Systems Security Specialist

Location:

• Baltimore, MD (local candidates only) Position Type: Hybrid Hybrid Schedule: 2 days onsite, 3 days remote Contract Length: 6 months + extensions Note: Must be flexible to work overtime, on-site/off-site, as needed, including weekends, holidays, and off-hours.

Position Overview:

• We are seeking a highly skilled Offensive Security Engineer to support enterprise cybersecurity initiatives through advanced penetration testing, red team operations, vulnerability assessments, and adversary emulation activities.
• This role is responsible for identifying and validating security risks across networks, applications, APIs, cloud platforms, and identity systems while providing actionable remediation guidance to technical and executive stakeholders.

Duties:

• Conduct internal and external penetration testing of networks, web applications, APIs, and cloud environments to identify security vulnerabilities and exploit paths.
• Perform red team engagements simulating real-world adversary tactics, techniques, and procedures (TTPs) aligned with MITRE ATT&CK.
• Execute vulnerability assessments and validate remediation efforts through retesting and technical verification.
• Develop comprehensive penetration testing reports, including executive summaries, risk ratings, proof-of-concept evidence, and actionable remediation guidance.
• Perform threat modeling and attack surface analysis to identify high-risk exposure areas and privilege escalation pathways.
• Conduct secure configuration reviews of operating systems, network infrastructure, cloud platforms, and identity systems.
• Evaluate application security through dynamic and manual testing techniques, including authentication, session management, input validation, and access control testing.
• Review source code for security weaknesses and secure coding gaps, particularly in C/C++, Python, Java, or similar languages.
• Develop and maintain custom scripts or tooling to automate testing activities and enhance offensive security capabilities.
• Support incident response activities by recreating attack chains, validating compromise scenarios, and identifying root causes.
• Assess Zero Trust implementations, micro-segmentation strategies, and identity-based security controls for effectiveness.
• Conduct phishing simulations and social engineering exercises to evaluate user awareness and organizational resilience.
• Provide technical briefings to executive leadership and technical stakeholders regarding risk posture and remediation prioritization.
• Collaborate with engineering, DevOps, and infrastructure teams to remediate identified vulnerabilities and strengthen security architecture.
• Contribute to the development of security policies, testing methodologies, and enterprise security standards.
• Support compliance efforts by mapping testing results to NIST, OWASP, CIS, or other applicable security frameworks.
• Participate in continuous improvement of penetration testing methodologies, tools, and adversary emulation strategies.
• Adhere to all security, change control, and MHBE Project Management Office (PMO) policies, processes, and methodologies.

Required Qualifications:

• 8+ years of progressive experience in cybersecurity. 5+ years of experience performing penetration testing or red team engagements. 5+ years of experience conducting network penetration testing, web application and API testing, internal and external vulnerability assessments, and threat modeling and attack path analysis. 5+ years of experience developing and delivering formal penetration test reports, including executive summaries and technical remediation guidance. 5+ years of experience supporting incident response investigations and validation testing. 5+ years of experience using common penetration testing tools such as Metasploit, Burp Suite, Nmap, Wireshark, and Nessus.
• Strong knowledge of secure coding practices, application security testing (SAST/DAST concepts), network architecture and segmentation, and identity and access management concepts. 5+ years of demonstrated scripting or development experience in at least one language such as Python, C/C++, PowerShell, or Bash. 5+ years of experience working with the NIST Cybersecurity Framework, NIST 800-53 or similar federal control frameworks, MITRE ATT&CK, and OWASP Top 10. 5+ years of experience mapping findings to security control frameworks.
• At least one recognized offensive security certification such as OSCP, GPEN, GXPN, or CEH; equivalent hands-on experience may substitute for certification.
• Demonstrated ability to communicate technical findings to executive and non-technical audiences and provide actionable remediation recommendations.
• Demonstrated experience working in government or highly regulated environments.

Preferred Qualifications:

• 10+ years of progressive experience in cybersecurity. 8+ years of experience in advanced offensive security, including leading red team engagements, performing adversary emulation exercises, conducting phishing and social engineering simulations, and performing purple team exercises. 5+ years of experience in Zero Trust and architecture, including designing or assessing Zero Trust implementations and evaluating micro-segmentation strategies and identity-centric controls. 5+ years of experience in cloud and modern infrastructure, including performing security assessments in AWS or Azure environments, containerized environments (Docker/Kubernetes), and Infrastructure-as-Code deployments. 5+ years of experience testing CI/CD pipelines. 10+ years of experience in software development, including strong low-level development knowledge in kernel, assembly, and embedded systems to support advanced exploit analysis. 10+ years of experience reviewing source code in Java or other compiled languages for vulnerabilities. 10+ years of experience supporting federal or state government security programs. 10+ years of familiarity with FedRAMP, FISMA, or IRS Publication 1075 environments.
• Powered by JazzHR