TPG Technology Ltd. is an Ottawa-based IT Professional Services firm, which has been providing quality solutions in the National Capital Region since 1985 to both Government and Private Sector clients with highly specialized resources.
We are currently looking for TWO Penetration Testers.
Security: Secret (Mandatory)
Language: English essential
Location: NCR Remote
Details:
Penetration testing: focused and scoped testing (web app, network, wireless, host, cloud, IoT, firewall, Linux and AI) to find and exploit vulnerabilities and produce remediation guidance in a formal report. The pen test service requires the pen tester to meet with the client to fully scope and assess the request; provide a level of effort (LoE) estimate, a detailed pen testing plan and rules of engagement, and a detailed summary of findings with mitigation suggestions; and outline critical and/or high vulnerabilities and exploits. Test and assess the attack surface. Provide remediation options to the client.
Red team: simulates a realistic, goal-oriented, multi-vector adversary (often long-running) to test people, processes, and technology across an organization; emphasis on stealth, persistence, and achieving strategic objectives (e.g., access to sensitive data, ability to stay undetected).
Familiar with known and current exploits and TTPs such as:
- golden ticket
- silver ticket
- the Enterprise CA Security Configuration (ESC) attack framework, e.g.:
  - ESC1: abuses misconfigured certificate templates to allow unauthorized certificate requests that grant attackers higher privileges
  - ESC4: takes advantage of key escrow configurations to enable attackers to retrieve private keys stored in the CA database, allowing them to decrypt sensitive communications and gain unauthorized access to encrypted data
- Kerberoasting
- pass the hash
- phishing
- C2 servers
- obfuscation
- AI usage (attack usage, mitigation and protection)
A more thorough task listing follows.
Pre-engagement / Scoping:
- Detailed test plan.
- Define objectives (what is in scope, success criteria).
- Rules of Engagement (RoE): allowed techniques (social engineering, DoS), work hours, notification channels, escalation, comms list.
- Legal sign-offs: authorization letters, contracts, NDAs.
- Asset inventory and priority list.
- Risk acceptance: what risk the client accepts during testing (e.g., crashing production systems).
- For red team: define high-value targets (Crown Jewels) and the adversary emulation profile (which threat actor to simulate).
Vulnerability discovery & scanning:
- Automated scans (e.g., Nessus, OpenVAS, Qualys) to find known issues.
- Manual verification of automated scan results to reduce false positives.
- Web app/API scanning (Burp Suite, ZAP) and source code review if available.
- Cloud configuration checks (IAM, S3 buckets, GCP/Azure misconfigurations).
- Developing PoC testing and exploitation tools and scripts in PowerShell, .NET or other scripting languages.
- Using Living off the Land (LotL) techniques to test and exploit systems.
- Potential testing against AI applications.
- Provide cross-training expertise to our FTE members in order to support future service expansion.
Evidence collection & documentation:
- Capture logs, screenshots, exploit code, PoC artifacts and packet captures.
- Time-stamped, reproducible steps for each vulnerability exploited.
Mandatory Requirements:
M1. A minimum of a three-year college diploma (computer science or other IT-related field); OR
a university degree at the Bachelor level in Information Technology or other IT-related field; OR
a minimum of 10 years (in the last 15 years) of work experience in the IT field.
M2. Must have Secret clearance.
Rated Requirements:
R1. The bidder should clearly demonstrate that the proposed resource has experience working in an Offensive Security capacity within the last 7 years in the areas of performing and reporting on penetration testing, red teaming and ethical hacking (including the various stages of a cyber attack along the cyber kill chain: reconnaissance, payload, C2, social engineering, phishing, coding, exploits and data collection).
R2. The bidder should clearly demonstrate, using project descriptions, that the proposed resource has experience within the last five (5) years preparing technical reports, including Offensive Security service documentation, pen testing and/or red team Concept of Operations (ConOps), and red team and/or penetration testing work plans and reports with recommendations for remediation.
R3. The bidder should possess hands-on work experience with at least three (3) of the following offensive security tools for 20% of the time over the past two years:
Tanium, PowerShell, Burp Suite, ZAP, Core Impact, Cobalt Strike, Metasploit, C2 frameworks, obfuscation tooling, Python-based tools, Wireshark, Nessus, Hashcat, Hydra, Shodan, BloodHound, MSFVenom, Recon-ng, Kali, etc.
R4. Two (2) points per completed graduate degree, diploma or certificate in a related information technology discipline, and/or three (3) points per valid certification, allocated for:
GIAC Security Essentials (GSEC);
GIAC Security Expert (GSE);
GIAC Web Application Penetration Tester (GWAPT);
GIAC Penetration Tester (GPEN);
GIAC Auditing Wireless Networks (GAWN);
GIAC Reverse Engineering Malware (GREM);
GIAC Cloud Security Automation (GCSA);
GIAC Certified Incident Handler (GCIH);
GIAC Continuous Monitoring Certification (GMON);
EC-Council Certified Ethical Hacker (CEH);
CompTIA Security+ or PenTest+;
Core Impact Certified Professional (CICP);
Certified Information Systems Security Professional (CISSP);
Certified Information System Security Officer (CISSO);
Certified in Risk and Information Systems Control (CRISC);
Certified Professional Penetration Tester (eCPPT);
Web Application Penetration Tester (eWPT);
Web Application Penetration Tester eXtreme (eWPTX);
Certified Cyber Forensics Professional (CCFP);
Systems Security Certified Practitioner (SSCP);
Information Systems Security Architecture Professional (ISSAP);
OffSec Certified Professional (OSCP);
Certified Cloud Security Professional (CCSP);
Microsoft Certified Azure Security Engineer Associate;
GIAC Certified Enterprise Defender (GCED);
CompTIA Cybersecurity Analyst (CySA+);
Offensive Security Wireless Professional (OSWP) certification administered by Offensive Security;
Information Systems Security Architecture Professional certification from ISC2;
Microsoft Certified: Security, Compliance and Identity Fundamentals certification;
Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK);
Cloud Security Alliance Certificate of Cloud Security Knowledge V4 (CCSK);
CompTIA CASP+;
CompTIA CySA+;
CompTIA Security+;
OPST (OSSTMM Professional Security Tester);
Certified Data Privacy Solutions Engineer (CDPSE) - ISACA;
Certified Information Systems Auditor (CISA) - ISACA.
Additional certifications may be sought after contract award, however, only the certifications listed above will be accepted for this solicitation.
Proof of education/certification MUST be provided.
R5. Experience in at least four (4) of the following seven (7) specialty areas, performing IT vulnerability assessments or Offensive Security work within a Government environment:
1. Vulnerability Management Services Framework,
2. Concept of Operations, processes and guidelines, reports and dashboards
3. Remediation management
4. Web application vulnerability assessment
5. Penetration testing
6. Red team
7. Firewall rules review
R6. Experience as an IT Security Vulnerability Management analyst or Offensive Security services specialist in the following:
Preparation Phase:
a) Developed and documented test plans, audit programs, plan and approach, and rules of engagement documents;
b) Defined the adopted testing/scope methodology;
c) Identified, assessed and rated risks for the entity under review to prioritise topics for assessment;
d) Defined project milestones and estimated timelines based on agreed-upon deliverables;
e) Installed and configured testing and data analytics tools;
f) Attended and participated in the kick-off meetings; and,
g) Provided estimates and the LoE required to complete the work.
Reconnaissance/Discovery Phase:
a) Reviewed the environment, mapping, and system or data relationships;
b) Identified relevant regulatory requirements;
c) Obtained relevant departmental policies, directives and documentation;
d) Worked with the Department's IT organisation to obtain and document specific systems/data architecture;
e) Reviewed and assessed existing solutions and configuration settings; and,
f) Developed and customised scripts based on accepted industry standards to scan the environment under review.
Testing/Analysis Phase:
a) Executed customised scripts to identify policy and regulatory violations;
b) Performed a scan of IT security solutions and listed possible vulnerabilities in the environment;
c) Reviewed initial findings to determine whether policies/directives are adequately conformed with or enforced;
d) Analysed findings to filter out false positive items;
e) Reviewed and assessed policy violations/authentication circumvention;
f) Identified unencrypted sensitive system elements;
g) Identified exploits in existing source code;
h) Conducted privilege escalation and attempted to further exploit existing system security controls; and,
i) Documented informational, low, medium, high and critical findings and informed the appropriate contacts if any high or critical vulnerabilities were discovered.
Reporting Phase:
a) Reported on the analysis and grouping of detailed findings from both the IT security asset vulnerability scanning and manual assessments;
b) Assessed severity levels of vulnerabilities;
c) Recommended remediation action for each vulnerability identified;
d) Presented findings during the final report meeting; and,
e) Replicated findings in a live demonstration as required by the client.
The bidder should provide a maximum of six (6) projects completed within the last five (5) years from the bid closing date for the proposed resource. If more than six (6) projects are submitted, only the first six will be evaluated.
If you have the above listed experience and valid Secret clearance, please send your resume as soon as possible.
Job Type: Contract
Pay: $1,049.00-$1,050.00 per day
Application question(s):
- Do you have a valid Secret Security Clearance that is currently in place and not expired?
Work Location: Remote