Offensive Security Analyst
About the role
Join a global team of almost 950 people who collaborate to support the business of EY by protecting EY and client information assets. Our Information Security professionals enable EY to work securely and deliver secure products and services, as well as detect and quickly respond to security events as they happen. Together, the efforts of our dedicated team helps protect the EY brand and build client trust.
Responsibilities
- Evaluate and reduce EY’s digital exposure through hands-on penetration testing and adversarial simulation
- Identify, assess, and help mitigate vulnerabilities across EY’s global attack surface
- Support the validation of third-party risk assessments
- Contribute to strengthening Continuous Threat Exposure Management and Attack Surface Management efforts
Requirements
- A minimum of 4 years of experience in penetration testing, red teaming, purple teaming or offensive security
- Hands-on experience testing applications, APIs, cloud environments, and network infrastructure
- Strong understanding of common vulnerability classes such as OWASP Top 10 and exploitation techniques
- Familiarity with offensive security methodologies and frameworks
- Experience supporting or performing third-party risk assessments
- Strong analytical and problem-solving skills with the ability to prioritize risks effectively
- Effective communication skills to convey technical findings to both technical and non-technical audiences
Qualifications
- Familiarity with research techniques and threat intelligence to support proactive risk identification
- Certifications such as OSCP, GPEN, GWAPT, or equivalent offensive security credentials (ideally)
Benefits
To qualify for the role you must have a minimum of 4 years of experience in penetration testing, red teaming, purple teaming or offensive security. The role involves emulating adversary tactics to test detection and response capabilities, as well as conducting reconnaissance and asset discovery to uncover unmanaged or exposed assets. The candidate will support third-party and supply chain risk validation efforts by reviewing assessments or conducting targeted testing where required. Collaborating closely with security engineering, blue teams, and business stakeholders, the analyst will help prioritize remediation efforts based on risk severity and exploitability. Additionally, the role will contribute to enhancing processes, playbooks, and reporting standards within the Vulnerability Discovery and offensive security functions.
Pay
The compensation ranges below are provided in order to comply with United States pay transparency laws. Other geographies will follow their local salary guidelines, which may not be a direct conversion of published US salary ranges. At EY, we’ll develop you with future-focused skills and equip you with world-class experiences. We’ll empower you in a flexible environment, and fuel you and your extraordinary talents in a diverse and inclusive culture of globally connected teams. Learn more.
Schedule
We offer a comprehensive compensation and benefits package where you’ll be rewarded based on your performance and recognized for the value you bring to the business. The base salary range for this job in all geographic locations in the US is $76,400 to $138,600. The base salary range for New York City Metro Area, Washington State and California (excluding Sacramento) is $91,700 to $157,500. Individual salaries within those ranges are determined through a wide variety of factors including but not limited to education, experience, knowledge, skills and geography. In addition, our Total Rewards package includes medical and dental coverage, pension and 401(k) plans, and a wide range of paid time off options.