Lead Penetration Tester – Web Application Security (1099 Independent Contractor, Belgium-Based)

Lead Penetration Tester – Web Application Security (1099 Independent Contractor, Belgium-Based)

Overseas Engagement Support Provided

The company will provide or reimburse overseas logistical support associated with work in Belgium, in accordance with the independent contractor agreement.

Engagement Type: Independent Contractor (1099)
Location: Mons, Belgium (On-site during scheduled assessment periods)
Citizenship Requirement: U.S. Citizen (Required)
Security Clearance: Active U.S. SECRET or TS/SCI required (NATO SECRET eligible)

Engagement Overview

We are seeking a Lead Penetration Tester (Independent Contractor) to provide senior-level web application and API penetration testing services in support of a NATO/defense customer in Mons, Belgium. This engagement requires hands-on technical leadership during defined assessment windows in restricted environments.

The contractor will operate as a subject-matter expert, delivering penetration testing services, exploit validation, and reporting in accordance with agreed scope, Rules of Engagement (ROE), and contract terms.

This is a Belgium-based engagement during active testing periods and is suitable for an experienced, cleared penetration tester with international or expeditionary experience.

Scope of Services

The contractor will provide the following services:

• Lead grey-box web application and API penetration testing activities
• Perform manual exploit validation aligned with OWASP ASVS (no scanner-only findings)
• Identify, validate, and document vulnerabilities with clear evidence and impact narratives
• Provide written penetration testing reports and remediation guidance
• Support retesting and closure validation activities
• Coordinate with government stakeholders during scheduled assessment windows
• Enforce compliance with defined Rules of Engagement (ROE)
• Provide technical leadership and guidance to supporting testers, as applicable

Required Qualifications

• U.S. citizenship (required)
• Active U.S. SECRET or TS/SCI clearance (must be NATO SECRET eligible)
• Ability to work on-site in Mons, Belgium during recurring, scheduled assessment periods
• 8+ years of cybersecurity experience, including senior-level penetration testing
• Demonstrated experience leading web application penetration tests
• Strong hands-on expertise in:
• Authentication & session management testing
• Authorization (IDOR, BOLA, privilege escalation)
• Business logic abuse
• API security (REST, GraphQL)
• Injection flaws (SQL/NoSQL, XSS, SSRF, SSTI)
• Deep familiarity with OWASP ASVS and modern web attack techniques
• Experience operating in government, defense, or restricted environments
• Ability to produce clear, decision-quality technical reports

Preferred Qualifications

• Prior NATO, DoD, or intelligence community experience
• Experience working in overseas or long-term travel engagements
• Background in threat-informed or adversary-emulation testing
• Relevant certifications such as OSCP, GWAPT, GXPN, CRTO (preferred, not required)

Compensation

• Contract compensation up to the equivalent of $150,000 USD annually, based on rate structure, engagement scope, and duration
• Compensation structure (daily rate, milestone-based, or engagement-based) will be defined in the independent contractor agreement

Performance-Based Compensation

• Additional performance-based fees or incentives may be available based on quality of delivery, timeliness, and overall contract performance, as defined in the engagement agreement

Overseas Engagement Support

The company will provide or reimburse overseas logistical support associated with this engagement, which may include:

• Housing and furnishings
• Utilities
• Transportation support
• Meals or per diem
• Travel expenses

All support is provided in accordance with the independent contractor agreement and is not an employee benefit.

Important Classification Notice

This role is an independent contractor (1099) engagement.
Employee benefits such as health insurance, retirement plans, paid time off, or employee bonuses are not provided.

Application Questions

• Are you a U.S. citizen? (yes/no)
• Do you currently hold an active U.S. SECRET or TS/SCI clearance? (yes/no)
• Are you able and willing to work on-site in Mons, Belgium during scheduled assessment periods? (yes/no)
• Have you personally led and executed hands-on web application penetration tests? (yes/no)
• Have you performed penetration testing in government or restricted environments with formal ROE? (yes/no)
• Which best describes your experience with OWASP ASVS? (used / familiar / limited)
• Briefly describe your penetration testing approach (manual validation, tool-assisted, automated, etc.)
• Have you previously worked in an overseas or long-term travel engagement? (yes/no)

Work Location

On-site in Belgium during scheduled assessment periods / On the road

Job Type: Full-time

Base Pay: From $150,000.00 per year

Application Question(s):

• Are you a U.S. citizen? (Respond with just: yes or no)
• This role requires extended on-site work in Mons, Belgium (multiple multi-week periods per year). Are you able and willing to work on-site in Belgium? (Respond with just: yes or no)
• Have you personally led and executed hands-on web application penetration tests (not management-only or scanner-only roles)? (Respond with just: yes or no)
• Have you performed penetration testing in government, defense, or restricted environments with formal Rules of Engagement (ROE)? (Respond with just: yes or no)
• Which best describes your experience with OWASP ASVS? (ie - used, familiar, limited/no experiance)
• Describes your testing approach. (ie - manually validate, rely on tools, or primarily use automated scanners, etc)
• Have you authored final penetration testing reports and briefed senior technical or leadership stakeholders on findings? (Respond with just: yes or no)
• Have you previously worked in an overseas or long-term travel role? (Respond with just: yes or no)

Experience:

• Lead or Principal Penetration Testing: 1 year (Required)

License/Certification:

• OSCP (Required)
• GWAPT (Preferred)
• GXPN (Preferred)
• CRTO / Red Team cert (Preferred)

Security clearance:

• Secret (Required)

Ability to Relocate:

• United States: Relocate before starting work (Required)

Work Location: On the road