PlutoSec is a Canada-based cybersecurity consulting firm specializing in manual-first penetration testing. We work with startups, enterprises, and regulated organizations across web, network, cloud, and API environments. Our focus is depth, realism, and real-world attack simulation, not just automated scans.
Job Description
We are looking for an experienced Manual Penetration Tester with a strong offensive security mindset. This role is ideal for someone who enjoys deep manual testing, exploit validation, and producing high-quality, actionable reports.
GPEN certification is mandatory.
Key Responsibilities
- Perform manual penetration testing for:
  - Web applications
  - APIs (REST / GraphQL)
  - Internal & external networks
  - Cloud environments (AWS / Azure / GCP)
- Conduct attack simulations aligned with:
  - OWASP Top 10
  - NIST SP 800-115
  - PTES
  - MITRE ATT&CK
- Validate vulnerabilities with real-world proof-of-concepts (PoCs)
- Identify business logic flaws and chained attacks
- Write clear, professional penetration testing reports with remediation guidance
- Work closely with internal teams and clients during remediation and retesting
Required Qualifications
- GPEN (GIAC Penetration Tester) – Required
- Strong hands-on experience with manual testing (not scan-only)
- Solid understanding of:
  - Web application security
  - Authentication & authorization flaws
  - API security
  - Network protocols & exploitation
- Experience with tools such as:
  - Burp Suite Pro
  - Nmap
  - Metasploit
  - Nuclei
  - Custom scripts & tooling
- Ability to explain technical risks to non-technical stakeholders
Nice to Have
- OSCP, GWAPT, or CRTO
- Cloud security testing experience
- Secure code review exposure
- Experience working with SOC 2 / ISO 27001 clients
What We Offer
- Competitive compensation (project-based or salary)
- Exposure to real-world, high-impact security engagements
- A technical, no-nonsense security team that values quality over volume
- Long-term growth opportunities