
Senior Offensive Security Engineer, Penetration Testing

at Procter & Gamble

Procter & Gamble | WARSAW PLANT & GO | Posted 2026-06-22

Job description

Job Location: WARSAW PLANT & GO

Are you a person who is passionate about breaking applications, devices, services and/or processes to help protect them against the world's most advanced cyber security adversaries?

The Information Security Protect organization at Procter & Gamble is responsible for providing a realistic depiction of threat actor behaviors and scenarios during simulated exercises. We drive improvements to applications and systems, as well as detection and response capabilities, through regular testing of security controls across the enterprise.

Responsibilities:

- Lead complex, ambiguous, high-risk, or multi-domain penetration tests across applications, APIs, infrastructure, cloud, identity, networks, IoT, mobile, and enterprise environments.
- Partner with Intake Management and stakeholders to validate objectives, challenge technical assumptions, identify engagement risks, and shape the testing approach.
- Own technical execution strategy for complex engagements, including attack path development, safe exploitation, evidence standards, peer review, reporting quality, and remediation validation.
- Identify, exploit, and chain vulnerabilities across systems and domains to demonstrate realistic business impact and remediation priority.
- Design and execute control validation paths, including testing or bypassing preventative and detective controls, and document gaps in a way that supports remediation and defensive improvement.
- Serve as the technical escalation point for complex, novel, high-impact, or ambiguous findings from penetration tests, VDP, and Bug Bounty submissions.
- Review complex findings and reports from other testers to ensure technical accuracy, impact clarity, evidence quality, and remediation usefulness.
- Work with engineering, product, cloud, infrastructure, and security teams to translate findings into practical remediation and risk reduction.
- Partner with Cyber Defense Protect, Detect, and Respond teams to operationalize findings and improve defensive controls.
- Design, build, and govern internal tools, automation, and AI-assisted workflows that improve team scale, consistency, coverage, triage, exploitation support, reporting, and remediation validation.
- Lead security testing of AI-enabled applications, LLM systems, AI agents, RAG pipelines, model integrations, tool/plugin execution, and AI-specific abuse paths.
- Produce executive-ready risk narratives and high-quality technical reports tied to business impact, exploitability, and remediation priority.
- Mentor junior testers, provide peer review, and raise standards for methodology, exploit quality, documentation, safety, and communication.
- Drive team maturity through methodology standardization, reusable playbooks, technical review practices, tooling, metrics, knowledge sharing, and process improvement.

Job Qualifications

Qualifications (Required):

- Bachelor’s degree or equivalent Polish higher education qualification in Information Security, Cybersecurity, Computer Science, or a related field, OR 7+ years of relevant experience in lieu of a degree.
- 5+ years of experience in penetration testing, offensive security, adversary simulation, application security testing, or security research in complex environments.
- Demonstrated ability to lead complex penetration tests, manage ambiguity, make sound technical decisions, guide other testers, and serve as an escalation point for high-risk findings.
- Deep experience identifying, exploiting, and chaining weaknesses across 3 or more domains such as web applications, APIs, mobile applications, cloud infrastructure, enterprise applications, databases, networks, servers, IoT devices, identity platforms, directory services, or AI-enabled systems.
- Strong ability to automate offensive security tasks and build tooling using languages such as Python, PowerShell, Go, C#, JavaScript, C/C++, Assembly, or similar.
- Advanced Linux command-line experience and strong familiarity with Windows, enterprise environments, and common administrative tooling.
- Hands-on experience with at least one major cloud provider such as GCP, AWS, or Azure, including attack paths, misconfigurations, identity models, and cloud-native services.
- Ability to read, understand, and reason about source code across multiple languages to identify security flaws and determine exploitability.
- Proven ability to test or bypass preventative and detective controls while operating safely within approved scope and rules of engagement.
- Experience creating automation, tools, or AI-enabled workflows adopted by others to improve offensive security effectiveness, efficiency, coverage, or quality.
- Familiarity with security risks in AI-enabled technologies, including prompt injection, insecure agent or tool execution, sensitive data exposure, model misuse, authorization bypass, and AI application abuse cases.
- Strong written and verbal communication skills with the ability to brief technical teams, security teams, and leadership.

Qualifications (Preferred Skills):

- One or more offensive security certifications such as OSCP, OSWE, OSEP, OSCE, GXPN, GPEN, GWAPT, or similar.
- Public tools, modules, research, conference talks, blog posts, CVEs, open-source contributions, or other meaningful technical contributions.
- Experience developing AI-assisted security tools, agentic workflows, vulnerability triage systems, exploit helpers, report-generation pipelines, or other force-multiplying capabilities.
- Experience testing AI applications, LLM-based systems, AI agents, RAG systems, model integrations, and AI-enabled business workflows.
- Experience with mobile, IoT, embedded systems, firmware, reverse engineering, radio-frequency testing, or hardware exploitation.
- Experience with cloud and identity attack paths involving SSO, MFA, OAuth, service principals, IAM, secrets exposure, conditional access, PAM, or privilege escalation.
- Experience collaborating with DFIR, SOC, Detection Engineering, Application Security, Cloud Security, Product Security, and Vulnerability Management teams.