Security Testing Analyst
Security Testing Analyst | London (Hybrid) | £30-35k
We are working with a well-established cyber security consultancy that is looking for a Security Testing Analyst to join their growing security testing team.
This is a hands-on role with a clear development path - ideal for someone with around one to two years of experience in vulnerability assessment or junior penetration testing who wants structured progression toward deeper VAPT capability in a real client environment.
The consultancy works with clients across regulated industries and PE-backed businesses, delivering penetration testing, VAPT, GRC advisory, and AI security services. You'll be joining a team that invests in its people: mentoring, funded certifications, and a performance-based progression model, not a time-served one.
About the Role:
The primary focus of the role is vulnerability assessment, external attack surface management, scan management, finding validation, and remediation follow-up. Alongside that, you'll be carrying out practical penetration testing activity - particularly across external infrastructure and Internet-facing services - with direct mentoring from senior testers as you build out your capability.
This isn't a role where you run a scan, export the report, and move on. You'll be expected to investigate findings properly, understand exploitability, reduce false positives, and produce technical summaries that hold up to scrutiny. The testing team operates to CREST methodology throughout.
Early on, the role will be office-weighted so you can get comfortable with the team. Hybrid working will then be available once you are settled in.
What You'll be Doing:
- Deliver VAPT, vulnerability assessment, and attack surface management services across a range of clients
- Conduct security testing of external infrastructure and Internet-facing services, including reconnaissance, enumeration, and vulnerability validation
- Configure, schedule, and monitor vulnerability scans, maintaining accurate asset inventories and scope records
- Triage and prioritise vulnerability findings, focusing on critical and high-severity issues
- Validate findings using approved methods, assessing exploitability and business impact
- Perform basic penetration testing activities under guidance, including reconnaissance and controlled validation
- Support external attack surface reviews, identifying exposed assets and prioritising remediation
- Produce clear summaries and documentation for internal teams, clients, and formal reports
- Assist senior penetration testers with research, evidence collection, and report writing
- Adhere to internal methodologies and industry frameworks, including NIST, OWASP, and CREST best practices
What They're Looking For:
- 1-2 years' experience in vulnerability assessment, security testing, or junior penetration testing
- Good understanding of networking, operating systems, and web technologies (TCP/IP, DNS, HTTP/S, Linux, Windows)
- Hands-on experience with vulnerability scanning tools such as Nessus, OpenVAS, AppCheck, or Qualys
- Familiarity with penetration testing tools including Kali Linux, Nmap, Burp Suite, Metasploit, Nikto, and Gobuster
- Understanding of CVEs, CVSS scoring, vulnerability prioritisation, and the OWASP Top 10
- Ability to perform reconnaissance, enumeration, service analysis, and controlled validation of findings
- Strong written communication skills with the ability to produce clear technical reports
- Able to work methodically within defined scope and rules of engagement
Certs like CPSA, PenTest+, eJPT or PNPT are a nice bonus, as is lab time on HTB or TryHackMe.
Why This Role?
Funded certs, direct mentoring from experienced testers, real client exposure from day one, and progression that's based on what you deliver - not how long you've been there.
Apply now for immediate consideration!
Oscar Associates (UK) Limited is acting as an Employment Agency in relation to this vacancy.
To understand more about what we do with your data please review our privacy policy in the privacy section of the Oscar website.
Reference: 3121705503
Posted on Jun 12, 2026 by Oscar Associates Ltd