Cyber Security Analyst III (Security Testing)

Position Overview

The primary duty of the Cyber Security Analyst III (Security Testing) is the planning, execution, and documentation of authorized security assessments across the organization’s information systems, infrastructure, and applications. This includes web application testing, network penetration testing, vulnerability assessments, and adversarial simulation activities. The incumbent applies industry-standard methodologies and tools to identify, validate, and document security weaknesses, translating technical findings into actionable remediation guidance for system owners and engineering teams. The role supports the organization’s security posture at the Hanford Site and collaborates closely with GRC, IT Engineering, and Security Operations teams.

Major Activities (Typical Duties/Responsibilities)

Plan, scope, and execute authorized penetration tests against network infrastructure, operating systems, web applications, and APIs in accordance with approved rules of engagement.

Conduct web application security assessments using both manual techniques and automated tooling, testing for OWASP Top 10 vulnerabilities and other application-layer risks.

Perform vulnerability assessments and configuration reviews across Windows and Linux environments, network devices, and cloud infrastructure.

Develop clear, structured assessment reports documenting methodology, findings, risk ratings (using CVSS or equivalent), and prioritized remediation recommendations for both technical and executive audiences.

Validate remediation efforts by conducting follow-up testing to confirm that identified vulnerabilities have been effectively mitigated or accepted.

Collaborate with GRC analysts to integrate security testing findings into POA&M tracking, risk assessments, and RMF authorization packages.

Support red team exercises and adversarial simulation activities to evaluate the effectiveness of detective and preventive controls.

Research and evaluate emerging attack techniques, threat actor TTPs (Tactics, Techniques, and Procedures), and offensive tooling to ensure testing methodologies remain current.

Assist with secure code review and DevSecOps integration activities, providing security guidance to software development and engineering teams.

Maintain detailed records of assessment activities, tooling configurations, and findings in accordance with federal handling requirements for sensitive assessment data.

Provide mentorship and technical guidance to junior analysts on security testing concepts, tool usage, and reporting standards.

Perform other duties as appropriate and as assigned.

Knowledge/Skills/Abilities

Demonstrated proficiency with penetration testing methodologies and frameworks, including PTES (Penetration Testing Execution Standard), OWASP Testing Guide, and MITRE ATT&CK.

Hands-on experience with industry-standard security testing tools, including Burp Suite Pro, Nessus/Tenable, Metasploit Framework, Nmap, Wireshark, and equivalent tooling.

Strong knowledge of web application security vulnerabilities (OWASP Top 10, SANS Top 25) and application-layer attack techniques.

Proficiency with scripting languages (Python, Bash, or PowerShell) for tool automation, payload development, and custom testing scripts.

Solid understanding of networking fundamentals (TCP/IP, DNS, HTTP/S, TLS, Active Directory) and how they relate to attack surface analysis.

Familiarity with cloud security testing concepts across AWS, Azure, or equivalent platforms, including misconfiguration assessment and IAM privilege analysis.

Knowledge of CVSS scoring, vulnerability risk rating methodologies, and how to communicate risk in business terms.

Understanding of NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) and relevant NIST SP 800-53 Rev. 5 control families.

Familiarity with DevSecOps principles and static/dynamic application security testing (SAST/DAST) integration in CI/CD pipelines.

Good interpersonal skills: ability to work effectively and cooperatively with all levels of management and staff, affiliated-company employees as well as outside business associates; exhibits a professional manner in dealing with others.

Superior organizational, follow-up, and detail-oriented skills.

Strong ability to analyze documents and categorize appropriately.

Ability to maintain accurate records.

Work independently, as well as on a team and with minimal supervision.

Make decisions, solve problems, and exercise excellent judgment.

Work well under pressure and independently prioritize workload, while working on multiple projects.

Ability to research, organize and analyze technical information with particular attention to accuracy and detail.

Excellent written and verbal communication skills; including thorough knowledge of proper grammar, advanced vocabulary, spelling, editing and proofreading skills.

Proficient using Microsoft Office products, such as Word, Excel and PowerPoint, and industry-standard computer software and databases.

High degree of sensitivity regarding confidential information.

Physical Abilities

Sufficient fine motor skills for the use of computers, calculators with an ability to withstand repetitive keyboarding for extended periods of time.

Visual and communications ability adequate to perform the essential functions of the job.

Ability to kneel, bend and twist at the waist on an occasional basis.

Ability to reach below shoulder height with regular frequency (desk position) and at or above shoulder height on occasion.

Ability to push, pull, carry and lift objects weighing up to 10 pounds on a regular basis, and greater weights on an occasional basis.

Ability to travel by vehicle or aircraft, and ability to safely operate a motor vehicle.

Minimum Qualifications

Bachelor’s degree in Cybersecurity, Computer Science, Information Systems, or a related technical discipline and 5+ years of progressive experience in cybersecurity, with at least 3 years of hands-on experience in security testing, vulnerability assessment, or offensive security; or equivalent combination of education, experience, and training.

Ability to pass a background and drug screening.

Must have identification compliant with the Real ID Act at time of hire.

Must be able to obtain Department of Energy access badge.

Preferred Qualifications

Experience conducting security assessments in federal, DOE, or other regulated environments with defined rules of engagement and formal reporting requirements.

Demonstrated experience with adversarial simulation, red team operations, or purple team collaboration.

Experience with cloud security assessment tools and techniques (e.g., ScoutSuite, Prowler, Pacu).

Familiarity with OT/ICS security assessment considerations relevant to industrial or critical infrastructure environments.

Experience with secure code review and integration of security testing into software development lifecycles.

Relevant certifications such as OSCP (Offensive Security), GPEN or GWAPT (GIAC), CEH (EC-Council), CompTIA PenTest+, or equivalent.

Pay Range: $89,596-$158,000

Benefits: OSC Technical Solutions offers excellent benefits for eligible employees. Benefits include paid holidays, paid time off, 401k with employer match, dental, vision, health insurance plans through the Federal Employee Health Benefits (FEHB) program, as well as life and disability benefits. 

OSC Technical Solutions does not discriminate, and the company provides equal employment opportunity for all employees and applicants without regard to race, religion, color, sex, gender, sexual orientation, national origin, citizenship status, age, marital status, pregnancy or parenthood, handicap or disability, genetics, veteran status or any other legally protected characteristic. OSC Technical Solutions adheres to all federal, state and local laws regarding equal employment opportunity and will not discriminate against you in violation of these laws. OSC Technical Solutions reserves the right to apply CIRI Shareholder preference to qualified Shareholders in employment and advancement opportunities.  

OSC Technical Solutions participates in E-Verify. We will provide the Social Security Administration (SSA) and, if necessary, the Department of Homeland Security (DHS), with information from each new employee's Form I-9 to confirm work authorization. 

Reasonable Accommodation:

OSC Technical Solutions will provide reasonable accommodations, according to applicable state and federal laws, to all qualified individuals with physical or mental disabilities. In compliance with the ADA Amendments Act (ADAAA), if you have a disability and would like to request an accommodation in order to apply for a position with OSC Global, LLC or any of its subsidiaries, please email [email protected].

Important Employment Notice: Federal Contract & RCW 49.44.240:

Due to our status as a federal contractor operating within the State of Washington, all applicants and employees must adhere to federal law, which classifies cannabis as a Schedule I controlled substance.

While Washington State’s RCW 49.44.240 (which generally prohibits employers from discriminating against an applicant based on their lawful use of cannabis off-site and during working hours) is state law, it does not supersede federal requirements.

Zero-Tolerance Policy and Disqualification

Prohibition: The use, possession, or distribution of cannabis is strictly prohibited for all employees, regardless of state law.

Testing: Applicants will be subject to pre-employment drug screening that includes testing for cannabis.

Disqualification: A positive test result for cannabis will result in immediate disqualification from consideration for employment, as mandated by our federal contract obligations.

All applicants must be able to comply with all federal regulations, including those concerning controlled substances, as a condition of employment.