Job offer

Internal Cybersecurity Penetration Tester

EFG International is seeking a Cybersecurity Internal Penetration Tester who will be responsible for conducting internal penetration tests on the bank’s infrastructure, applications, and controls. The successful candidate should have experience in penetration testing and offensive security and be able to communicate complex technical findings to both technical and non-technical audiences.

Job Description

The Information Security & BCM division, led by the Group Chief Information Security Officer (CISO) and part of the Chief Operating Officer (COO) organization, defines, leads, and coordinates information security efforts within EFG International and its global units. We are seeking a Cybersecurity Internal Penetration Tester to support the ICT risk management framework and ensure compliance with regulatory requirements (FINMA, DORA, and relevant financial sector regulations).

Tasks

The successful candidate will be responsible for conducting ongoing, internal offensive security assessments of the bank’s infrastructure, applications, and controls. Key responsibilities include:
  • Planning, scoping, and execution of internal penetration tests on core banking platforms and business applications, with a strong focus on services that support critical and key functions
  • Development of test scenarios based on realistic threat models for the banking sector (fraud, data exfiltration, privilege escalation, lateral movement to critical systems, etc.)
  • Conducting hands-on tests on internal networks, servers, endpoints, web applications, APIs, cloud environments, Active Directory, and other core infrastructure systems
  • Documentation of results in clear, risk-based reports that include evidence and actionable recommendations for both technical and non-technical audiences
  • Work closely with infrastructure, development, DevOps, and risk teams to support remediation plans and retesting, ensuring that critical findings are tracked and resolved within the CISO and governance processes
  • Development and maintenance of internal test methods, test cases, and tools to support repeatable and efficient evaluations
  • Collaborate with the SOC or incident response team to identify and improve detection and response capabilities
  • Stay up to date on new threats, vulnerabilities, TTPs, etc., and incorporate them into internal testing

Requirements

Requirements include:
  • Background in cybersecurity, computer science, or related fields
  • 3–5 years of hands-on experience in penetration testing or red teaming, with a proven track record of working on internal networks, web applications, and APIs; experience in offensive or defensive security is a strong plus
  • Strong understanding of network protocols, operating systems (Windows, Linux), web and cloud technologies; familiarity with core banking architectures is a plus
  • Proficiency with common offensive tools and techniques (e.g., Burp Suite, Metasploit, Cobalt Strike-like frameworks, Kali-based tools) and the ability to perform manual testing beyond the scope of these tools
  • Solid knowledge of secure coding practices and common application vulnerabilities (e.g., OWASP Top 10) for assessing web and API targets
  • Professional certifications such as OSCP, OSGP, or similar offensive security certifications in good standing
  • Strong communication skills and the ability to explain complex technical findings
