Engineer I (Offensive Security), Information Security Assurance & Response

Position Summary:

The Offensive Security Engineer I operates, monitors, and improves information security processes and systems that protect the Bank’s data, customers, and computer systems from business disruption, data/identity compromise, cyber fraud, and regulatory criticism. This role focuses on application and development security, application penetration testing capabilities, and cloud infrastructure/platform security.

Essential Functions:

Key Offensive Security responsibilities include:

• Conducting Red Team Exercises to simulate Advanced Persistent Threats (APTs) against web, mobile, and cloud-based applications to identify security weaknesses and assess the effectiveness of security controls.
• Perform in-depth manual and automated penetration testing against Cloud and On Prem Networks and applications to discover vulnerabilities and weaknesses that could be exploited.
• Work with development teams to identify potential security threats early in the software development lifecycle (SDLC) and provide recommendations to mitigate risks.
• Develop and enhance tools, scripts, and frameworks to automate testing and reporting processes, including setting up continuous integration (CI) security checks.
• Document findings in detailed, actionable reports for both technical and non-technical stakeholders. Communicate effectively with developers, engineers, and executive leadership on remediation strategies.
• Collaborate with Blue Team (defensive security), DevOps, and engineering teams to improve detection and response capabilities.
• Stay updated on the latest security threats, vulnerabilities, and exploits, and apply this knowledge to enhance Red Team operations.

Each Security Engineer is also responsible to cross-train and be familiar with other security functions as assigned:

• Security Monitoring & Response - Detects and responds to security events by identifying, reporting, mitigating, and recovering from security incidents.
• Security Control Engineering and Operations - Enables and protects business services with appropriate access, endpoint, network, data storage, and data loss prevention controls, including vulnerability and controls testing.
• Security Risk & Program Management - Assesses and advises technology and business groups by identifying, prioritizing, managing, and reporting security risk.
• Performs other duties as assigned.

Compliance with Laws & Regulations: 

• Responsible for complying with all of the Bank’s internal control policies and procedures.
• Responsible for understanding and complying with all laws and regulations to which the Bank is subject.
• Responsible for communicating problems in operations, noncompliance with the code of conduct, noncompliance with laws and regulations, policy violations, or illegal acts. 

Education and Experience:

• Associate’s degree in computer science, Cybersecurity, Information Security, or a related field. Equivalent experience will also be considered. Work experience or individuals pursuing a bachelor’s degree will also be considered in lieu of a degree.
• 0-3+ years of experience in application security, penetration testing, or Red Team operations.

Summary of Qualifications:

• Familiarity in programming/scripting languages such as C#, Python, JavaScript, PowerShell, Bash, or other relevant to security testing.
• Foundational Linux skills.
• Demonstrated skills with security concepts, defense-in-depth strategies, security tools, and protocols.
• “White-hat” mentality, with a healthy sense of paranoia (security awareness and risk).
• Positive, inquisitive, can-do attitude.
• Self-starter, requires minimal oversight to perform as expected, work well independently and as part of a team.
• Comfortably perform well under pressure, deliver to commitments on tight deadlines.
• Meticulous attention to detail.
• Passion for cybersecurity and technology trends, news, and hacking techniques.