Penetration testers vetted on real engagements, not certification trivia.
Web app, network, cloud, red team, and mobile pentesters placed on U.S. teams. Contract, direct hire, and project-based across 30+ metros.

Penetration tester staffing places vetted offensive security specialists (web app, network, cloud, mobile, and red team) on your team for contract or permanent engagements. KORE1 closes most pen test searches in 17 to 30 days, with a 92% twelve-month retention rate.
Anyone can spell OSCP. Far fewer can actually vet an offensive security hire.
The job ad asks for OSCP, three certs, and a 1337 H4X0R t-shirt. The real role is Burp Suite, BloodHound, custom payloads, and a Slack channel that lights up when something interesting falls out of a scan. Different work. Same title in a hundred resumes.
Generalist staffing firms screen for keywords. We screen for findings. That’s why we still place pentesters after a four-month search at a big generalist firm has stalled out: two candidates ghosted, one offer declined, and a hiring manager quietly drafting a “we’ll revisit in Q3” memo. Familiar pattern by now.
The market is tighter than it looks on paper. ISC2’s 2025 Workforce Study puts the global cybersecurity gap at 4.8 million unfilled roles, and the U.S. Bureau of Labor Statistics projects 33% growth for information security analysts through 2033. Offensive security is the thinnest slice of that pool. We work this market through our cybersecurity staffing practice and our broader IT staffing services bench.

“Pen tester” is six different jobs. Treating them as one is how the search stalls.
Web application pentesters live in Burp Suite, ZAP, and a deep familiarity with the OWASP Web Security Testing Guide. Their day is auth bypass, SSRF, IDOR, and the slow craft of chaining low-severity bugs into something worth a paragraph in the report.
Network and infrastructure pentesters carry Nmap, Responder, Impacket, and BloodHound. Active Directory is the home turf. Cloud pentesters work AWS, Azure, and GCP attack paths: IAM enumeration, instance metadata service (IMDS) abuse wherever IMDSv2 isn’t enforced, cross-account role hopping. The tooling overlaps. The mental model does not.
Red team operators run multi-week engagements against MITRE ATT&CK objectives. Mobile pentesters reverse Android binaries and chase keychain entries on iOS. Hardware and IoT pentesters live with logic analyzers and firmware dumps. Each track has its own screen. A solid web app pentester can flame out in cloud. A senior network operator with ten years on AD isn’t ready to talk through a Frida hook on day one. Specialty wins. Roles that straddle offensive and defensive work sit with our security engineer staffing and DevSecOps desks.
Live boxes. Real reports. The methodology test, not the multiple choice.
Most recruiters score resumes against a keyword list and call it done. That’s how a paper-perfect OSCP candidate ends up a week into a web app engagement before someone realizes they’ve never written a Burp extension and can’t explain why their SQLi payload broke when the WAF normalized whitespace. Resume looked fine. The work didn’t.
Web app candidates get a 60-minute vulnerable target. Find three bugs, write up two of them with reproduction steps, recommend a fix. Most senior-titled candidates write one bug well and pad the rest. Network candidates get an internal AD walkthrough. Enumerate, find the misconfigured ACL, explain Kerberoasting like the client’s CTO is in the room.
Cloud candidates walk through a real AWS attack path: public S3 bucket to assumed IAM role to data exfiltration. Red team candidates talk us through a past engagement methodology, including the parts that failed. We follow NIST SP 800-115 framing so the conversation tracks the same vocabulary your security team uses. We rejected a candidate last month with a perfect resume on the AD exercise alone. Resume said senior. Methodology said junior. That’s the bar.
Project pentest, contract pentester, or permanent hire? Most clients ask the wrong question first.
The right question isn’t engagement model. It’s whether the work is one-and-done or ongoing.
Project-based pentest fits when:
- A specific scope needs an external report. SOC 2, PCI DSS, customer-required attestation.
- You need a clean third-party signature on the methodology and findings.
- Cadence is annual or semi-annual, not continuous.
Contract pentester wins when:
- You’re building a pentest function and need senior hands for 6 to 12 months.
- The team needs continuous testing of pre-prod releases, not a snapshot.
- A platform migration creates a 4-month risk window that needs a dedicated owner.
Direct hire makes sense when:
- Offensive security is a permanent capability inside the security org.
- You want institutional knowledge of your stack to compound year over year.
- Red team work needs to coordinate with detection engineering on a continuous loop.
About 75% of our pen test contract-to-hire engagements convert to permanent inside the first six months. That holds because we screen for permanent fit on day one rather than treating contract as a separate motion that gets re-screened later. The engineer either fits or doesn’t. You see it in the first report. For engagements that need scoping help on either side, the contract staffing and project staffing teams sit next to ours.
Offensive security roles we staff
Every candidate is screened on a live target in their specialty before the client interview. Pick the track that matches the engagement.
Web App & API Pentesters
Burp Suite, ZAP, OWASP WSTG fluency. Auth, SSRF, IDOR, business-logic flaws across REST, GraphQL, and gRPC.
Network & Infrastructure
Nmap, Responder, Impacket, BloodHound. Active Directory abuse, lateral movement, and on-prem privilege escalation.
Cloud Pentesters
AWS, Azure, GCP attack paths. IAM enumeration, instance metadata service (IMDS) abuse where IMDSv2 isn’t enforced, cross-account role hopping, Pacu and ScoutSuite workflows.
Red Team & Adversary Sim
Multi-week MITRE ATT&CK engagements. Cobalt Strike, Sliver, custom tradecraft. Detection-loop coordination with the blue team.
Findings only matter if the defender side closes them.
The pentesters we place are wired to debrief. Engagement closes, report drops, then the engineer sits with the detection team and walks through which steps got logged, which got blocked, and which sailed through unnoticed. That’s the loop that turns a one-time report into a permanent control improvement.

Common Questions
What’s the difference between a penetration tester and a security engineer?
A penetration tester finds the holes. A security engineer prevents and detects them. Same domain, opposite role, mostly different skill sets day to day.
Pentesters live in offensive tooling (Burp, BloodHound, Cobalt Strike, custom scripts) and think in attack chains. Security engineers live in IAM policy, detection-as-code, and IaC review, and think in controls. Some seniors cross over. Most don’t. When the job calls for both, we usually staff it as two seats rather than one unicorn. Hiring for both inside one role is how searches stall at month four. Specialty wins.
OSCP, OSEP, CRTO, GPEN. Which certifications actually mean something?
OSCP is the practical baseline most U.S. clients accept for a mid-level pentester. OSEP and CRTO carry weight on red team desks. GPEN, GXPN, and GWAPT are recognized but track second.
The certs are filters, not verdicts. An OSCP-only candidate with two years of bug bounty receipts and a public GitHub of CTF write-ups will routinely outperform a five-cert candidate who hasn’t run a real engagement since their last exam. Hands first. We still screen for both because regulated clients (PCI, FedRAMP, defense) genuinely care about the paper. Sort by the work.
Should we hire a pentester or buy a pentest?
Buy the pentest when you need a clean external report once or twice a year. Staff a pentester when the work is continuous, in-house methodology matters, or compliance requires named program ownership.
Project-based pentests from specialist firms like Bishop Fox and NCC Group make sense for annual SOC 2 attestations and customer-required reports. Staffing makes sense once you have ten releases a quarter, a bug bounty triage backlog, and a CISO who wants offensive expertise inside the org rather than rented. Some clients run both. We’re frequently in the middle of that conversation.
How long does it take KORE1 to fill a pen test role?
17 days on average for IT roles overall. Pen testing tracks closer to 21 to 30 days because the candidate pool is thinner and specialty matching is stricter.
Mid-level web app and network roles have closed in 12 to 14 business days when scope was locked and comp was competitive. Red team and senior cloud pentesters usually need three to five weeks. Most of the calendar drag comes from internal scope drift, undefined methodology expectations, and five-round interview loops. Speed isn’t the bottleneck. Process is.
Web app, network, cloud, red team. What do these specialties mean?
Web app pentesters attack APIs and applications. Network pentesters attack infrastructure and Active Directory. Cloud pentesters attack AWS, Azure, and GCP. Red teamers chain everything across multi-week engagements.
Mobile and hardware sit in their own pools. iOS and Android reversers carry Frida, Objection, and IDA fluency. Hardware and IoT specialists carry logic analyzers, firmware extraction skills, and a tolerance for soldering at 11pm. We treat each as a separate desk because the candidate market does. Generalists exist. They’re rare and they cost.
Can a staffing firm really vet offensive security skills?
Most can’t. Our pen test recruiters came out of cybersecurity directly or have spent eight-plus years exclusively on these roles, and we run live target screens before the client interview.
Burp Suite walkthroughs, AD enumeration, AWS attack-path exercises, Sigma or KQL detection write-ups from the defender’s seat. We pair candidates with internal SMEs for technical evaluation when the engagement is highly specialized. Our pen test placements stick at the same 92% twelve-month retention rate as the rest of the firm. For executive-tier searches, our CISO staffing practice runs a separate retained-search motion built for that seat.
Tell us the scope. We’ll tell you who can actually run it.
Thirty-minute intake. Real candidates with vetted methodology on your desk inside three weeks. No forwarded resume walls.
Talk to a Pen Test Recruiter →