Information Security Analyst l (PenTester)

Description

• Technical Security Assessment Support

• Assist senior engineers in conducting penetration tests across web applications, APIs, and network infrastructure by performing assigned test cases and documenting findings.
• Support vulnerability assessments using automated scanning tools (e.g., Nmap, vulnerability scanners) under supervision, and help verify results through basic manual checks.
• Participate in Red Team exercises as a supporting team member, learning adversary simulation methodologies and assisting in pre-agreed test scenarios.
• Help execute controlled offensive testing tasks (e.g., running scripts, setting up test environments, assisting with phishing simulations) as directed by senior staff.
• Assist in identifying, documenting, and tracking vulnerabilities throughout the assessment lifecycle.
• Support the development and maintenance of basic scripts and testing utilities to assist in offensive security activities.

2.Risk Documentation & Reporting

• Assist in analyzing and documenting assessment findings, including reproduction steps, evidence, and initial severity observations for review by senior engineers.
• Support the preparation of penetration test reports by compiling findings, screenshots, and tool outputs into structured report templates.
• Help track the status of identified vulnerabilities and remediation progress, maintaining accurate records in relevant tracking systems.
• Assist in validating patched vulnerabilities by re-testing affected systems following confirmed remediation, under senior guidance.

• Collaboration & Program Support

• Participate in Purple Team exercises as an observer and support role, gaining exposure to detection logic and incident response workflows.
• Provide basic log collection and organizational support to the incident response team during active security incidents, as directed.
• Assist in maintaining up-to-date documentation on offensive security tools, tactics, and methodologies used by the team.
• Support compliance testing efforts by executing pre-defined test cases to validate controls required by regulations (e.g., SAMA CSF, PCI-DSS).
• Actively engage in self-directed learning of offensive security TTPs, emerging vulnerabilities, and attack vectors to build technical depth.
• Assist in validating patched vulnerabilities by re-testing affected systems following confirmed remediation, under senior guidance.

3. Collaboration & Program Support

• Participate in Purple Team exercises as an observer and support role, gaining exposure to detection logic and incident response workflows.
• Provide basic log collection and organizational support to the incident response team during active security incidents, as directed.
• Assist in maintaining up-to-date documentation on offensive security tools, tactics, and methodologies used by the team.
• Support compliance testing efforts by executing pre-defined test cases to validate controls required by regulations (e.g., SAMA CSF, PCI-DSS).
• Actively engage in self-directed learning of offensive security TTPs, emerging vulnerabilities, and attack vectors to build technical depth.
• Assist in preparing technical examples and real-world findings for contribution to the security awareness program

Skills, Knowledge & Expertise

• Bachelor's degree in Information Technology, Computer Science, Software Engineering, Cybersecurity, or a related field.
• Basic understanding of common vulnerabilities and attack concepts (OWASP Top 10, CVEs, common misconfigurations).
• Foundational knowledge of networking protocols (TCP/IP, DNS, HTTP/S, FTP, SMB) and how they can be abused.
• Exposure to at least one security tool in any of the following categories: port scanners (Nmap), web proxies (Burp Suite Community), or vulnerability scanners.
• Basic proficiency in at least one scripting or programming language (Python, Bash, or PowerShell) for task automation.
• Fundamental understanding of operating system internals for both Windows and Linux environments.
• Awareness of the MITRE ATT&CK framework and how it maps adversary behaviors.
• Familiarity with cloud concepts (any provider — GCP, AWS, or Azure) is an advantage