OVERVIEW: Are you looking for an ambitious new work environment to test & enhance your skills? Have you ever wanted to work for a company where you felt like part of a family? Wouldn’t it be great if your achievements were recognized personally by one of the owners of the company? Imagine how much you could grow if the company you worked for had in-house mentors who really cared about your goals. When you join the phia Phamily, this is what you’ll encounter!
phia, LLC is hiring a skilled full time W2 and 1099 Red Teamers/Penetration Testers to join our team of qualified, diverse individuals in support of the Department of Homeland Security's (DHS) National Cybersecurity Assessments and Technical Services (NCATS) program providing vulnerability assessments, development of assessment methodologies, and technical program advisement.
Join our team and take advantage of a unique opportunity to conduct assessments across the federal government, state and local governments, as well as, critical infrastructure and private companies. The assessment length can vary, based on the number and type of services requested, but a typical assessment will take place over a two-week period. The first week being conducted in a lab based in Northern Virginia, and the second week at the customer's location, internal to their network.
- Conduct vulnerability/pentesting assessments using approved tools and following an approved methodology, scope, and rules of engagement.
- Identify security vulnerabilities that could allow an attacker to compromise client information or systems.
- Perform assessments of systems and networks within the enterprise and identifies where those systems/networks deviate from acceptable configurations, enclave policy, or local policy.
- Measure effectiveness of defense-in-depth architecture against known vulnerabilities and attack techniques.
- Conduct and/or support authorized penetration testing on enterprise network assets with a focus on application security.
- Define procedures for penetration testing assessment for servers, endpoints, network appliances, and applications.
- Perform application security assessments of key business services and provide written reports on the security posture of those systems.
- Collaborate with DHS and assessed organizations to identify and defend against common attack vectors.
- Prepare audit reports that identify technical and procedural findings, and provide recommended remediation strategies/solutions.
- Advise government and assessed organization’s leadership on Plans of Action and Milestones (POA&Ms) for vulnerability remediation.
- 3-5 years of experience in diverse experience in cyber security vulnerability assessments with a focus on application security assessments, or equivalent combination of education and work experience.
- Ethical hacking experience including experience in Information Security, application vulnerability testing, code-level security auditing, and secure code reviews.
- Demonstrate leadership ability.
- Working knowledge of various operating systems, tools, and scripting languages such as: *NIX, Windows, Kali Linux, Cobalt Strike, Metasploit, Nmap, Nessus, EyeWitness, WireShark, Powershell, Python, etc.
- Bachelor’s Degree in a technical specialty such as cyber security, computer science, management information systems or related IT field - relevant work and educational experience may be substituted for degree.
- Certifications: (One or more required) OSCE, OSCP, GPEN or equivalent Red Team certs
- CISSP and CEH are a bonus, but not required
DESIRED KNOWLEDGE, SKILLS AND ABILITIES:
- Colbalt Strike, Immunity Canvas, Core Impact and similar GOTS/COTS platform
- system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- laws, regulations, policies, and ethics as they relate to penetration testing.
- ethical hacking principles and techniques.
- risk management processes (e.g., methods for assessing and mitigating risk).
- Application Security Risks (e.g. Open Web Application Security Project Top 10 list)
- different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).
- cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored).
- cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
- network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
- network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML).
- programming language structures and logic.
- conducting application vulnerability assessments.
- mimicking threat behaviors.
- the use of penetration testing tools and techniques.
- the use of social engineering techniques. (e.g., phishing, baiting, tailgating, etc.).
- using network analysis tools to identify vulnerabilities. (e.g., fuzzing, nmap, etc.).
- performing impact/risk assessments.
- develop insights about the context of an organization’s threat environment.
- identify systemic security issues based on the analysis of vulnerability and configuration data.
- apply programming language structures (e.g., source code review) and logic.
- share meaningful insights about the context of an organization’s threat environment that improve its risk management posture.
- develop or modify exploits based on vulnerability reports
WORK SCHEDULE: Typically Core hours
TRAVEL: Up to 50%; one week from local lab environment within Northern Virginia and one week at assessment organization onsite (typically CONUS)
TELEWORK ELIGIBILITY: N/A
SECURITY REQUIREMENTS: Secret+ and DHS EOD eligible
phia, LLC is a Northern Virginia based, 8a certified small business that was established in 2011. We focus on the full spectrum of disciplines within the cyber, intelligence, and technology arenas.
We support mission-critical teams within various agencies and offices within the Federal government, including Civilian, Defense, Law Enforcement and Intel. We like to describe phia as truly by technical people and for technical people. phia’s founders wanted to create an employee-centered culture, where we care about the people as much as the mission.
Our goal is to continue to hire talented and passionate team members, who desire to grow their skillsets as well as the reputation of the company with our partners, clients and stakeholders. With this goal in mind, we invite you to apply for positions, even if you don't meet the desired years of experience listed in our position descriptions. We are more interested in intellectually curious individuals with the ability to work autonomously and with teams. If your experience does not match our exact requirements of a position but you are otherwise an awesome candidate, we will work hard to find a position that suits you.
Our company culture is unique; we consider everyone on the team a part of the “phia phamily”. We make great efforts to foster cohesiveness through one-on-one interactions, professional mentoring, and group outings. In short, our leadership team is personally invested in each employee. phia offers a rewarding environment with talented & passionate people.
phia offers excellent benefits for full time W2 candidates to enhance the work-life balance, these include the following:
- Medical Insurance
- Dental Insurance
- Vision Insurance
- Life Insurance
- Short Term & Long-Term Disability
- 401k Retirement Savings Plan with Company Match
- Paid Holidays
- Paid Time Off (PTO)
- Tuition and Professional Development Assistance
- Flex Spending Accounts (FSA)
- Parking Reimbursement
- Monthly Payroll