Principal Cloud/Web Penetration Tester

At Northrop Grumman, our employees have incredible opportunities to work on revolutionary systems that impact people's lives around the world today, and for generations to come. Our pioneering and inventive spirit has enabled us to be at the forefront of many technological advancements in our nation's history - from the first flight across the Atlantic Ocean, to stealth bombers, to landing on the moon. We look for people who have bold new ideas, courage and a pioneering spirit to join forces to invent the future, and have fun along the way. Our culture thrives on intellectual curiosity, cognitive diversity and bringing your whole self to work — and we have an insatiable drive to do what others think is impossible. Our employees are not only part of history, they're making history.

We build the most advanced technology solutions on, and off, Earth. Our products unfold the deepest mysteries of the Universe, vanish from radar, communicate when all else fails, and drive global security. We need good people to help those missions, and many more, be successful.

If you want to be a part of that, and have what it takes, you’re a unique breed. You’re the kind of person who can’t sleep when a problem is bugging you; to solve it you’ll teach yourself a new programming language, build your own frameworks, dismantle others’ tools to bend them to your will; you’ll want to share what you’ve learned because it’s just that cool.

Northrop Grumman is seeking creative, skilled and motivated Offensive Security professionals to join our Cyber Assessment Tiger Team (CATT) to conduct full-scope penetration testing to help find the holes in critical systems, products and networks before our adversaries can. This position is on a full-time permanent corporate team supporting the enterprise, not a contracts gig, focused primarily on cloud & web application penetration.

Duties include:

• Help our engineers and developers see through the eyes of the attacker.
• As part of a larger team, conduct analysis and penetration testing of myriad internal targets.
• Continually identify & engage targets of opportunity throughout the company. Think of it as an open bug bounty
• Exploit APIs, trust relationships and coding/implementation flaws in cloud infrastructures, containers/orchestration, applications, etc.
• Develop exploits for disclosed and undisclosed vulnerabilities.
• Prepare documentation, vetting, and weaponization of vulns for team use
• Advise and contribute to the Blue Teamers’ design, development, and implementation of countermeasures.
• Work with CATT teammates to develop tools and techniques that continually improve our effectiveness.

Basic Qualifications:

• First and foremost: be passionate, curious, diligent, and hungry for knowledge.
• Grasp security fundamentals and common vulnerabilities (e.g., OWASP Top Ten, MITRE ATT&CK) plus modern web app and enterprise app vulnerabilities.
• Have a solid understanding of AWS IAM, Lambda, S3, EC2, REST, OAUTH, etc.
• Be familiar with container solutions such as Docker, Kubernetes, App2Container, OpenShift, etc.
• Have experience writing scripts and exploit code. If you can share some samples, or have public projects, even better.
• Extensive technical computer/network knowledge and understanding of computer hardware, software, networks, communications, and connectivity.
• Proficiency in both Linux/Unix and Windows operating systems
• Experience conducting adversary emulation, including social engineering, server and client-side attacks, protocol subversion, physical access restrictions, web app and backend SQL exploitation, and remote C2.
• Proficiency in multiple common programming languages such as C, C++, C#, Go, Python, Ruby, Bourne/Bash, PowerShell, Visual Basic, VBScript, PHP, JavaScript, HTML
• Eligibility for a US security clearance

Preferred Qualifications:

• Relevant certifications such as OSCP/OSWA, GPEN/GXPN
• In depth understanding of layer 2-7 communication protocols, common encoding and encryption schemes and algorithms.
• Experience countering Advanced Persistent Threat (APT) type threats to large enterprises (USG or commercial) - familiarity with techniques and tools employed.
• Previous software development to support penetration testing including vuln dev, tool creation or modification, covert tunneling, scanning scripts, passive collection, reverse engineering, binary analysis, source code analysis, etc.
• Prior experience with modern enterprise hybrid network architecture
• Understanding of and experience either executing or defending against complex, targeted cyber threats to high-value systems and data.
• Familiarity with NIST Risk Management Framework (SP 800-53x, 800-171, etc.)
• Current TS/SCI w/ Poly Clearance or eligible and willing to go through the process to get one.

Salary Range: $115,200 USD - $172,800 USD

Employees may be eligible for a discretionary bonus in addition to base pay. Annual bonuses are designed to reward individual contributions as well as allow employees to share in company results. Employees in Vice President or Director positions may be eligible for Long Term Incentives. In addition, Northrop Grumman provides a variety of benefits including health insurance coverage, life and disability insurance, savings plan, Company paid holidays and paid time off (PTO) for vacation and/or personal business.

The health and safety of our employees and their families is a top priority. The company encourages employees to remain up-to-date on their COVID-19 vaccinations. U.S. Northrop Grumman employees may be required, in the future, to be vaccinated or have an approved disability/medical or religious accommodation, pursuant to future court decisions and/or government action on the currently stayed federal contractor vaccine mandate under Executive Order 14042 https://www.saferfederalworkforce.gov/contractors/.

Northrop Grumman is committed to hiring and retaining a diverse workforce. We are proud to be an Equal Opportunity/Affirmative Action Employer, making decisions without regard to race, color, religion, creed, sex, sexual orientation, gender identity, marital status, national origin, age, veteran status, disability, or any other protected class. For our complete EEO/AA and Pay Transparency statement, please visit http://www.northropgrumman.com/EEO. U.S. Citizenship is required for most positions.