Application Penetration Testing Manager

Job Description & Summary

A career in our Network Information Security (NIS) team will provide you the opportunity to solve our clients’ most critical application and data protection challenges. As a Manager in the Application Penetration Testing team, you will lead complex testing engagements, shape our service offerings, and develop our people. You’ll combine deep technical tradecraft with strong client leadership to help organizations understand and manage real‑world application security risk. 

You will work closely with CISOs, engineering leaders, and product teams to scope, deliver, and explain application security assessments across web, mobile, API, and cloud‑native environments. You will be responsible for quality, timelines, and risk management on your projects, while also contributing to innovation in testing techniques and the way we use automation and AI to extend our capabilities. 

Responsibilities 

PwC Professional skills and responsibilities for this management level include but are not limited to: 

• Lead multiple, concurrent application penetration testing engagements from planning to reporting, ensuring quality, timeliness, and internal client satisfaction. 

• Scope and design testing approaches for complex applications (web, mobile, APIs, microservices, cloud‑native), balancing risk coverage, effort, and client constraints. 

• Assist EMEA CISO/BISO teams on number of AppSec initiatives within EMEA ; 

• Apply advanced manual testing techniques (e.g. business logic abuse, multi‑step workflows, chained exploits alongside targeted use of automated tools and AI‑assisted capabilities. 

• Review and challenge technical findings produced by the team, ensuring accuracy, clear risk articulation, and practical remediation guidance for engineering audiences. 

• Translate technical results into business‑relevant impact for senior stakeholders (e.g. data exposure, fraud risk, compliance impact), and lead readouts with client security and product leadership. 

• Coach and mentor junior and senior penetration testers, providing structured feedback, on‑the‑job training, and stretch opportunities to develop their tradecraft and consulting skills.

• Use engagement reviews as an opportunity to systematically uplift team capability, standardize good practices, and drive consistency in testing depth and reporting quality.  

• Contribute to service development by enhancing methodologies, checklists, and tooling approaches (including AI‑augmented testing workflows) and embedding them across the team. 

• Collaborate with account teams and leadership to identify follow‑on or adjacent opportunities (e.g. secure SDLC, threat modelling, code review, developer training) based on identified weaknesses. 

• Support shaping up service-related challenges on complex technical approaches, effort estimates, and risk mitigations for application security assessments. 

• Foster a positive and inclusive team environment by effectively managing workloads, supporting work-life balance, and demonstrating open, respectful communication.  

• Use feedback and reflection to continuously refine your leadership, technical, and commercial skills, and uphold the firm’s code of ethics and business conduct. 

Minimum Degree Required 
Bachelor’s Degree 

Minimum Years of Experience 
5+ years of experience in application security / penetration testing, including significant hands‑on testing and at least 1–2 years in a lead or supervisory role. 

Preferred Fields of Study 
Computer and Information Science, Computer Applications, Computer Engineering, Information CyberSecurity, Information Technology, Management Information Systems or equivalent experience. 

Required Technical Skills and Knowledge 

Demonstrates extensive knowledge and/or a proven record of success in the following areas: 

• In‑depth understanding of web applications, APIs, and services, including platforms and stacks such as IIS, Apache variants, Nginx, Java, .NET, Node.js, modern front‑end frameworks, and common API technologies (REST, SOAP, GraphQL). 

• Strong understanding of web and application security frameworks and guidance, including OWASP Top 10, OWASP API Top 10, OWASP MASVS, and SANS/CWE Top 25. 

• Proven ability to identify and exploit application vulnerabilities such as SQL injection, XSS, CSRF, SSTI, IDOR, authN/authZ flaws, and logic issues, and to demonstrate realistic business impact. 

• Hands‑on use of industry‑standard testing tools (e.g. Burp Suite Pro, ZAP, proxy tools, interception frameworks) and familiarity with SAST/DAST/IAST and API security testing tools. 

• Solid understanding of application hosting environments: Windows and Linux web servers, application servers, databases, WAFs, load balancers, reverse proxies, and common cloud platforms (AWS, Azure, GCP). 

• Experience designing and executing tests for modern architectures (microservices, containers, serverless, CI/CD‑driven deployments) and integrating findings into secure SDLC practices. 

• Experience using or evaluating AI‑assisted techniques in security testing (e.g. AI‑aided recon, test idea generation, or report support) with appropriate validation and risk controls. 

Required Professional Skills and Abilities 

Demonstrates abilities and/or a proven record of success in the following areas: 

• Leading end‑to‑end application penetration testing engagements, including scoping, planning, execution oversight, issue escalation, and stakeholder communication. 

• Managing small to medium‑sized teams of testers, delegating effectively, and ensuring consistent test coverage and quality. 

• Reviewing and refining technical reports for clarity, accuracy, risk rating, and actionable remediation steps tailored to developers and architects. 

• Communicating complex technical concepts clearly and succinctly to both technical and non‑technical stakeholders, adapting depth and style as appropriate. 

• Building and maintaining strong client relationships, participating actively in discussions, and positioning relevant add‑on services aligned to client needs. 

• Balancing project economics (budget, effort, and scope) while maintaining agreed quality standards and addressing unanticipated issues constructively. 

• Creating a positive team climate by monitoring workloads, providing timely feedback, and supporting the growth and well‑being of team members. 

• Proactively seeking and incorporating guidance, clarification, and feedback from leadership, and keeping stakeholders informed of progress, risks, and issues. 

#LI-BS1