Senior Penetration Tester

Big Stars, Serbia
Relocation
AI Summary

Join Big Stars as a Senior Penetration Tester to lead end-to-end penetration testing engagements, partner with product and engineering teams, and develop custom tooling and methodologies.

Key Highlights
Lead end-to-end penetration testing engagements
Partner with product and engineering teams
Develop custom tooling and methodologies
Key Responsibilities
Lead end-to-end penetration testing engagements across web applications, APIs, mobile, internal and external networks and cloud
Run red-team and assumed-breach operations
Perform security reviews of cloud-native services, Kubernetes workloads, CI/CD pipelines, and microservices
Technical Skills Required
Python, AWS, MITRE ATT&CK
Benefits & Perks
24 vacation days annually
6 sick days without a medical certificate
Premium Health Insurance
Nice to Have
Offensive-security certifications: OSWE, OSEP, OSED, CRTO, BSCP, ARTE, GRTE
In-depth experience architecting secure services on Kubernetes and AWS
Prior iGaming, fintech, or payments domain experience

Job Description


Big Stars is an end-to-end product engineering company based in Belgrade, Serbia. We create a space where people take initiative and go big.

We focus on:

- turning outdated systems into high-performing engines

- creating clean products that users actually love

- designing stable and secure environments

- building complex tech products


We invite a Senior Penetration Tester to join our team.


‼️ This is an office-based role – NO remote or hybrid options. ‼️

We provide relocation support if your current location is different.


Responsibilities:

✔️ Lead end-to-end penetration testing engagements across web applications, APIs, mobile, internal and external networks and cloud (primarily AWS).

✔️ Run red-team and assumed-breach operations - initial access, privilege escalation, lateral movement, persistence, exfiltration - including against fraud and detection stacks.

✔️ Perform security reviews of cloud-native services, Kubernetes workloads, CI/CD pipelines, and microservices.

✔️ Discover and exploit vulnerabilities across real-money flows - payments, deposits and withdrawals, wallets, KYC / AML, bonus systems, and affiliate tracking.

✔️ Partner with product, engineering, AppSec, payments, and fraud teams to translate findings into concrete fixes and durable controls.

✔️ Develop custom tooling, scripts, and methodology where no out-of-the-box approach exists.

✔️ Build and validate declarative threat models and contribute to "secure by design" practice.

✔️ Mentor mid and junior testers, review their engagement plans and reports.

✔️ Track new CVEs, TTPs, MITRE ATT&CK updates, and regulator advisories - translate them into concrete changes in how we test and defend.

✔️ Support pre-sales scoping, effort estimation, and pre-certification engagements for new products and jurisdictions.

✔️ Serve as a trusted offensive-security advisor to product, engineering, and compliance teams.


Requirements:

✔️ Minimum 4 years of hands-on penetration testing or offensive-security experience.

✔️ Proven track record across at least three of: web / API, internal, external network, cloud (AWS / GCP), mobile (iOS / Android).

✔️ OSCP or an equivalent hands-on (practical-exam) certification.

✔️ Strong working knowledge of SAST/SCA/DAST tooling, AWS/GCP, MITRE ATT&CK, OWASP ASVS / WSTG, PTES.

✔️ Understanding of application data flow and the MVC model.

✔️ Understanding of supply chain attacks.

✔️ Good reporting skills.

✔️ Comfortable scripting in Python and Bash.

✔️ Knowledge of at least one major cloud provider's IAM model.

✔️ Experience pentesting cloud-native systems and Kubernetes environments, plus the CI/CD pipelines around them (GitLab, GitHub Actions, Jenkins) and IaC (Terraform, Helm, CloudFormation).

✔️ Strong written and verbal communication in English.

✔️ Experience balancing security and business demands under release pressure.

✔️ Familiarity with industry regulations, frameworks, and practices: PCI DSS, ISO 27001, NIST, GDPR.


PREFERRED QUALIFICATIONS:

✔️ One of the following offensive-security certifications: OSWE, OSEP, OSED, CRTO, BSCP, ARTE, GRTE.

✔️ In-depth experience architecting secure services on Kubernetes and AWS.

✔️ Prior iGaming, fintech, or payments domain experience.

✔️ Public CVEs, advisories, write-ups, conference talks.

✔️ Hack The Box Pro Lab completions, competitive CTF placements.

✔️ Open-source contributions to offensive or defensive tooling.


We offer excellent benefits, including but not limited to:

🏝 24 vacation days annually.

🤒 6 sick days without a medical certificate.

🏥 Premium Health Insurance (coverage up to 5,000 EUR annually).

🎉 Special occasion gifts: birthday, wedding, newborn.

📚 Learning & Development budget (for conferences, courses and certifications).

🌍 Corporate events: international parties, team buildings, activities.

📈 Career growth opportunities in a fast-growing company.

✈️ Relocation package for international candidates.

🏋️ Sports package (FitPass membership).

🗣️ Language classes: Serbian & English (company-covered).

