Jobs Career Advice Post Job
X

Send this job to a friend

X

Did you notice an error or suspect this job is scam? Tell us.

  • Posted: Jul 6, 2026
    Deadline: Not specified
    • @gmail.com
    • @yahoo.com
    • @outlook.com
  • We bring an Out of the Ordinary approach to creating and managing wealth. Founded in South Africa as a small finance company, today we offer clients our services as a global bank and asset management group. Follow us on LinkedIn for unique insights from leading minds within the world of finance and Out of the Ordinary stories about our people, communit...
    Read more about this company

     

    Penetration Tester (Group Tech - Information Security)

    Description

    • The Senior Penetration Tester is responsible for identifying, validating, and clearly communicating security vulnerabilities across Investec's applications, APIs, cloud-hosted services, and supporting infrastructure.
    • The primary focus of the role is application security and penetration testing of modern web applications, APIs, and services deployed in Azure. The role also requires a strong understanding of identity and access attack paths, including Active Directory, Microsoft Entra ID, authentication flows, privilege escalation, and related cloud identity risks.
    • The role works closely with development teams, platform teams, architects, and security stakeholders to plan and execute assessments, explain real-world risk, and support effective remediation. The successful candidate will combine hands-on offensive security testing with practical engineering enablement, helping teams improve security while supporting delivery.
    • Red team and adversary simulation experience is advantageous, but the primary focus of the role is structured penetration testing.

    Key responsibilities

    Penetration Testing and Offensive Security

    • Plan, scope, and execute penetration tests focused on web applications, APIs, and Azure-hosted services. 
    • Identify and safely validate vulnerabilities, including complex or chained attack paths, to demonstrate realistic impact. 
    • Conduct manual testing beyond automated scanning, with appropriate rules of engagement and care for production systems. 
    • Capture clear evidence of findings, exploitability, impact, and remediation validation. 

    Web, API and Application Testing

    • Perform in-depth security testing of web applications and APIs, particularly modern Angular, .NET, and Azure-hosted environments. 
    • Assess application architecture, authentication, authorisation, API integrations, data flows, and trust boundaries. 
    • Test for common and complex application security issues, including access control flaws, injection, insecure configuration, SSRF, insecure deserialisation, and business logic weaknesses. 
    • Provide developers with practical remediation guidance and contribute to reusable AppSec testing patterns and methodologies. 

    Azure, Identity and Supporting Infrastructure Testing

    • Assess Azure-hosted application environments, including identity, access control, managed identities, secrets handling, storage exposure, networking, and privilege escalation paths. 
    • Evaluate identity-related attack paths across Active Directory, Microsoft Entra ID, hybrid identity, service principals, privileged roles, conditional access, and authentication mechanisms. 
    • Test supporting infrastructure where it is relevant to application security, identity exposure, or platform risk. 
    • Apply red team or adversary simulation techniques where appropriate, while recognising that full-scope red teaming is not the primary focus of the role. 

    Reporting, Remediation and Risk Communication

    • Produce clear penetration testing reports that explain findings, evidence, exploitability, risk, and impact. 
    • Translate technical vulnerabilities into actionable and prioritised remediation guidance. 
    • Communicate risk in terms of realistic attack paths, affected systems, business impact, and control weaknesses. 
    • Work with development, architecture, platform, and security teams to track, retest, and validate remediation. 

    Security Enablement and Collaboration

    • Work closely with developers, architects, platform engineers, and security stakeholders to improve application security maturity. 
    • Support secure engineering practices across CI/CD pipelines, cloud deployment patterns, infrastructure as code, secrets management, and release processes. 
    • Contribute to application security standards, testing patterns, secure development guidance, and operational processes. 
    • Support peer review, methodology sharing, and technical guidance within the security team. 

    Qualifications, Experience and Skills

    • Bachelor's degree in Computer Science, Information Technology, Engineering, Cyber Security, or a related discipline, or equivalent practical experience. 
    • Proven hands-on penetration testing experience, with strong depth in web application and API testing. 
    • Practical experience testing modern applications, preferably Angular, .NET, REST APIs, and Azure-hosted services. 
    • Strong understanding of secure software delivery and the ability to engage effectively with development teams. 
    • Experience working in enterprise environments where security, delivery, risk, and operational stability must be balanced. 

    Relevant Certifications

    Desirable certifications include: 

    • OSCP, OSWE, OSEP, or equivalent offensive security certifications. 
    • Microsoft Azure, cloud security, application security, or identity-focused certifications. 
    • Red team certifications such as CRTO or CRTL are advantageous. 
    • Equivalent practical experience will be considered alongside formal certifications. 

    Technical Skills and Experience

    Required

    • Strong hands-on application and API penetration testing experience. 
    • Deep familiarity with web and API security issues, including OWASP Top 10, authentication and authorisation flaws, injection, insecure configuration, and business logic weaknesses. 
    • Working knowledge of modern web application architectures, particularly Angular, .NET/C#, TypeScript, REST APIs, and Azure-hosted application services. 
    • Ability to read and reason about application code, configuration, logs, and deployment artefacts. 
    • Practical Azure security testing experience, particularly around application hosting, identity, access control, managed identities, networking, storage, and secrets. 
    • Good understanding of Active Directory, Microsoft Entra ID, hybrid identity, authentication protocols, privilege escalation, and identity-based attack paths. 
    • Understanding of CI/CD pipelines, cloud-native deployment patterns, infrastructure as code, secrets management, and common software delivery risks. 
    • Scripting and automation ability using PowerShell, Bash, Python, or similar technologies. 
    • Experience with tools such as Burp Suite, Nmap, BloodHound, and relevant cloud or identity assessment tooling. 

    Advantageous

    • Exposure to Java application environments. 
    • Experience with red teaming, adversary simulation, assumed breach testing, or purple team exercises. 
    • Exposure to AWS, Oracle Cloud, wireless testing, or broader infrastructure penetration testing. 
    • Familiarity with OWASP, MITRE ATT&CK, and relevant cloud security benchmarks. 
    • Experience developing reusable security testing tooling, scripts, or methodologies. 

    Check how your CV aligns with this job

    Method of Application

    Interested and qualified? Go to Investec on careers.investec.co.za to apply

    Build your CV for free. Download in different templates.

  • Send your application

    View All Vacancies at Investec Back To Home
  • Popular Jobs

Career Advice

View All Career Advice
 

Subscribe to Job Alert

 

Join our happy subscribers

 
 
 
Send your application through

GmailGmail YahoomailYahoomail