Senior Penetration Tester

Job Description

Overview

CoStar Group (NASDAQ: CSGP) is a leading global provider of commercial and residential real estate information analytics and online in the S&P 500 Index and the NASDAQ 100 CoStar Group is on a mission to digitize the worlds real estate empowering all people to discover properties insights and connections that improve their businesses and lives.

We have been living and breathing the world of real estate information and online marketplaces for over 35 years. This extensive experience gives us the perspective to create truly unique and valuable offerings to our continually refined transformed and perfected our approach to our business. Creating a language that has become standard in our industry for our customers and even our continue that effort today and are always working to improve and drive is how we deliver for our customers our employees and equipping the brightest minds with the best resources available we provide an invaluable edge in real estate.

Evolve our security pentesting capabilities to test our internal and external facing processes infrastructure and applications. This position will be tasked with developing test plans to validate identified vulnerabilities and demonstrate the exploitation of the vulnerabilities. The ability to explain the exploit to senior level management is key to success in this current with trends techniques and tools used by adversaries.

This position is located in Arlington VA and is in office Monday through Thursday with work from home on Friday.

Responsibilities

• Lead penetration tests on web applications and underlying infrastructure for vulnerabilities using both manual and automated techniques.
• Develop test plans that validate identified vulnerabilities and demonstrate exploitability to engineering teams security peers and senior leadership.
• Collaborate with detection engineering and incident response on purple team exercises validating that preventative and detective controls behave as expected against realistic adversary techniques.
• Grow the teams pentesting capabilities in infrastructure and cloud-native domains including CI/CD pipelines Active Directory AWS and Kubernetes.
• Recommend remediations that address root causes including code changes architectural improvements and control adjustments.
• Stay current with attacker tradecraft. Share knowledge with the broader security team and mentor engineers on offensive techniques and how to think like an attacker.

Basic Qualifications

• Bachelors Degree required from an accredited not for profit in person university or college (preferably in Computer Science Cybersecurity or related field).
• A track record of commitment to prior employers.
• 6 years of total experience in a technical role such as security software development or systems engineering with at least 3 years focused on penetration testing or offensive security.
• Demonstrated experience with web application and API penetration testing including identifying and exploiting attack chains across complex application logic authentication and authorization flows.
• Experience writing reports that clearly demonstrate vulnerability risk business impact and remediation paths to developers and senior leadership.
• Ability to perform secure code review and identify vulnerabilities in source code including authentication authorization injection and business logic flaws.
• Scripting and programming proficiency in Python PowerShell or similar with the ability to read and understand application code in languages like C# Java JavaScript or Go.
• Understanding of defense-in-depth principles and ability to recommend layered mitigations beyond fixing individual findings.
• Security certifications such as OSCP OSWE OSEP GPEN GXPN or similar.

Preferred Qualifications and Skills

• In-depth experience with offensive security tools such as Burp Suite OWASP ZAP Nmap Bloodhound and Metasploit.
• Familiarity with Active Directory exploitation tools and techniques.
• Familiarity with C2 frameworks such as Cobalt Strike Sliver or Mythic.
• Experience planning and executing red team and purple team scenarios.
• Experience with adversary emulation methodologies and frameworks (MITRE ATT&CK).
• Experience testing modern applications in cloud-native tech stacks.
• Experience with mobile application penetration testing.
• Familiarity with AI and LLM security testing including prompt injection indirect prompt injection agentic system risks and MCP server assessment.
• Hands-on experience implementing security tools into CI/CD pipelines.
• Working knowledge of network system and database administration concepts as they relate to attack surface analysis.
• Strong communication skills with both technical teams and senior leadership particularly translating technical exploits into business risk.
• Experience coordinating with application teams to drive security by design principles.
• Ability to mentor and train team members on offensive techniques and risk prioritization.
• A self-starter who follows ideas through to completion and drives offensive security work forward independently.

Whats in it for You

When you join CoStar Group youll experience a collaborative and innovative culture working alongside the best and brightest to empower our people and customers to succeed.

We offer you generous compensation and performance-based incentives. CoStar Group also invests in your professional and academic growth with internal training and tuition reimbursement.

Our benefits package includes (but is not limited to):

• Comprehensive healthcare coverage: Medical / Vision / Dental / Prescription Drug
• Life legal and supplementary insurance
• Virtual and in person mental health counseling services for individuals and family
• Commuter and parking benefits
• 401(K) retirement plan with matching contributions
• Employee stock purchase plan
• Paid time off
• Tuition reimbursement
• On-site fitness center and/or reimbursed fitness center membership costs (location dependent) with yoga studio Pelotons personal training group exercise classes
• Access to CoStar Groups Employee Resource Groups
• Complimentary gourmet coffee tea hot chocolate fresh fruit and other healthy snacks

We welcome all qualified candidates who are currently eligible to work full-time in the United States to please note that CoStar Group cannot provide visa sponsorship for this position.

#LI-KW1

CoStar Group is an Equal Employment Opportunity Employer; we maintain a drug-free workplace and perform pre-employment substance abuse testing