Penetration Tester/Red Teamer

Apply before:

March 2, 2025

You’ll be a core team member, with your workload split between CounterSOC (our continuous penetration testing service) and Snapshot (our take on traditional testing).

Trethtec is a startup, so it's all hands to the pumps at the moment. You’ll be brought on primarily for delivery and expected to deliver quality pentests from day 1. Backup and sanity checking are available, but you should already be a confident independent tester with ideas of your own.

Documentation, building scripts and services, writing reports and advisories, and all the other trimmings you would expect are also a feature of the role.

The services are heavily consultative and collaborative, so you can expect lots of Teams calls and regular contact with the clients.

This is not a high-volume testing gig, nor is it a pure red team. Engagements are geared towards giving the client confidence that they can detect and respond to a real attack.

Looking for unicorns

Trethtec is looking to hire consultants with both excellent technical skills and soft skills. We need people with a client-focused mindset: you’ll be comfortable on calls with technical and non-technical clients, discussing different approaches to deliver the best possible engagements.

Fundamentally this is a pentesting role and you will use all the same skills you’ve been honing in your time as a tester or red teamer. However, the focus may be slightly different to what you’re used to. We’re looking for testers with a highly adversarial mindset who are able to creatively apply their skills to achieve the maximum impact. 

The number one technical skill we need is the ability to learn stuff rapidly. Never done phishing before? OK – have a week, go forth, learn and document.

Skills we’re looking for. You do not need all of these, but we do expect you to be able to pick them up; skills marked with a (*) are mandatory:

• Infrastructure testing (external and internal).*

• Web and API testing.*

• Personable - we’re not looking for a silver tongue or full-on extroversion, but a certain amount of people skills will really help; you’re a consultant after all.*

• Language skills - excellent spoken and written English language skills are a must.*

• Evasion and bypass - sneaking past AV, IPS and EDR is a super important part of the skillset, and will be something you’ll need to look into if you aren’t already a pro.

• C2 Operation - while we’re not a pure red team, we heavily leverage a lot of red team TTPs.

• OSINT - at Trethtec, we work with the client to select the most impactful targets.

• DevOps skills - you don’t need to be writing assembly in your sleep, but some facility with code and deploying it to the cloud is going to be extremely handy, even if it's just Python or Bash.

• Social engineering – ideally, you’re not afraid to pick up the phone, send a phish or blag your way airside at an international airport.

• AI - ideally, you’ll already be a seasoned user of LLMs as we make extensive use of them.

Years of experience and background

At this stage we’re not looking for people who are completely fresh to testing; however, if you’re a fast mover and you’ve been in the industry for a couple of years, we’d love to speak to you. If you have many more years of experience, or experience in different disciplines, we want to speak to you too. Hardcore technical wizards are great, but if you’ve done some time in the SOC or GRC and have a charming client manner, we want to hear from you.

Certifications

Everyone has different backgrounds: if you have a degree, great; if you don’t have a degree, no worries. Certifications that inspire us with confidence are OSCP, OSEP, OSWE and CRTO. Maybe you’ve done a Sektor 7 course or Maldev Academy - all good and valid. The course or the certification is only as important as your skillset. If you have no certifications, no worries - but you will need to showcase some skills.

Training

We’ll pay for any courses or quals, as is standard; if you can make a good business case for it, we’ll sign it off. We want to develop disciplines and skill sets rather than badge collecting. However, if you have a specific course or interest you want to sink some time into, we will absolutely support you. Want to build out your CV and chase CREST quals? Knock yourself out; we’ll be happy to put you through those quals and back you up, but we won’t force you down a particular route either.

We’re massive fans of in-person training and conferences, so we will set aside a couple of weeks a year for you to develop your skills and stay on the cutting edge. There is no arbitrary training budget, so let us know what you want to do and we’ll take a look.

Location

This is a fully location-independent role; there is no office. For the most part we work UK business hours, with room for pragmatic flexibility. Wherever you are in the world, as long as you’re available, on task and have the internet connection to do the job, then we’re happy. That said, we do occasionally go on site. As our clients are largely UK based, the ability to head on site now and again is expected, but it is the exception, not the rule.

Hours

Full time at 37.5 hours a week. 

Remuneration

£50k to £80k per annum, subject to experience. We believe in transparency about pay, so let us know what you need and we can have a grown-up conversation about it. It's still early days, so benefits are limited, but those are coming down the pipe if you’re in it for the long haul.
