Penetration Tester

Company Description

Neo Prism Solutions LLC is dedicated to providing sophisticated IT and business solutions with a proactive, reliable, innovative, and sustainable approach. We focus on Business Intelligence & Data Warehousing, Database Management Systems, Application Packaging, and Virtualization. Our services are designed to meet evolving client needs, streamlining data processes and optimizing software deployment to enhance agility and scalability. Our commitment to excellence fosters a corporate culture prioritizing professional growth, making us a trusted partner in driving sustained success and innovation for our valued clients.

Role Description

This is a contract remote role for a Penetration Tester. The Penetration Tester will be responsible for identifying and addressing security vulnerabilities in client systems through reverse engineering, application security assessments, red teaming, and malware analysis. The candidate will work collaboratively with client teams to proactively improve cybersecurity measures and ensure infrastructure robustness.

2. Objectives

The primary goals of the penetration test are to:

·        Assess the security of _____________ from an external attacker's perspective.

·        Identify vulnerabilities, misconfigurations, and security weaknesses.

·        Evaluate the effectiveness of current security controls.

·        Provide actionable recommendations to mitigate identified risks.

·        Support compliance efforts related to information security standards (e.g., OWASP Top 10, ISO 27001, PCI-DSS, etc.).

3. Scope of Engagement

3.1 In-Scope Assets

·        Associated subdomains (if provided or discoverable)

·        Publicly accessible APIs tied to the above domain

·        Web-based interfaces accessible without internal network access

3.2 Out-of-Scope

·        Internal corporate systems not accessible through the public domain

·        Third-party services or integrations unless explicitly authorized

·        Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) testing

·        Social engineering (e.g., phishing, vishing) unless separately authorized

4. Testing Methodology

Testing will follow industry-standard methodologies, including but not limited to:

4.1 Reconnaissance

·        DNS enumeration and subdomain discovery

·        Service fingerprinting and banner grabbing

·        OSINT (Open Source Intelligence) gathering

4.2 Vulnerability Assessment

·        Automated scanning to identify common CVEs and misconfigurations

·        Manual verification of high-risk vulnerabilities

4.3 Exploitation (Non-destructive)

•       Safe exploitation techniques to validate risk

•       No disruption or data exfiltration unless explicitly authorized

4.4 Post-Exploitation & Privilege Escalation

•       Identify lateral movement opportunities within the web application

•       Session hijacking, privilege escalation, and impersonation checks

4.5 OWASP Top 10 Coverage

Testing will include, but is not limited to:

•       Injection flaws (e.g., SQL, NoSQL, OS)

•       Broken authentication/session management

•       Sensitive data exposure

•       XML External Entities (XXE)

•       Broken access controls

•       Security misconfigurations

•       Cross-Site Scripting (XSS)

•       Insecure deserialization

•       Insufficient logging and monitoring

)

5. Deliverables

Upon completion of the engagement, the following deliverables will be provided:

5.1 Executive Summary

•       High-level overview for business stakeholders

•       Risk ratings and business impact of findings

5.2 Technical Report

•       Detailed list of identified vulnerabilities

•       Screenshots, payloads, and technical evidence

•       CVSS scores and risk rankings

•       Affected assets and reproduction steps

5.3 Remediation Recommendations

•       Detailed mitigation and remediation guidance

•       Prioritized recommendations based on risk and impact

5.4 Re-Test Report (Optional)

•       Confirmation of remediation actions (if included in scope)

6. Timeline

Activity Duration

Planning & Access Setup             1-2 business days

Testing Phase                                  5 business days

Reporting & Review                      5 business days

Optional Re-test                            As agreed upon

7. Roles and Responsibilities

Client Responsibilities

•       Provide written authorization for testing

•       Make available any credentials or API keys (for gray/white-box testing)

•       Identify business hours and blackout periods

•       Coordinate with internal stakeholders

Testing Team Responsibilities

•       Conduct tests within agreed scope and timeframes

•       Minimize impact to production systems

•       Maintain confidentiality of all data accessed during testing

•       Report findings promptly if critical/high-risk vulnerabilities are discovered