Vulnerability Engineer / Security Tester - +5 years - Contractor in USD
All European Careers
Job Description
For our international customer, we are looking for a fully remote Vulnerability Engineer / Security Tester. Candidates need to be flexible enough to work across time zones, including alignment with US Eastern Time where required, and must be fluent in English.
Tasks and responsibilities:
- Execute and support application vulnerability assessments (SAST, DAST, SCA, and manual code review), ensuring findings are accurate, actionable, and relevant to application risk.
- Validate scanner results, perform false-positive analysis, and track findings through remediation, including retesting to confirm that fixes are effective.
- Manage multiple application security initiatives concurrently while meeting strict timelines in a fast-paced environment.
- Prioritize vulnerabilities based on business impact, exploitability, exposure, and likelihood, using industry best practices (e.g., CVSS scoring).
- Develop and maintain dashboards and reports tracking vulnerability metrics such as severity distribution, remediation SLAs, and mean time to remediation (MTTR).
- Support the integration of security scanning and vulnerability workflows into CI/CD pipelines, leveraging existing tooling and automation.
- Facilitate remediation planning by providing actionable recommendations and coordinating root cause analysis.
- Support threat modeling and application risk assessments, with a focus on discovering insecure design patterns.
- Participate in high-severity or zero-day vulnerability response activities, including impact analysis and coordinated remediation efforts, as needed.
- Provide input into policies and standards related to application and cloud security controls.

Profile:
- Bachelor's or Master's degree in Information Technology, Cybersecurity, Computer Science, or a related discipline, or equivalent professional experience.
- 5+ years of relevant experience in application security and/or vulnerability management.
- Solid understanding of common vulnerability classes (e.g., OWASP Top 10) and secure architecture principles.
- Proficiency in using Burp Suite for manual security testing of web applications and APIs, including validation of automated findings and identification of complex authentication, authorization, and business-logic vulnerabilities.
- Hands-on experience with tools such as Burp Suite, Fortify, Checkmarx, SonarQube, Black Duck, Tenable, and common network discovery tools (e.g., Nmap).
- Familiarity with NIST, MITRE ATT&CK, and CIS benchmarks.
- Programming/scripting proficiency in languages such as Python, Java, .NET, or similar.
- Excellent documentation, communication, and stakeholder engagement skills.
- Fluent in English.

Desirable:
- Professional certifications (e.g., Security+, SSCP, GWAPT, or pursuing CISSP, OSCP).
- Experience using the ServiceNow platform for vulnerability or incident tracking.
- Proficiency in Azure cloud and Azure DevOps environments.
- Experience using Power BI or similar tools to visualize vulnerability metrics and remediation trends for technical and non-technical stakeholders.