Overview
Capital One Offensive Security reduces cyber risk by uncovering vulnerabilities and weaknesses in the enterprise cyber environment through coordinated ethical hacking and penetration testing scenarios. This position works closely with team members to plan, coordinate, execute and report on sophisticated ethical hacking exercises to identify cyber vulnerabilities and reduce the risk posture of enterprise systems.
Location
London or Nottingham – permanent position, hybrid working model (3 days in office, remainder remote).
Responsibilities
- Perform penetration testing of APIs, web applications, networks and cloud services, and related infrastructure.
- Assess Capital One's development practices and help drive corporate security standards.
- Help triage and test application responsible disclosure findings and newly disclosed vulnerabilities.
- Work with developers to improve the Software Development Lifecycle (SDLC) for applications.
- Present findings, risks and conclusions to technical and non‑technical audiences.
- Collaborate closely with the business throughout remediation, influencing stakeholders and delivery teams on prioritization of security activities and issue remediation.
- Establish effective and productive relationships with colleagues across the Global Cyber organization and technology departments.
Qualifications
- Information security experience in red teaming, penetration testing, application security or network security.
- Strong knowledge of Web, API and mobile application security testing frameworks and methodologies.
- Familiarity with penetration testing tools such as BurpSuite, OWASP Zap, SoapUI.
- Strong knowledge of application security best practices including OWASP Top 10.
- Strong understanding of networking concepts, Windows, Linux and Mac operating systems, cloud and web application vulnerabilities and exploitation.
- Experience with threat modelling concepts and frameworks (CVSS, MITRE ATT&CK, DREAD, or STRIDE).
- Technical knowledge in software engineering, system and network security, authentication and security protocols, cryptography, and network/web related protocols (TCP, UDP, HTTP, HTTPS).
- Bachelor's Degree or equivalent certification.
- Experience with security testing of cloud environments (AWS, Azure, GCP).
- Experience in offensive security tool development, customisation or expansion.
- Ability to code comfortably in one or more interpreted languages (Python, Bash, PowerShell, Perl, Ruby) and one or more compiled languages (C, C++, C#, Golang, Rust, Java, Objective‑C).
- Penetration testing experience with IoT, mobile applications or code review.
- One or more certifications (OSCP, OSCE, GPEN, GXPN, CRTO, CREST Certified Simulated Attack Manager).
Benefits
- Strong career progression opportunities with Capital One University training programmes.
- Immediate access to core benefits including pension scheme, bonus, generous holiday entitlement and private medical insurance.
- Flexible benefits such as season‑ticket loans, cycle‑to‑work scheme and enhanced parental leave.
- Open‑plan workspaces with accessible facilities; Nottingham head‑office gym, subsidised restaurant, mindfulness and music rooms; London rooftop running track and café.
