
Penetration Test Engineer
CGI · Bengaluru, Karnataka, India
- On site
- Full-time
- $90,000 / year
- Bengaluru, Karnataka, India
Job highlights
- Perform penetration tests on web, API, and mobile applications.
- Analyze and validate security tool findings.
- Simulate real-world attack scenarios to exploit vulnerabilities.
- Assess BFSI/Insurance workflows for business logic flaws.
- Create detailed security vulnerability reports.
About the role
About CGI
Founded in 1976, CGI is among the largest independent IT and business consulting services firms in the world. With 94,000 consultants and professionals across the globe, CGI delivers an end-to-end portfolio of capabilities, from strategic IT and business consulting to systems integration, managed IT and business process services and intellectual property solutions. CGI works with clients through a local relationship model complemented by a global delivery network that helps clients digitally transform their organizations and accelerate results. CGI Fiscal 2024 reported revenue is CA$14.68 billion and CGI shares are listed on the TSX (GIB.A) and the NYSE (GIB). Learn more at cgi.com.
Position Overview
We are seeking a skilled and detail-oriented Mid-Level Penetration Test Engineer with 3–6 years of hands-on experience in manual and tool-assisted security testing. The ideal candidate will have strong expertise in vulnerability validation, false positive analysis, and real-world exploitation techniques across web, API, and mobile applications. Experience in the BFSI/Insurance domain is highly preferred, with the ability to assess business-critical workflows such as claims processing, policy management, and payment integrations.
Your Future Duties and Responsibilities
- Penetration Testing Execution: Perform security testing across web, API, and mobile applications, combining manual testing (priority) with automated scans using tools like Burp Suite and OWASP ZAP, while identifying vulnerabilities aligned to OWASP Top 10 and API Top 10.
- False Positive Analysis (Critical): Analyze SAST, DAST, and AI tool findings to validate exploitability, eliminate false positives with supporting evidence, correlate automated and manual results, and justify reclassification where required.
- Exploitation & Validation: Develop PoCs and simulate real-world attack scenarios including input manipulation, authentication bypass, and business logic abuse to validate vulnerabilities effectively.
- Insurance Domain Testing: Assess workflows such as claims processing, policy management, and payment integrations, with a focus on identifying business logic flaws impacting financial transactions and data integrity.
- Reporting & Documentation: Create clear, actionable reports covering issue details, validation steps, risk/impact, and remediation recommendations, and support audit discussions and fix validations.
Required Qualifications
- Security Testing: Strong knowledge of OWASP Top 10, API Security Top 10, authentication/session flaws, and vulnerabilities such as Injection, XSS, IDOR, and SSRF.
- Tools & Technologies: Hands-on experience with Burp Suite, OWASP ZAP, Nmap, Nikto, and SAST/DAST tools.
- Technical Skills: Basic scripting (Python/Bash) with solid understanding of HTTP/HTTPS, REST APIs, JSON, and authentication mechanisms like JWT and OAuth.
- False Positive Handling: Ability to interpret scanner outputs, perform manual validation, and provide evidence-based conclusions.
- Experience: 3–6 years in penetration testing with exposure to enterprise application security.
Good-to-Have Skills
- Experience in BFSI/Insurance domain
- Exposure to AI-based security testing tools
- Knowledge of cloud security (AWS/Azure)
- Certifications such as CEH, eJPT, Security+, or OSCP (preferred)
Commitment to Diversity and Inclusion
CGI is an equal opportunity employer. In addition, CGI is committed to providing accommodation for people with disabilities in accordance with provincial legislation. Please let us know if you require reasonable accommodation due to a disability during any aspect of the recruitment process and we will work with you to address your needs.
Life at CGI
Together, as owners, let’s turn meaningful insights into action. Life at CGI is rooted in ownership, teamwork, respect and belonging. Here, you’ll reach your full potential because… You are invited to be an owner from day 1 as we work together to bring our Dream to life. That’s why we call ourselves CGI Partners rather than employees. We benefit from our collective success and actively shape our company’s strategy and direction. Your work creates value. You’ll develop innovative solutions and build relationships with teammates and clients while accessing global capabilities to scale your ideas, embrace new opportunities, and benefit from expansive industry and technology expertise. You’ll shape your career by joining a company built to grow and last. You’ll be supported by leaders who care about your health and well-being and provide you with opportunities to deepen your skills and broaden your horizons. Come join our team—one of the largest IT and business consulting services firms in the world.
Key skills/competency
- Penetration Testing
- Web Application Security
- API Security
- Mobile Application Security
- Vulnerability Assessment
- Burp Suite
- OWASP ZAP
- Security Reporting
- Ethical Hacking
- BFSI Domain
Skills & topics
- Penetration Test Engineer
- Security Testing
- Web Application Security
- API Security
- Mobile Security
- Vulnerability Assessment
- Burp Suite
- OWASP ZAP
- Ethical Hacking
- BFSI
- Insurance
- Cybersecurity
- Software Development
- IT Consulting
- Computer Science
- Python
- Bash
- HTTP
- HTTPS
- REST API
- JSON
- JWT
- OAuth
- SAST
- DAST
- CEH
- eJPT
- Security+
- OSCP
How to get hired
- Tailor your resume: Highlight your 3–6 years of penetration testing experience, specific tools like Burp Suite, and OWASP knowledge. Emphasize BFSI/Insurance domain experience if applicable.
- Showcase technical skills: Detail your proficiency in web, API, and mobile application security testing, including scripting (Python/Bash) and understanding of HTTP/HTTPS, REST APIs, JSON, JWT, and OAuth.
- Demonstrate analytical abilities: Provide examples of your false positive analysis, vulnerability validation, and ability to develop Proofs of Concept (PoCs) for real-world attack scenarios.
- Prepare for technical interviews: Be ready to discuss OWASP Top 10, API Security Top 10, common vulnerabilities, and your experience with security testing tools during the interview process for this Penetration Test Engineer role.
Frequently asked questions
- What is the typical career progression for a Penetration Test Engineer at CGI?
- At CGI, a Penetration Test Engineer with 3–6 years of experience can expect opportunities to advance to senior testing roles, specialize in specific areas like cloud security or mobile security, or potentially move into security architecture or management positions. Your growth will be supported by the company's focus on continuous learning and development within its global delivery network.
- Does CGI offer opportunities for professional development and certifications for Penetration Test Engineers?
- Yes, CGI encourages professional development. While certifications like CEH, eJPT, Security+, or OSCP are listed as preferred skills, CGI likely supports ongoing learning to help you achieve and maintain such credentials, enabling you to stay current with the latest security testing techniques and tools.
- What is the importance of the BFSI/Insurance domain experience for this Penetration Test Engineer role?
- Experience in the BFSI/Insurance domain is highly preferred because it indicates familiarity with critical business workflows like claims processing, policy management, and payment integrations. This specialized knowledge allows for a deeper assessment of business logic flaws that could impact financial transactions and data integrity, making you a more valuable candidate for this role.
- How does CGI's global delivery network benefit a Penetration Test Engineer?
- CGI's global delivery network provides Penetration Test Engineers with access to a wide range of expertise, diverse project opportunities, and the ability to scale solutions. It means you can collaborate with professionals worldwide, work on international projects, and leverage extensive industry and technology knowledge to enhance your skills and career.
- What are the primary security testing tools mentioned for the Penetration Test Engineer position at CGI?
- The primary security testing tools mentioned for this Penetration Test Engineer role at CGI include Burp Suite and OWASP ZAP for web and API testing. You'll also use Nmap and Nikto for network scanning and vulnerability identification, alongside SAST and DAST tools for application security analysis.