P&G

Senior Offensive Security Engineer, Penetration Testing

No salary information
Senior · Full-time · Employment contract (Umowa o pracę)
#374256 · Added today
Source: P&G

Tech Stack / Keywords

Security, Testing, Go, Cloud, Networks, IoT, AI, LLM

Company and position

Procter & Gamble is a global company producing recognized brands and operating in approximately 70 countries worldwide. The Information Security Protect organization focuses on simulating threat actor behaviors to improve security controls across the enterprise.

Requirements

  • Bachelor’s degree or equivalent in Information Security, Cybersecurity, Computer Science, or related field, or 7+ years of relevant experience.
  • 5+ years of experience in penetration testing, offensive security, adversary simulation, application security testing, or security research in complex environments.
  • Ability to lead complex penetration tests, manage ambiguity, make sound technical decisions, guide testers, and serve as escalation point.
  • Experience identifying, exploiting, and chaining weaknesses across 3+ domains such as web apps, APIs, mobile, cloud, enterprise apps, databases, networks, servers, IoT, identity platforms, or AI-enabled systems.
  • Strong ability to automate offensive security tasks and build tooling using languages like Python, PowerShell, Go, C#, JavaScript, C/C++, Assembly, or similar.
  • Advanced Linux command-line experience and familiarity with Windows, enterprise environments, and administrative tooling.
  • Hands-on experience with at least one major cloud provider (GCP, AWS, Azure) including attack paths, misconfigurations, identity models, and cloud-native services.
  • Ability to read and reason about source code across multiple languages to identify security flaws and exploitability.
  • Proven ability to test or bypass preventative and detective controls safely within approved scope and rules.
  • Experience creating automation, tools, or AI-enabled workflows adopted by others to improve offensive security effectiveness.
  • Familiarity with security risks in AI-enabled technologies including prompt injection, insecure agent/tool execution, data exposure, model misuse, authorization bypass, and AI abuse cases.
  • Strong written and verbal communication skills for briefing technical teams, security teams, and leadership.

Nice to have:

  • Offensive security certifications such as OSCP, OSWE, OSEP, OSCE, GXPN, GPEN, GWAPT.
  • Public tools, research, conference talks, blog posts, CVEs, open-source contributions.
  • Experience developing AI-assisted security tools, agentic workflows, vulnerability triage systems, exploit helpers, report-generation pipelines.
  • Experience testing AI applications, LLM-based systems, AI agents, RAG systems, model integrations, AI-enabled workflows.
  • Experience with mobile, IoT, embedded systems, firmware, reverse engineering, radio-frequency testing, hardware exploitation.
  • Experience with cloud and identity attack paths involving SSO, MFA, OAuth, service principals, IAM, secrets exposure, conditional access, PAM, privilege escalation.
  • Experience collaborating with DFIR, SOC, Detection Engineering, Application Security, Cloud Security, Product Security, Vulnerability Management teams.
  • Experience building penetration testing methodologies, reporting standards, reusable playbooks, tooling, metrics, remediation validation, team knowledge bases.

Responsibilities

  • Lead complex, ambiguous, high-risk, or multi-domain penetration tests across applications, APIs, infrastructure, cloud, identity, networks, IoT, mobile, and enterprise environments.
  • Partner with Intake Management and stakeholders to validate objectives, challenge technical assumptions, identify engagement risks, and shape the testing approach.
  • Own technical execution strategy for complex engagements, including attack path development, safe exploitation, evidence standards, peer review, reporting quality, and remediation validation.
  • Identify, exploit, and chain vulnerabilities across systems and domains to demonstrate realistic business impact and remediation priority.
  • Design and execute control validation paths, including testing or bypassing preventative and detective controls, and document gaps to support remediation and defensive improvement.
  • Serve as the technical escalation point for complex, novel, high-impact, or ambiguous findings from penetration tests, VDP, and Bug Bounty submissions.
  • Review complex findings and reports from other testers to ensure technical accuracy, impact clarity, evidence quality, and remediation usefulness.
  • Work with engineering, product, cloud, infrastructure, and security teams to translate findings into practical remediation and risk reduction.
  • Partner with Cyber Defense Protect, Detect, and Respond teams to operationalize findings and improve defensive controls.
  • Design, build, and govern internal tools, automation, and AI-assisted workflows to improve team scale, consistency, coverage, triage, exploitation support, reporting, and remediation validation.
  • Lead security testing of AI-enabled applications, LLM systems, AI agents, RAG pipelines, model integrations, tool/plugin execution, and AI-specific abuse paths.
  • Produce executive-ready risk narratives and high-quality technical reports tied to business impact, exploitability, and remediation priority.
  • Mentor junior testers, provide peer review, and raise standards for methodology, exploit quality, documentation, safety, and communication.
  • Drive team maturity through methodology standardization, reusable playbooks, technical review practices, tooling, metrics, knowledge sharing, and process improvement.

Benefits

  • P&G-sized projects and access to world-leading IT partners and technologies from Day 1.
  • Wide range of self-development possibilities including training and certification paths.
  • Competitive starting salary and benefits program including private health care, P&G stock, saving plans, and sport cards.
  • Regular salary increases and possible promotions based on results and performance.
  • Opportunity to change role every few years to align with personal and company goals.
Health care
Sports card
Employee shares

Other information

Employment is extended exclusively on the basis of an "Umowa o Pracę" (Full-time Employment Contract). Apply only if you agree to these conditions. The position is based in Warsaw, Poland, with a hybrid work model allowing two days of remote work per week.
