Skip to content

Penetration Tester

At Northwestern Mutual, we are strong, innovative and growing. We invest in our people. We care and make a positive difference.

Principal Accountabilities

The principal accountability of a Security Testing Engineer is to secure the data and information systems of Northwestern Mutual and its policy owners. While Security Testing Engineers think like an attacker, they will always act with integrity and never abuse their privileges.

All work is in service of two primary internal customers: (1) the Business Owners accountable for the people, processes, and technologies in the organization, and (2) the Blue team accountable for logging, monitoring, and incident response. 

The Security Testing Engineer serves the Business Owners by identifying, assessing, and responsibly reporting all vulnerabilities discovered throughout the organization. The primary goal being a focus on risk mitigation – allowing for business continuity, but without negligent risk. 

The Security Testing Engineer serves the Blue Team by simulating threats against which they can engineer detection rules and validate monitoring, alerting, and response capabilities. This partnership happens in an open, knowledge-sharing environment to facilitate timely detection of existing gaps and new attack techniques. 

Essential Job Duties

Penetration Testing: The  Security Testing Engineer will be accountable for working with cross-functional teams to serve as the subject matter expert in the security testing space and independently performing web, mobile, and network penetration tests in an enterprise environment with assistance from senior members of the testing team as needed. 

Red Team: Accountable for assisting in the execution of red team exercises under the supervision of senior team members where needed. 

Infrastructure & Automation: Accountable for assisting the team in managing, building, and maintaining security tools and infrastructure that support the security testing team with a focus on automation to aid in efficiencies with both security testing and threat simulation, and to enable senior security team members to focus on advanced tasks. 

Security Research: Accountable for regularly monitoring the security community for, and researching, the latest assessment and exploit methodologies and sharing the information back to the team in the form of informal reports, newly written tools and/or attack techniques. 

Test Coordination: Accountable for communicating with enterprise development teams to coordinate and schedule tests including gathering information needed to perform a successful test. 

Reporting: Accountable for preparing and delivering quality security information that comprehensively and clearly explains risk, demonstrates findings, and offers tactical and strategic recommendations to both technical and non-technical internal clients. 

Communication: Effective and professional communication of a variety of topics, including technical and non-technical information, to a wide variety of internal and external customers. 

Bug Bounty: Accountable for day-to-day management of bug bounty program including onboarding new applications and initial triage of bug submissions. 

Ad Hoc Incidents: Work in tandem with architects, the security operations center, incident responders, and technology infrastructure and development team members as necessary.

Training: Attend training to stay current with technology and security trends. 

Metrics: Accountable for working with select team members to track, monitor, and report testing results in a meaningful way so that risk-based security metrics are delivered to the enterprise. 

Skills Requirements


  • Proficiency with both Windows and Linux operating systems. Including strong command line skills. 

  • Thorough understanding of web application design principles in the areas of coding, infrastructure, middleware, etc. 

  • Hands-on experience with each of the following security assessment suites: Burp Suite, Metasploit, Wireshark, and tcpdump. 

  • Thorough understanding of applicable frameworks including NIST, the “OWASP Top Ten” and MITRE ATT&CK. 

  • Thorough understanding of the OSI Model, web and network protocols such as TCP, UDP and HTTP/S. 

  • Competency with one or more scripting/programming languages such as Python, JavaScript, Java, Ruby, Go, PowerShell, Bash, C#, C/C++, etc. 

  • One or more certifications in penetration testing or security (e.g., Security+, Network+, CEH, etc.). 

  • Experience with APIs and associated protocols, such as JSON, REST, or SOAP. 

  • Ability to analyze attack techniques and recreate or repurpose tooling to replicate the attacks. 

  • Fundamental understanding of cryptography controls and underlying concepts to secure data. 

  • Thorough knowledge of defense-in-depth design and operational concerns. 

  • Ability to independently identify and resolve issues through effective problem-solving skills. 

  • Track record of acting with integrity, taking pride in work, seeking to excel, being curious, and adaptable. 

  • Ability to maintain and strengthen relationships; ability to effectively influence and negotiate with internal and external partners. 

  • Proven interpersonal savvy with demonstrated tact and diplomacy. 

  • Strong written and verbal communication skills with the ability to interpret and fully explain the impact of vulnerabilities as well as any recommended remediation to multiple knowledge levels. 


  • Experience with applications hosted in Amazon Web Services (AWS) and/or Microsoft Azure, preferably within an Agile/DevOps operating model. 

  • Experience with one of the adversarial simulation platforms such as Cobalt Strike, Empire, etc. 

  • One or more advanced certifications in penetration testing and/or ethical hacking (e.g. GWAPT, GPEN, GWEB, OSCP, CISSP, etc.). 

  • 3+ years experience performing security testing activities such as web, mobile, or infrastructure/network testing. 

  • 3+ years experience with one or more of the following security assessment suites: Cobalt Strike, Empire, Metasploit, etc. 

  • 3-5 years experience with one or more scripting/programming languages such as Python, JavaScript, Java, Ruby, Go, PowerShell, Bash, C#, C/C++, etc. 

  • Formal software development experience preferred but not necessarily required. 

Experience Requirements:

  • Bachelor’s degree with an emphasis in Computer Science, Computer Engineering, Software Engineering, MIS or related field.

  • Highly technical and analytical hands-on experience in prior professional, educational, or personal projects. 

  • 2+ years of experience with web/mobile application and/or network penetration testing. 

Grow your career with a best-in-class company that puts our client’s interests at the center of all we do. Get started now!

W e are an equal opportunity/affirmative action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, gender identity or expression, sexual orientation, national origin, disability, age or status as a protected veteran, or any other characteristic protected by law.

If you work or would be working in C alifornia, Colorado, New York City, Washington or outside of a Corporate location, please click here for information pertaining to compensation and benefits.

Please note: Any wages or wage ranges listed directly on a specific job requisition or posting will supersede corresponding wage ranges listed within Pay Transparency Guide linked above.​


We’re excited about the potential people bring to Northwestern Mutual. You can grow your career here while enjoying first-class perks, benefits, and commitment to diversity and inclusion.