Penetration Tester - Offensive Security
Remote
Full Time
Mid Level
Location: Hybrid / On-site at client locations as required
Department: Offensive Security & Adversary Simulation
About Malleum
Malleum is at the forefront of next-generation cyber defense, partnering with marquee clients across space, aerospace, defense, government, financial services, and critical infrastructure. We're experiencing exceptional growth as demand accelerates for trusted advisors capable of delivering at the intersection of national security, allied intelligence cooperation, and enterprise resilience. Our offensive security consultants test the systems behind cutting-edge defensive technologies, sovereign space capabilities, and allied programs - finding the gaps before adversaries do, on networks that protect missions of genuine national consequence. If you take pride in breaking things ethically - and helping the most consequential organizations build back stronger - Malleum is where your craft meets purpose.
The Opportunity
We're seeking a Penetration Tester to deliver hands-on offensive security engagements across client networks, applications, cloud environments, and operational technology. You'll work directly within client environments - including sovereign, regulated, and cleared settings - emulating real-world adversaries, documenting findings, and partnering with clients to drive meaningful remediation.
This is a hands-on consulting role for a practitioner who blends deep technical tradecraft with strong client presence and the discipline to deliver findings clearly, safely, and on schedule.
What You'll Do
- Plan, scope, and execute penetration tests across external, internal, web application, API, mobile, cloud (Azure / AWS / GCP), wireless, and Active Directory targets
- Conduct red team and adversary emulation engagements aligned to MITRE ATT&CK, executing realistic TTPs against client environments
- Perform assumed-breach assessments, internal pivoting, privilege escalation, and lateral movement exercises
- Support purple team exercises in partnership with client SOC and Malleum's IR practice to improve detection and response
- Execute social engineering campaigns (phishing, vishing, physical) where contracted, with rigorous rules of engagement
- Conduct cloud configuration reviews against CIS Benchmarks, CSA CCM, and provider-specific baselines
- Support OT / ICS / SCADA security testing for defense and critical-infrastructure clients (with appropriate safety controls)
- Develop custom tooling, scripts, and payloads (PowerShell, Python, C#, Go) to evade modern EDR and ZTNA controls during sanctioned engagements
- Produce high-quality client deliverables: executive summaries, technical findings, reproduction steps, evidence, CVSS-scored risk ratings, and pragmatic remediation guidance
- Deliver findings briefings to client stakeholders - from engineers to executive leadership and boards - with clarity and professionalism
- Contribute to scoping, estimation, statements of work, and continuous improvement of Malleum's offensive security service offerings
- Maintain meticulous engagement hygiene: rules of engagement, scope control, evidence handling, and safe-listing coordination
- Participate in research, internal tooling development, CTFs, and conference contributions to grow Malleum's offensive capability and brand
What You Bring
- 4+ years of professional penetration testing or red team experience, ideally in a consulting, MSSP, or in-house offensive security team
- Demonstrated success working directly with clients - strong communication, professionalism, and stakeholder management skills
- Deep working knowledge of network, web application, and Active Directory attack paths (Kerberoasting, AS-REP roasting, NTLM relay, ADCS abuse, BloodHound-driven pathing)
- Hands-on proficiency with offensive tooling: Burp Suite Pro, Nmap, Nessus / Nuclei, Metasploit, Cobalt Strike, Sliver, Mythic, Impacket, BloodHound, CrackMapExec / NetExec, Responder, Mimikatz, and modern C2 frameworks
- Strong scripting skills in Python, PowerShell, and Bash; comfort reading and modifying C#, Go, or Rust tooling
- Experience evading or bypassing EDR (Defender, CrowdStrike, SentinelOne), AMSI, and modern Windows defenses
- Familiarity with cloud attack paths in Azure / Entra ID (Pass-the-PRT, illicit consent grants, managed identity abuse) and AWS (IAM privilege escalation, metadata service abuse)
- Solid grasp of ZTNA and identity-aware perimeters (e.g., Cloudflare Access, Zscaler, Entra Conditional Access) and how they reshape attacker tradecraft
- Comfort emulating adversary TTPs mapped to MITRE ATT&CK and known threat-actor playbooks
- Familiarity with testing standards: PTES, OWASP WSTG / MASTG / ASVS, NIST SP 800-115, OSSTMM
- Awareness of compliance contexts that frame client expectations: PCI DSS, SOC 2, NIST 800-171 / CMMC, CPCSC, ITSG-33, ISO 27001:2022
- Certifications such as OSCP, OSEP, OSWE, OSCE3, CRTO, CRTL, GPEN, GXPN, GWAPT, GMOB, GCSA / GPCS / GCLD (cloud), AWS Certified Security – Specialty, Microsoft SC-100 / AZ-500 strongly preferred; OSCP or equivalent practical certification (e.g., CRTO, HTB CPTS, PNPT) is a baseline expectation
- Demonstrated ability to perform under pressure - calm, methodical, and ethical when engagements surface sensitive findings
- Willingness and availability to work odd hours and extended shifts when supporting time-boxed red team windows, after-hours testing, or rapid-response offensive support during active IR matters
- Comfort working across multiple client environments, tooling stacks, and rules-of-engagement simultaneously
- Eligibility for Government of Canada security clearance (Secret or higher); existing clearance highly valued; or controlled-goods registration considered an asset
- Bilingualism (English/French) considered a strong asset
Why Malleum
- Test the systems behind programs with genuine national and allied security impact - across aerospace, defense, and critical infrastructure
- Join a rapidly scaling firm with a flat, high-trust culture and direct access to senior offensive, IR, and engineering leaders
- Exposure to a wide variety of advanced targets, sectors, and cleared environments
- Dedicated research time, lab budget, and support for conference talks, CVE research, and open-source contributions
- Competitive compensation, performance incentives, and comprehensive benefits
- Continuous learning budget, certification sponsorship (OSCP, OSEP, OSWE, CRTL, SANS), and clear paths into senior red team, exploit development, or offensive research specializations
Malleum is an equal opportunity employer. We welcome applications from all qualified candidates and are committed to building a team that reflects the communities and missions we serve.
We are proud to accommodate individuals with disabilities throughout the recruitment and selection process. Please indicate your need for accommodations in your application.