuses on protecting our clients and users from modern security threats. Our mission is to safeguard systems and data by developing innovative solutions to the industry’s most complex security challenges. Responsibilities and Impact We are seeking a Lead Penetration Test Engineer with extensive experience in penetration testing and offensive security. The ideal candidate will conduct penetration tests, re-testing, vulnerability scanning, and threat assessments across diverse environments. This role requires strong offensive security skills combined with cloud and application security expertise to identify vulnerabilities and develop effective mitigation strategies. Penetration Testing & Vulnerability Assessments Conduct comprehensive penetration testing of web applications, infrastructure, and cloud environments using both manual and automated techniques. Develop custom scripts, tools, and methodologies to enhance penetration testing capabilities and automate security testing within CI/CD pipelines. Apply cloud‑specific offensive techniques, including IAM abuse, container and serverless exploitation, and cloud misconfiguration testing. Vulnerability Management & Remediation Collaborate with engineering and development teams to analyze vulnerabilities, develop remediation plans, and strengthen application security across development and production lifecycles. Perform detailed security assessments using DAST, SAST, and SCA tools to ensure continuous validation and improvement of security controls. Attack Simulations & Research Lead and participate in attack simulations and tabletop exercises to validate security controls and improve organizational response capabilities. Research emerging threats, attack vectors, and adversarial techniques to inform offensive and defensive strategies. Partner with internal teams to design and execute threat assessments based on intelligence feeds and threat actor analysis. Security Communication & Reporting Communicate and present penetration testing and security assessment findings to both technical and non‑technical stakeholders. Provide actionable remediation guidance and risk mitigation strategies to strengthen the organization’s overall security posture. What We’re Looking For Basic Required Qualifications Bachelor’s degree in Computer Science, Information Systems, or a related field, or equivalent experience. Minimum 8 years of experience in information security with a strong focus on penetration testing, application security, and vulnerability management. Hands‑on experience with penetration testing tools (e.g., Burp Suite, Nessus, Metasploit, Nmap) and methodologies (e.g., OWASP Top 10, MITRE ATT&CK, PTES). Expertise in identifying and exploiting common infrastructure and web application vulnerabilities (e.g., XSS, SQL Injection, IDOR). Familiarity with vulnerability classification and scoring frameworks (CVE, CVSS, CWE). Strong scripting or programming skills (e.g., Bash, Python, Go, PowerShell, JavaScript). Experience performing security assessments (DAST, SAST, SCA, credential scanning) and integrating security testing into CI/CD pipelines. Ability to translate complex technical findings into clear, actionable reports and confidently brief cross‑functional teams and executives. At least one recognized offensive security certification (OSCP, OSCE3, OSEP, GXPN, GPEN, or CREST CRT/CCT). Preferred Qualifications Experience with cloud security across AWS, Azure, or GCP. Knowledge of AI/ML security and adversarial testing methods, including evaluating LLMs and other models for manipulation, evasion, and data integrity risks. Demonstrated involvement in the infosec community (e.g., open‑source projects, bug bounties, CVE research, conference talks, or security publications). Experience applying the MITRE ATT&CK Framework to offensive security operations and threat emulation. Familiarity with secure software development practices and the software development lifecycle. Experience with Java application technologies, deployment frameworks, and associated security best practices. Ability to work collaboratively across teams while independently owning deliverables and maintaining accountability to deadlines. Right to Work Requirements US candidates must have an indefinite right to work within the United States. Canada candidates must have an indefinite right to work within Canada. Compensation and Benefits US Applicants Only Anticipated base salary range: $135,000 USD – $200,000 USD, based on geographic location, experience, and qualifications. Eligible for additional S&P Global benefits. Canada Applicants Only Anticipated compensation range: 135,000 CAD to 180,000 CAD, based on performance, geographic location, skills, and certifications. S&P Global will not utilize artificial intelligence in the hiring process. Hiring decisions will be communicated within 45 days of interview. Equal Opportunity Employer S&P Global is an equal opportunity employer and all qualified candidates will receive consideration for employment without regard to race, ethnicity, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, marital status, military veteran status, unemployment status, or any other status protected by law. Only electronic job submissions will be considered for employment. #J-18808-Ljbffr S&P Global