Specialist, Penetration Tester

Join to apply for the Specialist, Penetration Tester role at KPMG US.

KPMG Advisory practice is currently our fastest growing practice. We are experiencing tremendous client demand and expect this to continue. Our professionals must be adaptable and thrive in a collaborative, team-driven culture. At KPMG, our people are our top priority. We offer numerous learning and career development opportunities, a world-class training facility, and leading market tools to support professional and personal growth. If you seek a firm with a strong team connection where you can be your authentic self, make an impact, enhance your skills, and explore new areas of inspiration, consider a career in Advisory.

KPMG is seeking a Specialist, Penetration Tester to join our Managed Services practice.

1. Perform automated application and network penetration tests to discover and exploit vulnerabilities in web applications, internal applications, APIs, internal and external networks, and mobile applications.
2. Conduct dynamic application security tests on web applications.
3. Implement static application security tests on source code, identify false positives, and reprioritize findings based on severity.
4. Execute vulnerability analysis against internal and external networks using automation techniques and solutions.
5. Progress to executing independently in either application or network domains within one year of service.
6. Act with integrity, professionalism, and personal responsibility to uphold KPMG's respectful and courteous work environment.

• Minimum one year of recent experience with application and/or network penetration tools such as AppScan, NetsSparker, Acunetix, BurpSuite, OWASP ZAP, Tenable Nessus, Qualys, Kali Linux, Metasploit, or equivalent; experience with technical and non-technical audiences in reporting results and leading remediation discussions.
• Bachelor's degree from an accredited institution or equivalent industry experience.
• Background in mobile application testing, manual code analysis, or static analysis using tools like Veracode, Fortify, SonarQube, Checkmarx, Contrast, or similar.
• Experience with programming languages such as Python, JavaScript, PHP, C/C++, SQL, or others.
• Ethical hacking certifications (e.g., CEH, GWAPT, GPEN, OSCP, OSWA) are a plus but not required.
• Ability to travel as necessary.
• Authorized to work in the U.S. without sponsorship now or in the future; no visa sponsorship available.