03. URGENT | SENIOR PENETRATION TESTER

Ho Chi Minh City
Full-time
Negotiation
Security Pentest OWASP Scanner findings

Bouygues Construction Information Technologies (BYCN IT) is the IT branch of Bouygues Construction, a global player in the building, civil works, energies and services sectors. Bouygues Construction operates at all points of the value chain of projects: finance, design, construction and facilities management (operation and maintenance). On every continent, our employees devise and develop solutions that help improve the environment and everybody’s lives.

As part of Bouygues Construction, the mission of BYCN IT is to provide the members of Bouygues Construction with high-quality IT services that fit their businesses and to deploy solutions that improve communication and collaboration across a worldwide network. BYCN IT has offices in France, Morocco and Vietnam.

As a Senior Penetration Tester, you will technically lead penetration testing and offensive security engagements to identify, validate and communicate security weaknesses in Bouygues’s information systems (applications, infrastructure, cloud and internet‑facing assets). You will focus on hands‑on offensive work and project leadership, while working closely with the Security Lead, Blue Team and product/infra teams to reduce real‑world risk.

Job Description

  • Act as technical lead for penetration testing projects on web applications, APIs, infrastructure, internal networks and cloud environments: help define scope, choose methodology, execute tests and ensure technical quality of results.
  • Plan and execute offensive security engagements (campaigns, advanced attack scenarios, adversary emulation) within defined rules of engagement, in coordination with Security Lead and Blue Team.
  • Perform in‑depth manual testing and exploitation beyond automated scanning: identify complex vulnerabilities and chain issues into realistic attack paths with clear business impact.
  • Validate and prioritize vulnerability scanner outputs; distinguish between noise and real risk based on context, exploitability and business criticality.
  • Provide clear, actionable remediation and mitigation guidance to development, infrastructure and product teams; support them in reproducing and fixing issues when needed.
  • Lead OSINT and External Attack Surface activities from a technical perspective (asset discovery, exposure analysis, attack path identification), focusing on Bouygues’s internet‑facing assets.
  • Contribute to building and improving internal tooling, scripts and workflows to automate recurring checks and increase efficiency in offensive activities.
  • Mentor and support junior/mid level pentesters within engagements (pair testing, review test plans and findings, review reports), while Security Lead remains responsible for people management, career paths and overall practice strategy.
  • Continuously research new vulnerabilities, techniques, tools and countermeasures relevant to the team’s offensive scope and bring them into daily practice in a pragmatic way.

OUR REQUIREMENTS:

Cybersecurity Skills & Experience

  • 3–5+ years of hands‑on experience in penetration testing and/or offensive security (web/API, infrastructure, internal network and/or cloud).
  • Strong understanding of core security concepts and methodologies:
    • Web/API security (OWASP, auth/session, access control, injection, logic flaws).
    • Network and infrastructure security (network segmentation, AD basics, common protocols).
    • Exploitation and post‑exploitation in controlled environments (privilege escalation, lateral movement, data access within ROE).
  • Solid experience in:
    • Designing and executing pentest engagements end‑to‑end on scope assigned.
    • Using and combining tools such as nmap, Nessus/Qualys, Burp Suite Pro, custom scripts, etc.
    • Translating technical findings into clear risk statements and remediation recommendations.
  • Good knowledge of vulnerability assessment and risk rating:
    • Understanding scanner findings, context and exploitation hypothesis.
    • Familiar with CVSS and risk‑based prioritization.
  • Experience with OSINT and external attack surface discovery (subdomain enumeration, asset fingerprinting, exposure mapping) is highly valued.
  • Familiarity with security standards and frameworks such as OWASP, CIS Benchmarks, NIST, MITRE ATT&CK.
  • Practical scripting/automation skills (Python, Bash, PowerShell or similar) to:
    • Build small tools, PoCs, data parsers or automation for repetitive tasks.
  • Security certifications that reflect hands‑on offensive capability (OSCP/OSWE, OSEP, eCPPT, GWAPT or similar) are a strong plus; foundational certs (CEH, Security+, etc.) can be complementary but are not the main differentiator at Senior level.

Nice to have

  • Experience in bug bounty, exploit development or zero‑day research.
  • Participation in red‑team or purple‑team exercises alongside Blue Team/SOC.

Profile & Background

  • Bachelor’s degree in Computer Science, Information Security, Network Engineering or equivalent practical experience.
  • Strong security expertise across web, infrastructure, network and ideally cloud environments, with the ability to go deep in at least one of them.
  • Good understanding of SDLC/Agile/DevOps and how security testing fits into delivery pipelines.
  • Broad understanding of security tools (strengths/limitations, when to use what), not just tool‑driven testing.
  • Able to work autonomously on assigned projects, manage own workload, communicate status and blockers clearly to Security Lead and stakeholders.
  • Knowledge of testing/audit methodologies (PTES, NIST 800‑115, OWASP Testing Guide, etc.) is a plus.

General / Soft Skills

  • Rigorous and quality‑focused; strong attention to detail and reproducibility of findings.
  • Methodical and organized; able to structure engagements, testing activities and documentation clearly.
  • Strong analytical and problem‑solving mindset; able to design and adapt attack paths based on findings and constraints.
  • Clear written and verbal communication in English; able to explain complex technical issues in an understandable way to different audiences.
  • Team‑oriented, collaborative; comfortable working closely with other pentesters, Blue Team/SOC, developers and infrastructure teams.
  • Customer/service orientation:
    • Understands business processes and constraints behind systems under test.
    • Helps stakeholders make informed decisions by focusing on realistic risk and feasible remediation options.
  • Open‑minded, eager to learn and share knowledge, receptive to feedback and peer review.

OUR BENEFITS: 

Professional, Open-minded and Creative Environment:

  • International, friendly, proactive, supportive workplace.
  • Great teamwork with Agile mindset.
  • Respect different perspectives.
  • Strong sharing culture to improve individual development.

Individual Development

  • Career and personal development plan for each individual.
  • Extensive training and in-depth knowledge sharing sessions.
  • Online internal learning hub with categories covering software skills, soft skills and language skills.
  • Be oriented and empowered for individual, team and organization goals.

Special Care for Employee

  • Work from home 2 days/week.
  • Dell laptop and external monitor for your work.
  • 100% salary during the probationary period.
  • Up to 2-month performance bonus.
  • 15 annual leave days + 6 sick leave days (plus 1 annual leave day for 3-year working).
  • Annual health check-up and premium health insurance for employee.
  • Annual teambuilding activities and company trip.
  • Sponsorship for sports and personal activities.

Send your CV to us at: hr.bycnitvn@bouygues-construction.com.
