We are seeking a talented Offensive Security Analyst to join our team of ethical hackers. In this mid-level role, you will be an integral part of our red teaming and penetration testing efforts, using your technical expertise to find and exploit vulnerabilities across web applications, networks, cloud platforms, and critical systems. By thinking like an attacker, you will help us identify weaknesses before real adversaries do, and work with cross-functional partners to fix them. This is a hands-on role focused on traditional offensive security methods – you’ll use well-known and custom tools to emulate sophisticated threat actors, improve our security posture, and reduce risk.
Key Responsibilities:
Red Team Operations & Adversary Simulation: Participate in full-scope red team engagements, contributing across the kill-chain (reconnaissance, exploitation, lateral movement, data exfiltration, etc.). Occasionally lead targeted adversary simulations at moderate scope (e.g., a spear-phishing campaign or an endpoint compromise scenario, using phishing or malware implants). Emulate real threat actor TTPs aligned with frameworks like MITRE ATT&CK to test our detection and response capabilities.
Collaborative Remediation & Purple Team Support: Work closely with defensive teams – such as developers, system engineers, and security operations – to ensure discovered issues are understood and remediated effectively. Provide actionable technical guidance to fix vulnerabilities (e.g., code remediation suggestions for development teams). Support purple team exercises by sharing attacker perspective knowledge and helping defensive teams validate alerts and improve detection rules.
Reporting & Communication: Document each engagement thoroughly, producing clear and detailed penetration test reports that explain findings, their severity, and recommended mitigations. Communicate technical details to both technical and non-technical audiences; for instance, explaining a complex exploit in layman’s terms to business stakeholders or summarizing red team outcomes in executive readouts.
Continuous Learning & Tooling: Continuously research emerging vulnerabilities, new exploit techniques, and security trends in the offensive domain. Keep offensive toolkit sharp – use and refine tools like Burp Suite, OWASP ZAP, Metasploit, Kali Linux, etc., and create custom scripts (in Python, PowerShell, Bash, etc.) to automate routine tasks or develop new exploits. Share knowledge with peers, help mentor junior analysts, and contribute to the team’s playbooks and knowledge base.
Technical Offensive Security Experience: 5+ years of hands-on penetration testing and/or red teaming experience. Proven track record of identifying and exploiting vulnerabilities across web applications (deep knowledge of OWASP Top 10), networks, and cloud services. Familiarity with shell scripting and programming (Python, PowerShell, Bash) for exploit development and automation. Strong understanding of network protocols, operating systems, identity management, and security architecture.
Adversary Mindset & Frameworks: Demonstrated ability to think like an attacker to anticipate and craft creative exploitation scenarios. Familiarity with frameworks and methodologies like MITRE ATT&CK, PTES (Penetration Testing Execution Standard), and relevant compliance standards (NIST, ISO), ensuring tests are realistic and comprehensive.
Communication & Teamwork: Strong written and verbal communication skills to produce high-quality reports and articulate risk to stakeholders. Experience collaborating with defensive teams (security operations, appsec, IT engineering) to help them understand issues and prioritize fixes. A team-oriented approach: open to knowledge sharing, learning from others, and contributing positively to the team’s success.
Preferred Qualifications:
Offensive security certifications such as OSCP, OSWE, OSWA, GPEN, GWAPT, or similar, demonstrating validated skills in penetration testing.
Experience performing threat modeling and incorporating attacker perspective into security design reviews.
Familiarity with cloud platforms (AWS, Azure, GCP) and their specific security considerations.
Knowledge of secure software development practices and experience working with DevSecOps or CI/CD pipeline security.
Red team operations exposure or small-scale adversary simulations (beyond standard pentesting), showing the ability to plan multi-phase attacks and operate stealthily.
Active participation in the security community (e.g., CTFs, bug bounties, open-source contributions) demonstrating passion for offensive security.
Special Factors
Sponsorship
Vanguard is not offering visa sponsorship for this position.About Vanguard
At Vanguard, we don't just have a mission—we're on a mission.
To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients' lives. To learn and develop our skills as individuals and as a team. From Malvern to Melbourne, our mission drives us forward and inspires us to be our best.
How We Work
Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection. We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.
Based on 1,696 disclosed Security salaries on RoleSuite, the role pays a median of $142K/year, with most offers between $112K and $183K (10th–90th percentile: $91K–$216K).
See the full Security salary breakdown →