Penetration Tester

Merrifield, Virginia, United States

Full Time
phia LLC logo
phia LLC
Apply now Apply later

Posted 1 month ago

OVERVIEW: Have you ever wanted to work for a company where you felt like part of a family? Wouldn’t it be great if you could just grab a cup of coffee with an executive team member, or have one of your achievements recognized personally by one of the owners of the company? Imagine how much you could grow if the company you worked for had in-house mentors who really cared about your goals. When you join the phia Phamily, this is what you’ll encounter!

phia, LLC is hiring a skilled PCI Penetration Tester for **Limited scope engagement – Surge support** to engage in penetration testing, processes and procedures. The work will begin around the first of the year with deliverables due in February. There may be additional engagements after February, pending the results of the initial testing. The penetration tester will provide technical security assessments of applications and infrastructure, security design reviews as well as risk assessments. This is a hands-on role, requiring technical skills from the hardware to the application layer. This position is in Merrifield, VA or Eagan, MN.


  • Performs assessments of systems and networks within the enterprise and identifies where those systems/networks deviate from acceptable configurations, enclave policy, or local policy.
  • Measures effectiveness of defense-in-depth architecture against known vulnerabilities and attack techniques.
  • Conduct and/or support authorized penetration testing on enterprise network assets with a focus on application security.
  • Define procedures for penetration testing assessment for servers, endpoints, network appliances, and applications.
  • Perform application security assessments of key business services and provide written reports on the security posture of those systems.
  • Collaborate with SOC and threat intelligence analysts to identify and defend against common attack vectors.
  • Prepare audit reports that identify technical and procedural findings, and provide recommended remediation strategies/solutions.
  • Advise government leadership on Plans of Action and Milestones (POA&Ms) for vulnerability remediation.



  • 5+ years of experience
  • Bachelor’s Degree, Master’s Degree, PhD or JD in a technical specialty such as cyber security, computer science, management information systems or related IT field.
  • Diverse experience in cyber security vulnerability assessments with a focus on application security assessments, or equivalent combination of education and work experience.
  • Ethical hacking experience including experience in Information Security, application vulnerability testing, code-level security auditing, and secure code reviews.
  • Must reside within commutable distance to Merrifield, VA or Eagan, MN


Knowledge of:

  • system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • laws, regulations, policies, and ethics as they relate to penetration testing.
  • ethical hacking principles and techniques.
  • risk management processes (e.g., methods for assessing and mitigating risk).
  • application Security Risks (e.g. Open Web Application Security Project Top 10 list).
  • different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).
  • cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored).
  • cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
  • network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  • network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML).
  • programming language structures and logic.

Skill in:

  • conducting application vulnerability assessments.
  • mimicking threat behaviors.
  • use of penetration testing tools and techniques.
  • use of social engineering techniques. (e.g., phishing, baiting, tailgating, etc.).
  • using network analysis tools to identify vulnerabilities. (e.g., fuzzing, nmap, etc.).
  • performing impact/risk assessments.
  • develop insights about the context of an organization’s threat environment.

Ability to:

  • identify systemic security issues based on the analysis of vulnerability and configuration data.
  • apply programming language structures (e.g., source code review) and logic.
  • share meaningful insights about the context of an organization’s threat environment that improve its risk management posture.

WORK SCHEDULE: Varies dependent upon test cycle


TELEWORK ELIGIBILITY: Full/Frequent remote capability during the pandemic/ subject to change.

SECURITY REQUIREMENTS: Top Secret/ SCI or eligibility to obtain a security clearance



phia, LLC is a Northern Virginia based, 8a certified small business that was established in 2011. We focus on the full spectrum of disciplines within the cyber, intelligence, and technology arenas.

We support mission-critical teams within various agencies and offices within the Federal government, including Civilian, Defense, Law Enforcement and Intel. We like to describe phia as truly by technical people and for technical people. phia’s founders wanted to create an employee-centered culture, where we care about the people as much as the mission.

Our goal is to continue to hire talented and passionate team members, who desire to grow their skillsets as well as the reputation of the company with our partners, clients and stakeholders. With this goal in mind, we invite you to apply for positions, even if you don't meet the desired years of experience listed in our position descriptions. We are more interested in intellectually curious individuals with the ability to work autonomously and with teams. If your experience does not match our exact requirements of a position but you are otherwise an awesome candidate, we will work hard to find a position that suits you.

Our company culture is unique; we consider everyone on the team a part of the “phia phamily”. We make great efforts to foster cohesiveness through one-on-one interactions, professional mentoring, and group outings. In short, our leadership team is personally invested in each employee. phia offers a rewarding environment with talented & passionate people.

phia offers excellent benefits for full time W2 candidates to enhance the work-life balance, these include the following:

  • Medical Insurance
  • Dental Insurance
  • Vision Insurance
  • Life Insurance
  • Short Term & Long-Term Disability
  • 401k Retirement Savings Plan with Company Match
  • Paid Holidays
  • Paid Time Off (PTO)
  • Tuition and Professional Development Assistance
  • Flex Spending Accounts (FSA)
  • Parking Reimbursement
  • Monthly Payroll
Job tags: Architecture Auditing CISM CISSP Clearance Ethical hacking GIAC Network security Nmap OSCP PCI Penetration Tester Penetration testing Security assessments Security Clearance Threat intelligence Top Secret Vulnerabilities
Share this job: