Senior Penetration Tester

Sofia Stars is a fast-growing global service provider that guides high-growth businesses to success. Our range of tailored solutions includes R&D, Customer Support, Sales, KYC, Risk, and Anti-Fraud services. We make every connection shine with fresh tech and cultural understanding. We invite a Senior Penetration Tester to join our team.

It's an office-based role – no remote or hybrid options.

✅ Responsibilities: ✔️ Lead end-to-end penetration testing engagements across web applications, APIs, mobile, internal and external networks and cloud (primarily AWS). ✔️ Run red-team and assumed-breach operations - initial access, privilege escalation, lateral movement, persistence, exfiltration - including against fraud and detection stacks. ✔️ Perform security reviews of cloud-native services, Kubernetes workloads, CI/CD pipelines, and microservices. ✔️ Discover and exploit vulnerabilities across real-money flows - payments, deposits and withdrawals, wallets, KYC / AML, bonus systems, and affiliate tracking. ✔️ Partner with product, engineering, AppSec, payments, and fraud teams to translate findings into concrete fixes and durable controls. ✔️ Develop custom tooling, scripts, and methodology where no out-of-the-box approach exists. ✔️ Build and validate declarative threat models and contribute to "secure by design" practice. ✔️ Mentor mid and junior testers, review their engagement plans and reports. ✔️ Track new CVEs, TTPs, MITRE ATT&CK updates, and regulator advisories - translate them into concrete changes here. ✔️ Support pre-sales scoping, effort estimation, and pre-certification engagements for new products and jurisdictions. ✔️ Serve as a trusted offensive-security advisor to product, engineering, and compliance teams.

✅ Requirements: ✔️ Minimum 4 years of hands-on penetration testing or offensive-security experience. ✔️ Proven track record across at least three of: web / API, internal, external network, cloud (AWS / GCP), mobile (iOS / Android). ✔️ OSCP or an equivalent in-the-box certification. ✔️ Strong working knowledge of SAST/SCA/DAST tooling, AWS/GCP, MITRE ATT&CK, OWASP ASVS / WSTG, PTES. ✔️ Understanding of the data flow, MVC model. ✔️ Understanding of supply chain attacks. ✔️ Good reporting skills. ✔️ Comfortable scripting in Python plus Bash. ✔️ Knowledge at least one of major cloud provider's IAM model. ✔️ Experience pentesting cloud-native systems and Kubernetes environments, plus the CI/CD pipelines around them (GitLab, GitHub Actions, Jenkins) and IaC (Terraform, Helm, CloudFormation). ✔️ Strong written and verbal communication in English. ✔️ Experience balancing security and business demands under release pressure. ✔️ Familiarity with industry regulations, frameworks, and practices: PCI DSS, ISO 27001, NIST, GDPR.

✅ PREFERRED QUALIFICATIONS: ✔️ One of offensive-security certifications: OSWE, OSEP, OSED, CRTO, BSCP, ARTE, GRTE. ✔️ In-depth experience architecting secure services on Kubernetes and AWS. ✔️ Prior iGaming, fintech, or payments domain experience. ✔️ Public CVEs, advisories, write-ups, conference talks. ✔️ HTB Pro Lab completions, real CTF placements. ✔️ Open-source contributions to offensive or defensive tooling.

✅ We offer excellent benefits, including but not limited to: 🏖️ Up to 25 vacation days; 🤒 6 Undocumented Sick Leave Days; 💷 Monthly food vouchers (102 EUR); 🏥 Private Medical Insurance; 🏋🏼 Multisport Card; 🎁 Birthday, Wedding and Newborn gifts; 🍔 Breakfast, Friday lunches, fruits, and snacks in the office; 🎭 Monthly company activities and team-building events; 🚀 Career growth opportunities.