Job Description
Reporting to the Head of Security Operations and Intelligence and based in our offices in Melbourne CBD, the Penetration Tester will perform security testing across applications, infrastructure and cloud services to identify vulnerabilities and validate exploitability under approved scope and rules of engagement.
The tester will ensure all activities are conducted within agreed boundaries and timeframes, delivering testing outcomes and reports by set deadlines. The role translates technical findings into clear risk statements and remediation guidance in the form of a report.
This is a hands-on technical role.
Key Accountabilities and main responsibilities
Strategic Focus
- Act as a senior advisor to the business, providing expert guidance on modern cyber threats, secure practices, and risk mitigation strategies.
- Partner with engineering and technology teams to prioritise remediation activities aligned to business risk and security outcomes.
- Promote MUFG RS’s culture of security awareness, collaboration, and continuous improvement across technology and business teams.
- Contribute to strengthening the organisation’s overall security posture through insight-driven testing outcomes and informed recommendations.
Operational Management
- Plan and execute authorised penetration tests in line with agreed scope and rules of engagement.
- Conduct security testing of web applications and APIs to identify common and emerging vulnerabilities.
- Ensure penetration testing activities are safe, controlled, and non-disruptive to production services.
- Deliver clear, actionable penetration testing reports, including evidence, severity ratings, business impact, and remediation guidance.
- Validate remediation actions and perform re-testing to confirm vulnerabilities have been effectively addressed.
- Work closely with engineering teams to efficiently close findings and reduce exposure.
People Leadership
- Effectively communicate with senior leaders to provide business-critical updates, risk insights, and escalation points.
- Proactively coach and support team members, fostering learning and development, clear ownership, and effective escalation pathways.
- Work collaboratively with Security Operations, Threat Intelligence, Infrastructure, IT, and wider business teams to support coordinated investigation and remediation activities.
- Lead by example in reinforcing accountability, collaboration, and professional security practices within the team.
Governance and Risk
- Ensure all penetration testing and related activities align with ISO 27001:2022, the NIST Cybersecurity Framework, and internal security policies and standards.
- Comply with applicable Australian, UK, and European legislation, regulatory requirements, and contractual security obligations.
- Maintain accurate documentation, procedures, and compliance artefacts to support audits, regulatory reviews, and risk assessments.
- Identify gaps in security controls or processes and deliver recommendations to strengthen governance and risk management maturity.
The above list of key accountabilities is not exhaustive and may change from time to time based on Cbus and business needs.
Experience & Personal Attributes
- Tertiary or industry qualifications (OSCP, BSCP, OSWE)
- 5+ years penetration testing experience
- Black/Grey/White box
- Strong understanding of OWASP Top 10
- Open source tooling
- Chaining vulnerabilities
- MITRE ATT&CK mapping
- Living off the land
- Strong communication skills with the ability to translate technical information into business language.
- Experience producing structured penetration test reports that demonstrate the attack path with supporting evidence, business impact and detailed remediation advice.
- Proven ability to identify and validate vulnerabilities beyond automated scanning results, assess vulnerability impact in a business context, and prioritise findings based on risk rather than technical severity.
- Pragmatic and outcome focused, understanding the difference between theoretical risk and real-world exposure.
- Comfortable operating as a stand-alone specialist, demonstrating autonomy, accountability, and sound prioritisation.
- Collaborative mindset, able to influence engineers and stakeholders without relying on positional authority.
- Strong ethical foundation and adherence to responsible disclosure practices.
- Curiosity and continuous learning orientation, staying current with modern attack techniques and defensive controls.
MUFG Pension & Market Services is a global, digitally enabled business that empowers a brighter future by connecting millions of people with their assets – safely, securely and responsibly.
Through our two businesses MUFG Retirement Solutions and MUFG Corporate Markets, we partner with a diversified portfolio of global clients to provide robust, efficient and scalable services, purpose-built solutions and modern technology platforms that deliver world class outcomes and experiences.
A member of MUFG, a global financial group, we help manage regulatory complexity, improve data management and connect people with their assets, through exceptional user experience that leverages the expertise of our people combined with scalable technology, digital connectivity and data insights.