Penetration Testing Analyst

About the role

Sun Life is looking for a Penetration Testing Analyst who can carry out practical security assessments across applications, infrastructure, and systems. The position sits mainly within penetration testing delivery, while also offering some exposure to red team work and adversary simulation when needed.

You will join a collaborative environment where colleagues share expertise and leaders support growth, learning, and high performance. The work is intended to help strengthen security and protect clients by uncovering weaknesses before they can be exploited.

Key responsibilities

• Test enterprise web applications, APIs, mobile apps, and infrastructure for security weaknesses.
• Use manual techniques and standard tools to find, exploit, and confirm vulnerabilities.
• Carry out testing using recognised approaches and frameworks, including OWASP-aligned methods.
• Write well-structured assessment reports that explain the issue, its root cause, the business risk, and recommended fixes.
• Research emerging vulnerabilities, exploit techniques, and attacker methods to broaden test coverage.
• Re-test findings to verify that remediation has been completed successfully.
• Support red team or adversary simulation activities when required.
• Help with recon and attack surface mapping, including identifying possible attack routes.
• Document attack paths and security gaps discovered during testing.
• Assist with controlled exploitation under supervision, including initial access techniques and limited post-exploitation validation such as privilege escalation concepts and lateral movement awareness.
• Work closely with senior colleagues to build understanding of real attacker behaviour and methods.

Skills and experience required

The ideal candidate should already have solid hands-on penetration testing ability, especially in web application, API, and basic network or infrastructure testing. A strong grasp of authentication, session management, access control, and input validation issues is important, as is familiarity with injection flaws.

Experience using tools such as Burp Suite, Nmap, sqlmap, or similar utilities is expected. The role also requires the ability to go beyond automated scanners and perform deeper manual analysis. Strong reporting skills are essential, particularly the ability to explain risk clearly and objectively.

Red team exposure

Foundational knowledge of adversary simulation is desirable. This includes awareness of recon techniques, common initial compromise methods, privilege escalation and lateral movement concepts, and how attack paths can traverse an enterprise environment. Interest in building offensive security skills over time is valued.

Qualifications

A bachelor's degree in Computer Science, Information Security, or a related discipline is required. Security certifications such as OSCP, OSWA, CISSP, or CompTIA are preferred but not mandatory.

Benefits

• 22 days of annual leave, rising to 25 days depending on length of service.
• Maternity, paternity, and parental leave.
• Annual fitness reimbursement of C$400/€275 for gym membership.
• Annual bonus opportunity based on company and individual performance.
• Private health insurance covered at 100% for employees, with 50% support for family members from the start date.
• Study assistance support, including master's programme assistance.
• Access to S&S Club, wellness resources, GP scheme, flu vaccines, eye care scheme, and discounted events and classes.
• Defined contribution pension scheme.
• Access to professional development and training platforms.

Additional information

This position falls under the IT - Technology Services category. The workplace is in Waterford, County Waterford, Ireland. The closing date for applications is 03/07/2026.