Cybersecurity Internal Penetration Tester

General Info

• Department: Information Security & BCM

• WorktimePercentage: 100%

• Location: Geneva (preferred), Zurich or Lugano

Our Company

EFG International is a global private banking group, offering private banking and asset management services. We serve clients in over 40 locations worldwide. EFG International offers a stimulating and dynamic work environment and strives to be an employer of choice.

EFG is committed to providing an equitable and inclusive working environment that is founded on the principle of mutual respect. Joining our team means experiencing a supportive environment, where your contributions are valued and recognised. We strongly believe that the diversity of our teams gives us a competitive advantage by fostering better decision-making and greater innovation.

Our Purpose and Mission

Empowering entrepreneurial minds to create value – today and for the future.

We are a private bank, offering personalised solutions on a global scale to private and institutional clients. Our sustainable success is based on our talents and on how we partner with our clients and communities to create lasting value.

Job Description

Context - The Information Security & BCM, under the lead of the Group Chief Information Security Officer (CISO) and part of the Chief Operating Officer (COO) organization, defines, leads, and coordinates information security efforts across EFG International and its entities globally. It outlines the information security strategy, identifies, and runs security initiatives and sets standards.

To support the ICT Risk Management Framework, in compliance with regulatory requirements (FINMA, DORA and relevant financial-sector regulations), we are looking for a Cybersecurity Intermal Penetration Tester.

The successful candidate will be responsible for performing ongoing, in-house offensive security assessments of the Bank’s infrastructure, applications and controls.

This role combines hands-on technical experience conducting penetration testing and simulating real-world attacks exercises on corporate environments, with close collaboration with Security, IT, development and risk teams to proactively identify, exploit and advise on the remediation of vulnerabilities in critical banking systems.

Key responsibilities include:

• Plan, scope and execute internal penetration tests on core banking platforms and business applications, with a strong focus on services supporting critical and important functions

• Design test scenarios aligned with realistic baking threat models (fraud, data exfiltration, privilege escalation, lateral movements to critical systems,…) and internal risk assessments

• Execute hands-on tests against internal networks, servers, endpoints, web applications, APIs, cloud workloads, AD and other core infrastructure systems

• Document findings in clear, risk-based reports with evidence and actionable remediation guidance for technical and non-technical audiences

• Work closely with infrastructure, development, DevOps and risk teams to support remediation plans and re-testing, ensuring critical findings are tracked to closure within the ICT risk and governance processes.

• Develop and maintain internal testing methodologies, playbooks and tools to support repeatable and efficient assessments

• Collaborate with SOC on purple-team style exercises to test and improve detection and response capabilities

• Stay current on emerging threats, vulnerabilities, TTPs, etc, and incorporate into internal testing

Skills and experience

• Background in cybersecurity, computer science, or related fields

• 3-5 years of hands-on penetration testing or red-team experience, with demonstrable work on internal network, web applications and API; banking or financial services experience is a strong plus

• Strong understanding of network protocols, operating systems (Windows, Linux), web and cloud technologies; familiarity with core banking architectures is a plus

• Proficiency with common offensive tools and techniques (. Burp Suite, Metasploit, Cobalt Strike-like frameworks, Kali-based tooling) and ability to perform manual testing beyond tools

• Solid knowledge of secure coding concepts and common application vulnerabilities (. OWASP Top 10) to assess web and API targets

• Professional certifications such as OCSP, GXPN, or similar offensive security credentials in good standing

• Strong communication skills and ability to explain complex technical findings to technical and non-technical audience

Our Values

• Accountability: Taking ownership for tasks and challenges, as well as seeking continuous improvement

• Hands-on: Being proactive to rapidly deliver high-quality results

• Passionate: Being committed and striving for excellence

• Solution-driven: Focusing on client outcomes and treating clients fairly with a risk-aware mindset

• Partnership-oriented: Promoting collaboration and teamwork. Working together with an entrepreneurial spirit.

Application

Please ensure to attach a cover letter to your CV when filling the application.