Do you enjoy attacking networks? Do you enjoy sifting through large amounts of attack surface, crafting novel attack chains to breach a client’s perimeter, gaining initial access, laterally moving, and demonstrating impact, all while evading security teams and their controls? As a penetration tester on the Global Services team at Rapid7, you will help our clients improve their security posture through your technical skills and knowledge of both offensive and defense strategies.
About the Team
Vector Command is an always-on Red Team operation supporting multiple customers. As part of a specialized team, you will emulate real adversaries by performing large-scale reconnaissance, identifying exposed or high-value assets, and discovering weaknesses that can be leveraged for compromise. After gaining access, the team continues with post-compromise objectives to demonstrate real impact, evade detection, and assess the effectiveness of security controls. This service evaluates far more than vulnerabilities—it tests the customer’s entire security posture and defense-in-depth strategy.
In addition to offensive operations, you will support customers through external attack surface analysis, exposure reconnaissance, integration of accounts and tools, preparation of monthly Red Team reports, and prioritization of customer requests. Daily collaboration with Vector Command operators is essential, as is maintaining awareness of new vulnerabilities, shifts in customer attack surfaces, and changes across customer environments.
About the Role
Your primary responsibility is to deliver Rapid7’s Vector Command Continuous Red Teaming service. In this role, you will design social engineering campaigns which function at scale, supporting numerous customers each month, emulating modern adversary TTPs. These campaigns focus on initial access, not click rates, and are often combined with external vulnerabilities or misconfigurations to demonstrate real-world impact. Specifically, your focus will be to:
Deploy, configure, and maintain social engineering infrastructure to perform phishing operations at scale.
Perform manual and automated reconnaissance at scale to identify targets for social engineering operations each month.
Leverage external network vulnerabilities reported by Vector Command team members in targeted real-world social engineering attacks (incorporate subdomain takeovers, cross-site scripting, etc. into campaigns).
Research the latest techniques in social engineering and implement them in monthly campaigns.
Research and test methods to bypass social engineering defenses such as email filters, download restrictions, multi-factor authentication mechanisms, etc. Be an expert in sending phishing emails which make it to the client’s inbox.
Design and execute vishing campaigns.
Incorporate payloads provided by the Red Team lead into phishing and vishing operations.
Upon successful credential breach or payload execution, evaluate the impact and coordinate with Vector Command team members for post-compromise breach simulation.
Collaborate closely with a team of Red Team operators, participating in daily meetings to establish attack objectives and operational direction.
Develop and maintain positive relationships with clients and understand their business and needs.
Create additional value for clients through continual insights and consultative advice based on experience with the client, their industry, established standards and leading practices
The skills and qualities you’ll bring include:
5+ years in an active technical security role
Strong knowledge of the following:
Advanced Social engineering techniques and tactics
Infrastructure management and deployment (domain records, web servers, terraform, ansible, phishing website creation).
Modern penetration testing tools and methods
Network, wireless and web application security concepts
Experience using interpreted languages (Ruby, Python, PHP, etc.)
Knowledge of common regulatory structures and obligations and common I.T. governance.
Bug Bounty experience, identifying novel vulnerabilities in arbitrary internet-facing attack surfaces
Certifications such as OSCP, OSCE, GXPN, OSEE, CREST
Experience with Red & Purple Teams
Excellent communication skills both with internal and external stakeholders
Collaborative mindset, contributing to knowledge sharing and cross training
Demonstrate a commitment to the "end-to-end" testing process, from the initial pre-engagement planning to providing accountable support during the final remediation phase.
Core Value Embodiment: Embody our core values to foster a culture of excellence that drives meaningful impact and collective success.
We know that the best ideas and solutions come from multi-dimensional teams. That’s because these teams reflect a variety of backgrounds and professional experiences. If you are excited about this role and feel your experience can make an impact, please don’t be shy - apply today.
#LI-PB1
Applications processed via employer's online application form
