Sysco

Lead Analyst - Penetration Tester

Sysco  •  Democratic Socialist Republic of Sri Lanka (Hybrid)  •  5 months ago

Job Description


The Big Picture

Sysco LABS is the Global In-House Center of Sysco Corporation (NYSE: SYY), the world’s largest foodservice company. Sysco ranks 56th in the Fortune 500 list and is the global leader in the trillion-dollar foodservice industry. 

Sysco employs over 75,000 associates, has 337 smart distribution facilities worldwide and over 14,000 IoT-enabled trucks serving 730,000 customer locations. For fiscal year 2025 that ended June 29, 2025, the company generated sales of more than $81.4 billion. Sysco LABS Sri Lanka delivers the technology that powers Sysco’s end-to-end operations.

Sysco LABS’ enterprise technology is present in the end-to-end foodservice journey, enabling the sourcing of food products, merchandising, storage and warehouse operations, order placement and pricing algorithms, the delivery of food and supplies to Sysco’s global network and the in-restaurant dining experience of the end-customer. 

The Opportunity

The Lead Analyst - Penetration Tester is a key role within Sysco’s Corporate Cybersecurity organization, responsible for leading offensive security testing across web applications, APIs, cloud platforms (Azure, AWS, GCP), and internal enterprise environments.

This is a senior individual contributor role suited for an experienced penetration tester who enjoys deep manual testing, uncovering complex attack paths, and partnering closely with Application Security, Cloud Security, Vulnerability Management, and Threat Hunting teams. The role includes planned evening or weekend testing for production environments, balanced with compensatory time off to maintain a sustainable work schedule.

Responsibilities

  • Leading penetration testing of web and API applications, including JavaScript-heavy applications, WordPress, and Apache-backed services, using Veracode, Burp Suite, and advanced manual testing techniques

  • Conducting penetration testing and security assessments of cloud platforms (Azure, AWS, GCP) and internal infrastructure, including Active Directory, Azure AD, and identity systems

  • Assessing modern technologies such as AI/ML and LLM-backed components to identify misuse, data exposure, and abuse scenarios

  • Producing clear, structured penetration testing reports, communicating risk and remediation priorities, and supporting secure SDLC activities including design and code reviews

  • Manually retesting vulnerabilities to validate remediation and collaborating with threat hunters and detection engineers to validate detections based on real-world attack paths

  • Planning and scoping penetration testing engagements, including effort estimation and coordination of off-hours testing windows in alignment with change and maintenance schedules

  • Maintaining and improving penetration testing standards, tools, checklists, and playbooks across application, cloud, identity, and AI testing domains

  • Providing technical mentoring and guidance to junior and mid-level penetration testers

Requirements

  • A Bachelor’s Degree in Cybersecurity, Computer Science, or a related field

  • 5+ years of hands-on penetration testing or offensive security experience, including leading complex engagements

  • Strong expertise in web and API penetration testing, including authentication/authorization flaws, business logic issues, IDOR, SSRF, and injection vulnerabilities

  • Experience performing cloud security assessments across Azure, AWS, and GCP, identifying misconfigurations and privilege escalation paths

  • Hands-on experience assessing Active Directory and Azure AD environments using tools such as BloodHound

  • Must possess the ability to develop scripts, proof-of-concept exploits, and small tools using languages such as Python, PowerShell, or Bash

  • Strong written and verbal communication skills, with the ability to clearly present findings to technical and non-technical stakeholders

Preferred Qualifications

  • A Master’s Degree in Cybersecurity, Computer Science, or a related field

  • 7+ years of offensive security or penetration testing experience

  • Certifications such as OSCP, GPEN, GXPN, CEH, eCPPT, eWAPT, CPENT or equivalent

  • Familiarity with secure SDLC practices and contributing to security standards and playbooks

  • Experience testing AI/ML-enabled systems and identifying AI-specific abuse cases

Work Mode & Environment

  • Work Mode: Hybrid

  • Planned participation in evening or weekend testing windows, with compensatory weekdays off

  • Minimal travel required

  • Office-type remote work environment as part of a globally distributed security team

Benefits:  

  • US dollar-linked compensation  

  • Performance-based annual bonus  

  • Performance rewards and recognition  

  • Agile Benefits - special allowances for Health, Wellness & Academic purposes  

  • Paid birthday leave  

  • Team engagement allowance  

  • Comprehensive Health & Life Insurance Cover - extendable to parents and in-laws  

  • Overseas travel opportunities and exposure to client environments  

  • Hybrid work arrangement  

Sysco LABS is an Equal Opportunity Employer. 


About Sysco

Sysco is the global leader in selling, marketing and distributing food products to restaurants, healthcare and educational facilities, lodging establishments and other customers who prepare meals away from home. Its family of products also includes equipment and supplies for the foodservice and hospitality industries. With more than 74,000 colleagues, the company operates 334 distribution facilities worldwide and serves approximately 725,000 customer locations. For fiscal year 2023 that ended July 1, 2023, the company generated sales of more than $76 billion. Information about our Sustainability program, including Sysco’s 2022 Sustainability Report and 2022 Diversity, Equity & Inclusion Report, can be found at www.sysco.com.

Industry: Food & Beverage
Company Size: 10,000+ employees
Headquarters: Houston, TX
Year Founded: Unknown
Website: sysco.com