Back to jobs

Senior Penetration Tester

Sofia City, Bulgaria

Sofia Stars is a fast-growing global service provider that guides high-growth businesses to success. Our range of tailored solutions includes R&D, Customer Support, Sales, KYC, Risk, and Anti-Fraud services. We make every connection shine with fresh tech and cultural understanding.

We invite a Senior Penetration Tester to join our team. 

Main Responsibilities: 
✔️ Lead end-to-end penetration testing engagements across web applications, APIs, mobile, internal and external networks and cloud (primarily AWS).
✔️ Run red-team and assumed-breach operations - initial access, privilege escalation, lateral movement, persistence, exfiltration - including against fraud and detection stacks.  ✔️ Perform security reviews of cloud-native services, Kubernetes workloads, CI/CD pipelines, and microservices.
✔️ Discover and exploit vulnerabilities across real-money flows - payments, deposits and withdrawals, wallets, KYC / AML, bonus systems, and affiliate tracking.
✔️ Partner with product, engineering, AppSec, payments, and fraud teams to translate findings into concrete fixes and durable controls.
✔️ Develop custom tooling, scripts, and methodology where no out-of-the-box approach exists.
✔️ Build and validate declarative threat models and contribute to "secure by design" practice.
✔️ Mentor mid and junior testers, review their engagement plans and reports.
✔️ Track new CVEs, TTPs, MITRE ATT&CK updates, and regulator advisories - translate them into concrete changes here.
✔️ Support pre-sales scoping, effort estimation, and pre-certification engagements for new products and jurisdictions.
✔️ Serve as a trusted offensive-security advisor to product, engineering, and compliance teams. 

Role Requirements:
✔️ Minimum 4 years of hands-on penetration testing or offensive-security experience.
✔️ Proven track record across at least three of: web / API, internal, external network, cloud (AWS / GCP), mobile (iOS / Android).
✔️ OSCP or an equivalent in-the-box certification.
✔️ Strong working knowledge of SAST/SCA/DAST tooling, AWS/GCP, MITRE ATT&CK, OWASP ASVS / WSTG, PTES.
✔️ Understanding of the data flow, MVC model.
✔️ Understanding of supply chain attacks.
✔️ Good reporting skills.
✔️ Comfortable scripting in Python plus Bash.
✔️ Knowledge at least one of major cloud provider's IAM model.
✔️ Experience pentesting cloud-native systems and Kubernetes environments, plus the CI/CD pipelines around them (GitLab, GitHub Actions, Jenkins) and IaC (Terraform, Helm, CloudFormation).
✔️ Strong written and verbal communication in English.
✔️ Experience balancing security and business demands under release pressure.
✔️ Familiarity with industry regulations, frameworks, and practices: PCI DSS, ISO 27001, NIST, GDPR

PREFERRED QUALIFICATIONS: 
✔️ One of offensive-security certifications: OSWE, OSEP, OSED, CRTO, BSCP, ARTE, GRTE.
✔️ In-depth experience architecting secure services on Kubernetes and AWS.
✔️ Prior iGaming, fintech, or payments domain experience.
✔️ Public CVEs, advisories, write-ups, conference talks.
✔️ HTB Pro Lab completions, real CTF placements.
✔️ Open-source contributions to offensive or defensive tooling. 

Our Excellent Benefits:

  • Up to 25 vacation days
  • 6 undocumented sick leaves
  • Medical insurance and dental coverage
  • Sport card 70% coverage (Multisport and/or CoolFit)
  • Food vouchers (102 EUR)
  • Appreciation gifts (birthday, wedding, newborn, etc.)
  • Office massages
  • Breakfast, lunch & snacks in the office
  • Education budget 
  • Monthly team events
  • Great office location

Working Model:

 

Grow fast, shine globally!

By submitting your application, you agree to our Privacy Policy.

Create a Job Alert

Interested in building your career at Sofia Stars? Get future opportunities sent straight to your email.

Apply for this job

*

indicates a required field

Phone
Resume/CV*

Accepted file types: pdf, doc, docx, txt, rtf

Cover Letter

Accepted file types: pdf, doc, docx, txt, rtf


Select...
Select...
Select...
Select...
Select...
Select...