
Pentest/Retest Operator

CallTek · Remote, Philippines, PH · 27 days ago

The Pentest / Retest Operator supports the Team by executing approved penetration testing activities, validating remediation efforts, and producing clear technical evidence for IT, GRC, and audit stakeholders. The role operates under the supervision of the Team Manager and must follow defined Rules of Engagement, approved scopes, and internal evidence standards. The role is intended to increase execution capacity without transferring ownership of risk acceptance, final report approval, or security architecture decisions.

Key Responsibilities

Standard Pentesting Execution

Execute approved penetration testing activities for internal, external, web, API, and infrastructure scopes.

Perform reconnaissance, enumeration, vulnerability validation, and controlled exploitation only within approved scope.

Support BPO pentest activities by validating business-impacting vulnerabilities and documenting reproducible attack paths.

Identify technical weaknesses related to misconfigurations, insecure services, access control flaws, exposed systems, weak authentication, and insecure application behavior.

Remediation Validation (Re-testing)

Re-execute original proof-of-concept steps after IT confirms remediation.

Validate whether vulnerabilities are fully mitigated, partially mitigated, or still exploitable.

Produce retest evidence, including commands, screenshots, logs, timestamps, affected assets, and validation results.

Escalate failed remediation cases with clear technical detail and remediation guidance.

Segmentation and Network Control Validation

Execute approved segmentation test cases using predefined source/destination matrices.

Validate whether unauthorized routes exist between non-critical networks and sensitive or regulated environments.

Collect evidence of allowed, blocked, filtered, or unexpected network paths.

Avoid unsupervised intrusive testing against production systems.

Web, API, and Application Security Testing

Validate OWASP Top 10 and API security risks, including broken access control, authentication flaws, IDOR/BOLA, injection risks, insecure session handling, and sensitive data exposure.

Use approved tooling such as Burp Suite, Postman, Nmap, browser developer tools, and controlled scripting.

Document findings in a format suitable for developers, IT operations, GRC, and auditors.

URL, Software, and Gold Image Validation Support

Support technical validation of URLs, applications, executables, and client-requested software.

Review TLS configuration, reputation, exposed services, headers, authentication requirements, and business justification.

Support Gold Image validation by checking security controls, agent presence, hardening alignment, GPO compliance, and allow-list requirements.

Submit all validation results to the Purple Team Manager for final approval.

Evidence and Reporting

Prepare professional finding documentation with description, impact, affected assets, evidence, reproduction steps, CVSS scoring support, and remediation recommendations.

Maintain evidence in the approved corporate repository only.

Ensure all commands and proof-of-concept steps are reproducible and clearly documented.

Support final report preparation, but do not approve or issue final reports independently.

Documentation and Playbook Support

Contribute to offensive testing playbooks, retest procedures, segmentation validation checklists, and evidence standards.

Document lessons learned and repeatable procedures for handover to the internal team.

Requirements

Bachelor's degree in Computer Science, Information Security, or related field.

Practical experience in network, web, API, and infrastructure penetration testing.

Strong knowledge of Nmap, Burp Suite, Postman, Wireshark/tcpdump, Netcat, Linux, Windows, and basic Active Directory concepts.

Understanding of CVSS v3.1, vulnerability validation, false positive analysis, and remediation verification.

Ability to write clear technical evidence and professional remediation guidance.

Familiarity with PCI DSS, ISO 27001, SOC2, or audit-driven security evidence is preferred.

Preferred certifications: eJPT, PNPT, CompTIA PenTest+, CEH Practical, Burp Suite Practitioner, or equivalent practical experience.


CallTek is a leading provider of comprehensive back-office support services, empowering businesses to thrive in today's dynamic market. With over 20 years of experience and a global workforce of 8,000 professionals, we specialize in offering tailored solutions that drive efficiency, innovation, and growth.

Headquarters

Remote, Philippines

Work Location

remote

Job Category

Operations Management

Application Deadline

Not specified

Job Type

full-time

Experience Level

Not specified

Application Method

Apply via Website

Salary

Not specified
