The Role:
This role strengthens GM’s protection, detection, and response capabilities by simulating real-world attacker objectives and actions across GM’s technology landscape. You will plan and execute hands-on penetration tests, uncover root causes, and drive actionable remediation with engineering partners. The ideal candidate operates with minimal guidance, communicates clearly, and delivers high-quality, evidence-backed results.
What You'll Do (Responsibilities):
- Plan, scope, and execute application penetration tests (lead and supporting roles) across web, API, and mobile surfaces; incorporate relevant code, pipeline, and infrastructure review to map end-to-end attack paths.
- Perform authenticated and unauthenticated testing using industry-standard techniques; develop targeted tests and proof-of-concepts to validate exploitability and business impact.
- Document clear, reproducible findings with severity, impact, and pragmatic remediation guidance; deliver concise readouts to technical and non-technical stakeholders.
- Validate fixes and risk reductions, ensuring sustainable remediation and knowledge transfer to engineering teams.
- Collaborate with internal stakeholders on external vulnerability reports received through the company’s responsible disclosure program and help reduce recurring patterns.
- Contribute to safe test automation and scale (e.g., authenticated testing orchestration, repeatable workflows, CI/CD touchpoints) to improve coverage and consistency.
- Maintain awareness of emerging threats, testing techniques, and common weaknesses; advocate for secure-by-design patterns and developer enablement.
Your Skills & Abilities (Required Qualifications):
- 2+ years of hands-on experience in penetration testing, security assurance, or vulnerability management, including white-box or gray-box testing
- Solid understanding of web and API security concepts (authentication/SSO, session management, injection classes, deserialization, SSRF, RCE, access control)
- Proficiency applying industry-standard offensive testing methods and authenticated testing setups; ability to create high-quality test cases and execute both manual and automated assessments
- Experience writing professional-grade penetration test reports and presenting findings/readouts to diverse audiences
- Broad familiarity with operating systems, networks, and cloud-native architectures; ability to reason about upstream/downstream dependencies and systemic risk
People Skills:
- Strong written and verbal communication skills; able to translate complex technical issues into actionable guidance
- High integrity handling confidential and sensitive information; capable of managing multiple engagements, priorities, and deadlines with minimal supervision
What Will Give You A Competitive Edge (Preferred Qualifications):
- Bachelor’s degree in Computer Science, Cybersecurity, Information Technology, or a related technical discipline
- Experience responsibly developing or adapting exploits and proof-of-concepts to validate risk
- Recognized certifications (e.g., OSCP, GIAC, CISSP, or equivalent)
- Experience with mobile or AI/LLM application testing, red teaming/threat hunting collaboration, or building repeatable pentest/CI/CD integrations