Senior Penetration Tester
We invite a Senior Penetration Tester to join our team. It's an office-based role – no remote or hybrid options.
This role involves leading end-to-end penetration testing engagements and performing security reviews of cloud-native services, Kubernetes workloads, CI/CD pipelines, and microservices. You will also be responsible for discovering and exploiting vulnerabilities across real-money flows and partnering with various teams to translate findings into concrete fixes.
Responsibilities:
- Lead end-to-end penetration testing engagements across web applications, APIs, mobile, internal and external networks and cloud (primarily AWS).
- Run red-team and assumed-breach operations - initial access, privilege escalation, lateral movement, persistence, exfiltration - including against fraud and detection stacks.
- Perform security reviews of cloud-native services, Kubernetes workloads, CI/CD pipelines, and microservices.
- Discover and exploit vulnerabilities across real-money flows - payments, deposits and withdrawals, wallets, KYC / AML, bonus systems, and affiliate tracking.
- Partner with product, engineering, AppSec, payments, and fraud teams to translate findings into concrete fixes and durable controls.
- Develop custom tooling, scripts, and methodology where no out-of-the-box approach exists.
- Build and validate declarative threat models and contribute to "secure by design" practice.
- Mentor mid and junior testers, review their engagement plans and reports.
- Track new CVEs, TTPs, MITRE ATT&CK updates, and regulator advisories - translate them into concrete changes to our testing methodology and controls.
- Support pre-sales scoping, effort estimation, and pre-certification engagements for new products and jurisdictions.
- Serve as a trusted offensive-security advisor to product, engineering, and compliance teams.
Requirements:
- Minimum 4 years of hands-on penetration testing or offensive-security experience.
- Proven track record across at least three of: web / API, internal network, external network, cloud (AWS / GCP), mobile (iOS / Android).
- OSCP or an equivalent hands-on, lab-based certification.
- Strong working knowledge of SAST/SCA/DAST tooling, AWS/GCP, MITRE ATT&CK, OWASP ASVS / WSTG, PTES.
- Understanding of application data flow and the MVC model.
- Understanding of supply chain attacks.
- Good reporting skills.
- Comfortable scripting in Python and Bash.
- Knowledge of at least one major cloud provider's IAM model.
- Experience pentesting cloud-native systems and Kubernetes environments, plus the CI/CD pipelines around them (GitLab, GitHub Actions, Jenkins) and IaC (Terraform, Helm, CloudFormation).
- Strong written and verbal communication in English.
- Experience balancing security and business demands under release pressure.
- Familiarity with industry regulations, frameworks, and practices: PCI DSS, ISO 27001, NIST, GDPR.
We offer:
- Career growth opportunities in an international and dynamic environment;
- Opportunity to develop language skills with partial compensation for language courses;
- Special gifts for birthdays, weddings, and newborns;
- 20 working days of paid annual vacation, plus 6 paid sick days;
- Office snacks and refreshments;
- Sports package to support a healthy lifestyle;
- Comprehensive medical insurance for you and your partner;
- Comfortable office with great facilities in a prime location;
- Exciting corporate events, team-building activities, and international company parties.
BrainRocket is a software development and design company founded in 2020 and headquartered in Limassol, Cyprus. It builds end-to-end technology products across industries including iGaming, fintech and marketing, covering platform development, payments, CRM, data and AI. The company employs more than 1,300 people, with additional offices in Malta, Poland, Portugal and Serbia, and has delivered over 100 products across 20 markets. BrainRocket positions itself as a full-cycle technology partner engineering software built for scale and performance.