R-023HumanTrust & SafetyP0 · CriticalUnfilled

Penetration Test Lead

Owns the offensive security programme — red-team exercises, external pentest cycles, and vulnerability disclosure.

Live Ops

Due-diligence relevance

Strategic acquirers' security teams will read the last 12 months of pentest reports and remediation logs. Outstanding 'critical' findings with no closed dates is a deal-protective gap — they will require remediation before close.

Responsibilities

Run quarterly external pentest cycles
Triage and resolve findings against an internal SLA
Coordinate with PSIRT on disclosed vulnerabilities
Maintain the responsible-disclosure programme
Own the red-team / blue-team exercise calendar

Inputs

· Threat model
· Architecture
· Disclosure submissions

Outputs

· Pentest reports
· Remediation tickets
· Disclosure responses

Qualifications

OSCP / OSCE or equivalent
Mature pentest leadership
Strong written reporting

KPIs

Critical findings closed within SLAMean time to remediate

Interfaces

R-036CISO R-097PSIRT Lead