Pentester Web (m/f/d)
PwC
Posted: April 3, 2026
Quick Summary
Join a team that researches, builds, and secures web applications and infrastructure, focusing on cybersecurity and privacy.
Job Description
Line of Service
Advisory
Industry/Sector
Technology
Specialism
Cybersecurity & Privacy
Management Level
Senior Associate
Job Description & Summary
PwC Luxembourg is hiring a Pentester Web Consultant (m/f/d). What if it was you?
Your mission: Have you ever wanted to pop an XSS in the back-office of a web banking platform, legally and for a good reason? Do you want to hunt for auth flaws, access control issues, and business logic bugs in real client environments, without the usual frustration of a “dup” or a bad triage decision? Do you want to join a team that researches, builds, shares, and actually enjoys the work together, instead of doing everything solo behind a laptop?
As a Junior / Senior Web Application Penetration Tester, you will help our clients identify vulnerabilities before malicious threat actors can exploit them. You will work with a wide range of clients, including banks, European institutions, public sector organisations, and companies in the financial and operational sectors.
Your role will focus primarily on web application penetration testing engagements, from targeted assessments to complex, multi-layered assignments involving modern applications, APIs, authentication flows, and business-critical internet-facing services. This is hands-on work, not a role limited to polished presentations and theoretical recommendations. We do not just produce fancy PowerPoint slides. We test real applications, chain realistic attack paths, validate what is actually exploitable, and help clients fix what truly matters. Whether you are building your experience or already bringing strong web offensive skills, you will have room to grow, specialise, and make a visible impact.
You will join a team of experienced, dedicated, and passionate professionals who take offensive security seriously. Research, experimentation, knowledge sharing, and continuous progression are part of the day-to-day work here. The next talk, article, tool, or CVE could come from you.
Want to move faster in the process? Solve this mini challenge:
=QSb6hXflJGbqg3ftpCbkpSQNlUSVtFXbVlRTtESVJESGVVTf5lQI9VTVxlK/1GfgpiYzRieglmSrRmZ+9GajhnfkInZk9nK7tGZqI2ckoHYppUbo9ne8hmfkg3a8hWbrRmKmI2ckoHYpp0ZttGewh3c6RCewxXYkBnKmI2ckoHYpp0akhXftxXb4lGJrhGc8xmKzxHZwhnKrRmeqIGaGpyKstGa81GZzJWbk9mfrhmW
Be a part of our team where you will:
• Work on penetration testing projects with a strong focus on web applications, APIs, and other internet-facing assets.
• Identify, validate, and document vulnerabilities affecting modern applications, including access control flaws, authentication weaknesses, injection issues, business logic vulnerabilities, and other common web security risks.
• For more senior profiles, define testing strategies, scope complex assessments, and guide the execution of engagements to ensure high-quality technical delivery.
• Produce clear, concise, and technically accurate penetration test reports for both technical and executive audiences.
• Present findings and recommendations to clients, and support debriefing sessions with technical teams, project stakeholders, and management.
• Contribute to the preparation of proposals for penetration tests and technical projects, including effort estimation and scoping.
• Help improve our labs, tooling, knowledge base, and internal methodologies for web and API security testing.
• Contribute to a culture of continuous learning through mentoring, technical exchanges, and shared research.
• Get involved in pre-sales discussions, scoping, budget sizing, project management, and other growth areas depending on your personal career aspirations, or, alternatively, deepen your technical expertise in application security testing.
• Work with a global network, collaborating with colleagues across offices worldwide and contributing to our broader cybersecurity expertise.
• Evolve in a high-performing team that values trust, flexibility, and balance.
• Be part of a team where R&D is not marketing language but a real part of the job. We invest time in hands-on research, practical experimentation, reproducing emerging attack techniques, and refining application security tradecraft.
• Join colleagues who attend and contribute to leading cybersecurity events including DEF CON, Hack.lu, leHACK, BruCON, Black Alps, and BSides Luxembourg, and who publish and share their expertise with the wider community. In 2025, four team members presented internal research at Hack.lu. The next one could be you.
Let’s talk about you. If you …
• Have a strong academic background in Computer Science, Network Engineering, Cybersecurity, Offensive Security, or a related field.
• Are technically curious and driven to understand how web applications fail and how attackers abuse them.
• Enjoy learning by doing and want to sharpen your offensive skills through real-world application security assessments.
• Bring experience according to your level, from strong potential and first hands-on exposure for junior candidates to proven web application penetration testing experience for senior profiles.
• Have hands-on familiarity with web testing tools and techniques, such as Burp Suite or equivalent, intercepting and manipulating web traffic, manual testing, scripting, and vulnerability validation.
• Are familiar with common web application security standards, testing methodologies, and guidance, such as the OWASP Top 10, OWASP Testing Guide, and API security best practices, and can apply them in practice.
• Have a solid understanding of web technologies, authentication mechanisms, modern application architectures, and common web application security concepts.
• Can communicate clearly and professionally in English, both verbally and in writing. Additional languages are a plus.
• Value ethics, discretion, and professionalism.
• Thrive both autonomously and as part of a strong team.
• For more senior profiles, are comfortable leading client engagements, coordinating assessment activities, mentoring junior colleagues, and acting as a technical point of contact.
In addition, it’s a plus if you…
• Have prior experience in offensive security, cybersecurity consulting, or hands-on web application security testing.
• Hold recognised certifications such as OSWE, OSCP, OSEP, or equivalent.
• Have shared knowledge with the community through talks, blogs, tools, open source, research, or CVEs.
• Have an interest in offensive R&D and staying close to the evolution of web exploitation techniques and attacker tradecraft.
• Know the Luxembourg market and/or its regulatory environment.
…You are the candidate we are looking for!
A final word about us:
At PwC, we believe diversity is the representation of all the characteristics that make us both alike and unique. Our backgrounds, cultures, nationalities, lifestyles, identities, opinions and beliefs, approaches to solving problems, ways of working, and views of personal and professional success, all add value to the services we deliver to our clients. Our objective is to nurture an inclusive environment where a diversity mindset is ingrained, and inclusion is the norm. We constantly focus on respecting and valuing individual differences.
Education (if blank, degree and/or field of study not specified)
Degrees/Field of Study required:
Degrees/Field of Study preferred:
Certifications (if blank, certifications not specified)
Required Skills
Optional Skills
Accepting Feedback, Active Listening, Agile Methodology, Analytical Thinking, Azure Data Factory, Communication, Creativity, Cybersecurity, Cybersecurity Framework, Cybersecurity Policy, Cybersecurity Requirements, Cybersecurity Strategy, Embracing Change, Emotional Regulation, Empathy, Encryption Technologies, Inclusion, Intellectual Curiosity, Learning Agility, Managed Services, Optimism, Privacy Compliance, Regulatory Response, Security Architecture {+ 8 more}
Desired Languages (If blank, desired languages not specified)
Travel Requirements
Not Specified
Available for Work Visa Sponsorship?
Yes
Government Clearance Required?
No
Job Posting End Date