Penetration Test Engineer Jobs in Toronto, Ontario, Canada
Create alert for “Penetration Test Engineer”
Toronto, Ontario, Canada
Lead Penetration Test Engineer
About the role
S&P Global Corporate
The Role: Lead Penetration Test Engineer
Location: Hybrid 2 days per week onsite on one of our following sites: US: Boston, MA, Chicago, IL, Dallas, TX, Houston, TX, Englewood, CO, Raleigh, NC, Princeton, NJ, New York, NY, Southfield, MI, Washington, DC. Canada: Toronto, ON, Calgary, AB
The Team: The S&P Ratings Security team focuses on protecting our clients and users from modern security threats. Our mission is to safeguard systems and data by developing innovative solutions to the industry’s most complex security challenges. We are passionate problem solvers with deep security expertise. Responsibilities and Impact: We are seeking a Lead Penetration Test Engineer with extensive experience in penetration testing and offensive security. The ideal candidate will conduct penetration tests, re-testing, vulnerability scanning, and threat assessments across diverse environments. This role requires strong offensive security skills combined with cloud and application security expertise to identify vulnerabilities and develop effective mitigation strategies. A successful candidate will excel in the following areas: Penetration Testing & Vulnerability Assessments
- Conduct comprehensive penetration testing of web applications, infrastructure, and cloud environments using both manual and automated techniques.
- Develop custom scripts, tools, and methodologies to enhance penetration testing capabilities and automate security testing within CI/CD pipelines.
- Apply cloud‑specific offensive techniques, including IAM abuse, container and serverless exploitation, and cloud misconfiguration testing. Vulnerability Management & Remediation
- Collaborate with engineering and development teams to analyze vulnerabilities, develop remediation plans, and strengthen application security across development and production lifecycles.
- Perform detailed security assessments using DAST, SAST, and SCA tools to ensure continuous validation and improvement of security controls. Attack Simulations & Research
- Lead and participate in attack simulations and tabletop exercises to validate security controls and improve organizational response capabilities.
- Research emerging threats, attack vectors, and adversarial techniques to inform offensive and defensive strategies.
- Partner with internal teams to design and execute threat assessments based on intelligence feeds and threat actor analysis. Security Communication & Reporting
- Communicate and present penetration testing and security assessment findings to both technical and non‑technical stakeholders.
- Provide actionable remediation guidance and risk mitigation strategies to strengthen the organization’s overall security posture. What We’re Looking For
Basic Required Qualifications
- Bachelor’s degree in Computer Science, Information Systems, or a related field, or equivalent experience.
- Minimum 8 years of experience in information security with a strong focus on penetration testing, application security, and vulnerability management.
- Hands-on experience with penetration testing tools (e.g., Burp Suite, Nessus, Metasploit, Nmap) and methodologies (e.g., OWASP Top 10, MITRE ATT&CK, PTES).
- Expertise in identifying and exploiting common infrastructure and web application vulnerabilities (e.g., XSS, SQL Injection, IDOR).
- Familiarity with vulnerability classification and scoring frameworks (CVE, CVSS, CWE).
- Strong scripting or programming skills (e.g., Bash, Python, Go, PowerShell, JavaScript).
- Experience performing security assessments (DAST, SAST, SCA, credential scanning) and integrating security testing into CI/CD pipelines.
- Ability to translate complex technical findings into clear, actionable reports and confidently brief cross‑functional teams and executives.
- At least one recognized offensive security certification (OSCP, OSCE3, OSEP, GXPN, GPEN, or CREST CRT/CCT).
Preferred Qualifications
- Experience with cloud security across AWS, Azure, or GCP.
- Knowledge of AI/ML security and adversarial testing methods, including evaluating LLMs and other models for manipulation, evasion, and data integrity risks.
- Demonstrated involvement in the infosec community (e.g., open-source projects, bug bounties, CVE research, conference talks, or security publications).
- Experience applying the MITRE ATT&CK Framework to offensive security operations and threat emulation.
- Familiarity with secure software development practices and the software development lifecycle.
- Experience with Java application technologies, deployment frameworks, and associated security best practices.
- Ability to work collaboratively across teams while independently owning deliverables and maintaining accountability to deadlines.
Right to work requirements for Canada based out Candidates: This role is open for candidates with indefinite right to work within Canada.
Compensation/Benefits Information: (This section is only applicable to Canadian Candidates:) S&P Global states that the anticipated range of compensation for this position is 135,000 CAD to 180,000 CAD. Final compensation for this role will be based on the individual’s performance, geographic location, as well as experience level, skill set, training, licenses, and certifications. In accordance with Ontario's new regulations effective January 1, 2026, this job posting provides information on expected compensation. S&P Global will not be utilizing artificial intelligence in our hiring process. Additionally, we are committed to transparency and will inform all interviewed candidates of hiring decisions within 45 days of their interview. This posting is for an existing vacancy, and we encourage you to reach out for further information regarding our hiring practices or any questions you may have. Thank you for considering a career with us!
Not the right fit? Search for Penetration Test Engineer jobs in Toronto, Ontario, Canada
About S&P Global
S&P Global provides governments, businesses, and individuals with market data, expertise, and technology solutions for confident decision-making. Our services span from global energy solutions to sustainable finance solutions. From helping our customers perform investment analysis to guiding them through sustainability and energy transition across supply chains, our solutions help unlock new opportunities and solve challenges.
We are widely sought after by many of the world’s leading organizations to provide credit ratings, competitive benchmarking and data driven analytics in global capital markets, commodity, and automotive markets. Our divisions include S&P Global Market Intelligence, S&P Global Ratings, S&P Global Commodity Insights, S&P Global Mobility, S&P Dow Jones Indices, and the renowned S&P 500 index. Additionally, our S&P Global Sustainable1 brings sustainability benchmarking, analytics, and evaluations together, to help customers achieve their sustainability goals.
See the latest research & insights at www.spglobal.com