Senior Penetration Engineer - Red Team

HC2: Red Team Penetration Testing Senior Engineer (Start in April Required) Job Description Responsibilities: 1. Security Testing a. Security offense and defense, establish a security offense and defense system, define offense and defense methods, scope, cycle, etc., establish a dual verification mechanism for internal offense and defense testing and external offense and defense validation, follow up on the implementation of offense and defense results, defects, and vulnerability improvements, and create process documentation and result reports; b. Vulnerability scanning/penetration testing, follow up on internal periodic and on-demand vulnerability scanning and penetration testing plans, conduct vulnerability scanning and penetration testing on networks, applications, data, office environments, etc., identify weaknesses and vulnerabilities, follow up on the corresponding unit's vulnerability remediation, and create process documentation and result reports; c. Social engineering, plan and execute social engineering penetration testing drills and attacks through various channels such as email, SMS, WhatsApp, offline, etc., to test and validate security awareness and personnel security levels; d. Vulnerability program, establish and follow up on external vulnerability reward programs as needed, based on significant version changes or new product launches, leverage external resources to discover weaknesses and follow up on vulnerability remediation, and create process documentation and result reports; 2. Security Incident Response & Analysis & Sharing a. Regularly summarize and analyze major internal security incidents, announcements, and follow up on the implementation of measures (if any); b. Regularly analyze and share external security incidents, learn and practice. Requirements: 1. Full-time undergraduate degree from a recognized institution, with over 3 years of penetration testing or vulnerability discovery experience, and good communication skills; 2. Proficient in various penetration testing tools with an in-depth understanding of their principles (not limited to Burpsuite, MSF, CobaltStrike, etc. for internal network penetration and privilege escalation tools); 3. Familiar with penetration testing (OWASP top 10 vulnerabilities), common components (big data components, middleware, Zabbix, Elasticsearch, etc.), and other publicly known application vulnerabilities; 4. Proficient in at least one programming language, with no restrictions on the operating language; C/C++, Golang, Python, Java are all acceptable; 5. Understanding of the Web3 industry, familiarity with Solidity language, and knowledge of common vulnerabilities in smart contract testing and validation; 6. Ability to think about offense and defense issues from the perspective of a defender or operations personnel, with a deeper understanding of post-exploitation being a plus. Preferred Qualifications: 1. Experience in penetrating financial or online transaction systems (Web and App targets); 2. Familiarity with or experience in Web3 Smart Contract penetration testing; 3. Experience in CTF competitions or network offense and defense competitions, with good rankings preferred; 4. Published high-quality technical articles on well-known information security sites.