Web Application Penetration Tester – Technical Lead
Company: Freddie Mac
Location: Washington
Posted on: December 2, 2025
|
|
|
Job Description:
At Freddie Mac, our mission of Making Home Possible is what
motivates us, and it’s at the core of everything we do. Since our
charter in 1970, we have made home possible for more than 90
million families across the country. Join an organization where
your work contributes to a greater purpose. Position Overview: The
Freddie Mac Red Team is responsible to test the overall strength of
our organization’s defenses (the technology, the processes, and the
people) by simulating the objectives and actions of an attacker. We
are seeking an Information Security Tech Lead to assist the team by
providing subject matter expertise in Penetration testing of
Infrastructure and Networks, Web Applications, Cloud and Social
engineering, and Purple Team. In this role, the candidate will
provide enhanced vulnerability analysis and contextual feedback to
stakeholders to support the resolution of discovered
vulnerabilities and facilitate risk awareness. Responsibilities
include: Penetration Testing and Red Team assessments Lead and
perform web application penetration assessments, collaborating with
stakeholders to scope engagements, translate complex security
concepts, and provide tailored remediations Proactively search for
vulnerabilities in web applications, web APIs, cloud environments,
etc. throughout Freddie Mac Work together with other Red Team
members to integrate web application security into broader threat
emulation scenarios Develop and maintain scripts, tools, and
methodologies to enhance processes and capabilities Provide
mentorship and technical guidance to less experienced team members
Contribute to the development and improvement of security policies,
standards, and guidelines Develop Team Capabilities and Leadership
Generate innovative ideas and challenge the status quo Develop
scripts, tools, or methodologies to enhance the Red teaming
processes and capabilities Participate in and actively support
mentoring with other members of the team Assist with scoping
prospective engagements, leading engagements from kickoff through
remediation, and mentoring less experienced staff Our Impact: The
Freddie Mac internal Red Team is responsible to continuously test
the overall strength of our organization’s defenses (across all
people, process, & technology) by simulating the objectives and
actions of an attacker. Your Impact: In this role, the candidate
will contribute to a collaborative team as subject matter expertise
in Web Application penetration testing on Freddie Mac’s internal
Red Team. Additionally, the candidate will provide enhanced
vulnerability analysis and contextual feedback to stakeholders to
support the resolution of discovered vulnerabilities and facilitate
risk awareness. Qualifications 8-10 years of relevant experience in
web application penetration testing One or more technical
certifications: OSWA, OSWE, Burp Suite Certified Practitioner,
eWPT, eWPTX Ability to critically examine web applications to
identify, exploit, and remediate vulnerabilities (SQL injection,
XSS, SSRF, CSRF) Solid understanding of related web technologies
(HTTP, DNS, HTML, JavaScript, REST, GraphQL, Java, .NET, SQL/noSQL,
OAuth) and infrastructure (cloud native, containers, proxies,
webservers, PaaS) In-depth knowledge of secure development
practices (DevSecOps, secure code review) and security frameworks
(OWASP, CWE, MITRE) Proficient with common web application
penetration testing tools (Burp Suite, Project Discovery, sqlmap)
Familiarity with WAF bypasses Must be willing to work east coast
hours Key to success in this role Web-related public research
(advisories, disclosures) Previous Bug Bounty or vulnerability
disclosure experience Proficiency in at least one scripting or
programming language (Python, JavaScript, C#, Java) Current Freddie
Mac employees please apply through the internal career site. We
consider all applicants for all positions without regard to gender,
race, color, religion, national origin, age, marital status,
veteran status, sexual orientation, gender identity/expression,
physical and mental disability, pregnancy, ethnicity, genetic
information or any other protected categories under applicable
federal, state or local laws. We will ensure that individuals are
provided reasonable accommodation to participate in the job
application or interview process, to perform essential job
functions, and to receive other benefits and privileges of
employment. Please contact us to request accommodation. A safe and
secure environment is critical to Freddie Mac’s business. This
includes employee commitment to our acceptable use policy, applying
a vigilance-first approach to work, supporting regulatory mandates,
and using best practices to protect Freddie Mac from potential
threats and risk. Employees exercise this responsibility by
executing against policies and procedures and adhering to privacy &
security obligations as required via training programs. CA
Applicants: Qualified applications with arrest or conviction
records will be considered for employment in accordance with the
Los Angeles County Fair Chance Ordinance for Employers and the
California Fair Chance Act. Notice to External Search Firms:
Freddie Mac partners with BountyJobs for contingency search
business through outside firms. Resumes received outside the
BountyJobs system will be considered unsolicited and Freddie Mac
will not be obligated to pay a placement fee. If interested in
learning more, please visit www.BountyJobs.com and register with
our referral code: MAC. Time-type:Full time FLSA Status:Exempt
Freddie Mac offers a comprehensive total rewards package to include
competitive compensation and market-leading benefit programs.
Information on these benefit programs is available on our Careers
site. This position has an annualized market-based salary range of
$150,000 - $224,000 and is eligible to participate in the annual
incentive program. The final salary offered will generally fall
within this range and is dependent on various factors including but
not limited to the responsibilities of the position, experience,
skill set, internal pay equity and other relevant qualifications of
the applicant
Keywords: Freddie Mac, Washington DC , Web Application Penetration Tester – Technical Lead, IT / Software / Systems , Washington, DC
