Senior Offensive Security Engineer, Penetration Testing

No salary information
Senior · Full-time · Employment contract (Umowa o pracę)
#374059 · Added today
Source: justjoin.it

Tech Stack / Keywords

OWASP, penetration testing, Security testing, BurpSuite Pro, Caido, OWASP ZAP

Company and position

Procter & Gamble is a global company producing a portfolio of trusted brands including Always®, Ariel®, Gillette®, Head & Shoulders®, Herbal Essences®, Oral-B®, Pampers®, Pantene®, and Tampax®. The company operates in approximately 70 countries worldwide and focuses on developing business leaders in the industry.

Requirements

  • Bachelor’s degree or equivalent Polish higher education qualification in Information Security, Cybersecurity, Computer Science, or related field, OR 7+ years of relevant experience.
  • 5+ years of experience in penetration testing, offensive security, adversary simulation, application security testing, or security research in complex environments.
  • Demonstrated ability to lead complex penetration tests, manage ambiguity, make sound technical decisions, guide other testers, and serve as an escalation point for high-risk findings.
  • Deep experience identifying, exploiting, and chaining weaknesses across 3 or more domains such as web applications, APIs, mobile applications, cloud infrastructure, enterprise applications, databases, networks, servers, IoT devices, identity platforms, directory services, or AI-enabled systems.
  • Strong ability to automate offensive security tasks and build tooling using languages such as Python, PowerShell, Go, C#, JavaScript, C/C++, Assembly, or similar.
  • Advanced Linux command-line experience and strong familiarity with Windows, enterprise environments, and common administrative tooling.
  • Hands-on experience with at least one major cloud provider such as GCP, AWS, or Azure, including attack paths, misconfigurations, identity models, and cloud-native services.
  • Ability to read, understand, and reason about source code across multiple languages to identify security flaws and determine exploitability.
  • Proven ability to test or bypass preventative and detective controls while operating safely within approved scope and rules of engagement.
  • Experience creating automation, tools, or AI-enabled workflows adopted by others to improve offensive security effectiveness, efficiency, coverage, or quality.
  • Familiarity with security risks in AI-enabled technologies, including prompt injection, insecure agent or tool execution, sensitive data exposure, model misuse, authorization bypass, and AI application abuse cases.
  • Strong written and verbal communication skills, with the ability to brief technical teams, security teams, and leadership.

Nice to have:

  • Offensive security certifications such as OSCP, OSWE, OSEP, OSCE, GXPN, GPEN, GWAPT, or similar.
  • Public tools, modules, research, conference talks, blog posts, CVEs, open-source contributions, or other meaningful technical contributions.
  • Experience developing AI-assisted security tools, agentic workflows, vulnerability triage systems, exploit helpers, report-generation pipelines, or other force-multiplying capabilities.
  • Experience testing AI applications, LLM-based systems, AI agents, RAG systems, model integrations, and AI-enabled business workflows.
  • Experience with mobile, IoT, embedded systems, firmware, reverse engineering, radio-frequency testing, or hardware exploitation.
  • Experience with cloud and identity attack paths involving SSO, MFA, OAuth, service principals, IAM, secrets exposure, conditional access, PAM, or privilege escalation.
  • Experience collaborating with DFIR, SOC, Detection Engineering, Application Security, Cloud Security, Product Security, and Vulnerability Management teams.
  • Experience building penetration testing methodologies, reporting standards, reusable playbooks, tooling, metrics, remediation validation processes, or team knowledge bases.

Responsibilities

  • Lead complex, ambiguous, high-risk, or multi-domain penetration tests across applications, APIs, infrastructure, cloud, identity, networks, IoT, mobile, and enterprise environments.
  • Partner with Intake Management and stakeholders to validate objectives, challenge technical assumptions, identify engagement risks, and shape the testing approach.
  • Own technical execution strategy for complex engagements, including attack path development, safe exploitation, evidence standards, peer review, reporting quality, and remediation validation.
  • Identify, exploit, and chain vulnerabilities across systems and domains to demonstrate realistic business impact and remediation priority.
  • Design and execute control validation paths, including testing or bypassing preventative and detective controls, and document gaps to support remediation and defensive improvement.
  • Serve as the technical escalation point for complex, novel, high-impact, or ambiguous findings from penetration tests, VDP, and Bug Bounty submissions.
  • Review complex findings and reports from other testers to ensure technical accuracy, impact clarity, evidence quality, and remediation usefulness.
  • Work with engineering, product, cloud, infrastructure, and security teams to translate findings into practical remediation and risk reduction.
  • Partner with Cyber Defense Protect, Detect, and Respond teams to operationalize findings and improve defensive controls.
  • Design, build, and govern internal tools, automation, and AI-assisted workflows to improve team scale, consistency, coverage, triage, exploitation support, reporting, and remediation validation.
  • Lead security testing of AI-enabled applications, LLM systems, AI agents, RAG pipelines, model integrations, tool/plugin execution, and AI-specific abuse paths.
  • Produce executive-ready risk narratives and high-quality technical reports tied to business impact, exploitability, and remediation priority.
  • Mentor junior testers, provide peer review, and raise standards for methodology, exploit quality, documentation, safety, and communication.
  • Drive team maturity through methodology standardization, reusable playbooks, technical review practices, tooling, metrics, knowledge sharing, and process improvement.

Benefits

  • P&G-sized projects and access to world-leading IT partners and technologies from Day 1.
  • Wide range of self-development possibilities including training and certification paths.
  • Competitive starting salary and benefits program including private health care, P&G stock, saving plans, and sport cards.
  • Regular salary increases and possible promotions based on results and performance.
  • Opportunity to change role every few years to align with personal and company needs.
  • Hybrid work model with option to work from home two days a week and office three days a week.
  • Health care
  • Sports card
  • Employee shares

Other information

Employment is exclusively extended on the basis of an "Umowa o Pracę" (Full-time Employment Contract). Apply only if you agree to these conditions.
