Internal Cybersecurity Penetration Tester

Job Description

The Information Security & BCM division, led by the Group Chief Information Security Officer (CISO) and part of the Chief Operating Officer (COO) organization, defines, leads, and coordinates information security efforts within EFG International and its global units. We are seeking a Cybersecurity Internal Penetration Tester to support the ICT risk management framework and ensure compliance with regulatory requirements (FINMA, DORA, and relevant financial sector regulations).

Tasks

The successful candidate will be responsible for conducting ongoing, internal offensive security assessments of the bank’s infrastructure, applications, and controls. Key responsibilities include:

• Planning, scope, and execution of internal penetration tests on core banking platforms and business applications, with a strong focus on services that support critical and key functions
• Development of test scenarios based on realistic banking threat models (fraud, data exfiltration, privilege escalation, lateral movement to critical systems, etc.)
• Conducting hands-on tests on internal networks, servers, endpoints, web applications, APIs, cloud workstations, Active Directory, and other core infrastructure systems
• Documentation of results in clear, risk-based reports that include evidence and actionable recommendations for both technical and non-technical audiences
• Work closely with infrastructure, development, DevOps, and risk teams to support recovery plans and post-incident testing, and ensure that critical findings are tracked and resolved as part of CIRT and governance processes
• Development and maintenance of internal testing methods, playbooks, and tools to support responsive and effective evaluations
• Collaborate with SOC or threat intelligence teams to improve threat detection and response
• Stay up to date on new threats, vulnerabilities, TTPs, etc., and incorporate them into internal testing

Requirements

The ideal candidate will have:

• A background in cybersecurity, computer science, or a related field
• 3–5 years of hands-on experience in penetration testing or red teaming, with a proven track record of working on internal networks, web applications, and APIs; a background in offensive security disciplines is a strong plus
• A solid understanding of network protocols, operating systems (Windows, Linux), web and cloud technologies; familiarity with core banking architectures is a plus
• Knowledge of common offensive tools and techniques (e.g., Burp Suite, Metasploit, Cobalt Strike-like frameworks, Kali-based tools) and the ability to perform manual testing beyond the scope of these tools
• Solid understanding of secure coding practices and common application vulnerabilities (e.g., OWASP Top 10) to assess web and API targets
• Professional certifications such as OSCP, GXPN, or similar offensive security certifications in good standing
• Strong communication skills and the ability to explain complex technical findings to both technical and non-technical audiences

We offer

A supportive