Senior Penetration Tester

Engineering & Technology Dublin, Ireland


Description

About Us:  
At Sitecore, our mission is to simplify how brands reach, engage, and serve people by delivering intelligent, personalized digital experiences that connect the world. We empower the world’s most iconic brands to build lifelong relationships with their customers—seamlessly, smartly, and at scale. 
 
As the leading provider of agentic digital experience software, Sitecore brings together content, commerce, and data into one composable platform that enables brands to deliver millions of meaningful, adaptive experiences every day. Trusted by global leaders such as American Express, Porsche, Starbucks, and L’Oréal, Sitecore helps brands transform engagement through experiences that are not only personalized but predictive and dynamic. 
 
Our foundation is our people—a diverse, passionate, and collaborative global team spanning over 25 countries. We believe that every experience matters, and that belief starts with how we work together.  Our values guide how we lead, innovate, and connect. They are the behaviors that bring our mission and vision to life, every day, in every interaction. 
 
As we continue to evolve, we are actively cultivating AI skills across our teams to unlock new levels of creativity, efficiency, and insight. From engineering to customer experience, AI capabilities are becoming integral to how we design, build, and deliver the next generation of digital experiences.
 
Learn more at Sitecore.com 
  
About the Role:  
As a Senior Penetration Tester (Web/API & Agentic/MCP), you will conduct authorized penetration testing across Sitecore’s SaaS platforms, APIs, and AI/agent‑driven services to identify and eliminate exploitable weaknesses prior to release. You will also act as a trusted security partner to engineering teams, advising on secure design, testing decisions, and risk remediation.
  
What You’ll Do:  
  • Perform authorized web application and API penetration testing on Sitecore products, focusing on auth/authz, business‑logic abuse, IDOR/BOLA, SSRF, XSS and other injection flaws, and the multi‑tenant isolation failures common in SaaS platforms
  • Conduct deep API security testing across REST/GraphQL, including OAuth 2.0 / OIDC flows, JWT handling, audience/scope validation, and permission‑model abuse
  • Execute agentic / MCP penetration testing, including tool‑abuse scenarios, prompt‑to‑action exploit chains, cross‑tool data exfiltration paths, and validation of agent workflows invoking internal services
  • Use Burp Suite as the primary manual testing tool for custom attack flows, protocol‑level manipulation, and WAF bypass where applicable
  • Apply white‑box or hybrid testing when needed by reviewing mainly C# / ASP.NET Core source code to identify untrusted data flows (sources → sinks) and then dynamically confirm exploitability through real request execution
  • Test cloud-native attack paths in containers / Pods / Kubernetes, including container escape / “escape to host” and cluster misconfiguration exploitation where relevant
  • Produce clear, actionable reports with PoCs, reproducible steps, impact assessment, and concrete remediation guidance, and support teams through fix validation and retesting

What You Need to Succeed: 
  • 3+ years of hands‑on penetration testing experience focused on web applications and APIs (not general security testing)
  • One or more offensive security certifications (e.g., OSCP, OSWE, CWEE, GWEB, GWAPT or equivalent) demonstrating practical exploitation skills
  • Strong proficiency with Burp Suite and modern web/API exploitation techniques
  • Ability to clearly communicate findings and coach engineering teams on secure fixes and prevention
  • Strong analytical mindset and ability to reason about realistic attack paths in cloud‑native, multi‑tenant systems

Additional Skills That Could Set You Apart:  
  • Demonstrated offensive track record (bug bounties, CVEs, published research/tools, or strong lab performance such as PortSwigger/HTB)
  • Scripting or coding skills for PoCs and automation (Python, C#, PowerShell, JavaScript)
  • Experience translating threat models into concrete abuse/attack scenarios and using them to uncover security gaps across components, data flows, and trust boundaries
  • Familiarity with CI/CD and engineering workflows (e.g., Azure DevOps) and Secure SDLC practices
  
Why Sitecore? 
At Sitecore, we offer a vibrant work culture, a collaborative environment, and the opportunity to work on products that shape digital experiences globally. We’re dedicated to fostering growth, innovation, and a commitment to our employees’ professional and personal development. Be part of a visionary, innovation-driven team shaping the next era of AI-powered content management in a leading composable DXP. 
  
Sitecore is proud to be an equal opportunity workplace. We are committed to equal employment opportunity without unlawful regard to race, color, ancestry, religion, gender, national origin, sexual orientation, age, citizenship, marital status, disability, veteran status or any other local legally protected characteristic. 
 