Senior Security Engineer - Penetration Tester

Job DescriptionAs the Senior Security Engineer on our team, you will work very closely with security applications and more specifically our penetration testing program, red teaming, dynamic application security testing program, as well as our broader application security program.You will be part of an experienced team of skilled penetration testers. You'll participate in all phases of penetration testing as well as other individual and team-based work all focused on the information security of our enterprise. This is an exciting opportunity for an appropriately experienced penetration this opportunity you will also:tProtect money movement, Healthcare and other sensitive consumer information.tBe a part of transforming Healthcare in America.tBe a part of expanding opportunities to test Application Programming Interfaces (APIs), cloud, Industrial Control Systems (ICS), web tags, and Internet of Things (IoT).tCollaborate with many other bright and experienced security professionals, application developers and data scientists.This position is available fully remote anywhere in the United States.Pay RangeThe typical pay range for this role is:Minimum: 95,000Maximum: 209,000Please keep in mind that this range represents the pay range for all positions in the job grade within which this position falls. The actual salary offer will take into account a wide range of factors, including location.Required Qualificationst8+ years of information security experience t4+ years of penetration testing experience.t8+ years of professional experience penetration testing both web applications, and networks.t4+ years of experience assessing web applications using automated and manual techniques to identify web application vulnerabilities.t3+ years of experience with penetration test report writing.t2+ years of experience with penetration test report review/QA experience (reviewing other testers reports).t4+ years of experience conveying/explaining penetration test results to clients, IT leaders, application teams, engineers, and analysts either technically or non-technically (dependent upon audience).COVID RequirementsCOVID-19 Vaccination RequirementCVS Health requires certain colleagues to be fully vaccinated against COVID-19 (including any booster shots if required), where allowable under the law, unless they are approved for a reasonable accommodation based on disability, medical condition, religious belief, or other legally recognized reasons that prevents them from being vaccinated. You are required to have received at least one COVID-19 shot prior to your first day of employment and to provide proof of your vaccination status or apply for a reasonable accommodation within the first 10 days of your employment. Please note that in some states and roles, you may be required to provide proof of full vaccination or an approved reasonable accommodation before you can begin to actively work.Preferred Qualifications- Certification(s) held include one or more of the following: GWAPT, GPEN, GXPN, OSWE, OSCP, or OSCE.- 2+ years providing technical penetration testing advice and feedback to other less experienced penetration testers. - 2+ years of experience using AttackForge.- 3+ years of professional application development experience.- Familiarity with the Secure SDLC- Understanding of web technologies and programming languages such as , Java, and JavaScript.- Experience with Burp Suite and one or more security testing products.- Understanding of the entire taxonomy of web application security vulnerabilities, and experience with exploitation of web application vulnerabilities.- Demonstrated experience executing on a task while also improving the process for executing that task.- Background demonstrates an evolving information technology skillset with an interest in penetration testing and information security.- Understanding of and experience with many types of vulnerabilities such as those in Industrial Control Systems (ICS) and Internet of Things (IoT).- Firmware assessment/hacking/testing experience is a plus.- Participation in Capture the Flags (CTFs) and/or Bug Bounties.- Participation in open source projects as well as publication of Common Vulnerabilities and Exposures (CVEs), security advisories, and exploits (Custom testing tools or scripts receives special consideration.)- Proven experience driving implementation of a tool or process.- Experience working with teams in large complex environments.- Willing to change, willing to be flexible, and ready to adapt (new roles, responsibilities, methodologies, procedures, etc.) as needed given the dynamic state of information/application security.EducationBachelor's Degree or equivalent experience.Business OverviewBring your heart to CVS HealthEvery one of us at CVS Health shares a single, clear purpose: Bringing our heart to every moment of your health. This purpose guides our commitment to deliver enhanced human-centric health care for a rapidly changing world. Anchored in our brand - with heart at its center - our purpose sends a personal message that how we deliver our services is just as important as what we deliver.Our Heart At Work Behaviors support this purpose. We want everyone who works at CVS Health to feel empowered by the role they play in transforming our culture and accelerating our ability to innovate and deliver solutions to make health care more personal, convenient and affordable. We strive to promote and sustain a culture of diversity, inclusion and belonging every day. CVS Health is an affirmative action employer, and is an equal opportunity employer, as are the physician-owned businesses for which CVS Health provides management services. We do not discriminate in recruiting, hiring, promotion, or any other personnel action based on race, ethnicity, color, national origin, sex/gender, sexual orientation, gender identity or expression, religion, age, disability, protected veteran status, or any other characteristic protected by applicable federal, state, or local law.

Created: 2025-11-15