Cybersecurity Penetration Tester

Thales.com

Hybrid

Remote UK, United Kingdom

Full Time

Location: Remote UK, United Kingdom

Thales people architect identity management and data protection solutions at the heart of digital security. Businesses and governments rely on us to bring trust to the billions of digital interactions they have with people. Our technologies and services help banks exchange funds, people cross borders, energy become smarter and much more. More than 30,000 organizations already rely on us to verify the identities of people and things, grant access to digital services, analyze vast quantities of information and encrypt data to make the connected world more secure.

Together we offer fantastic opportunities for committed employees to learn and develop their career with us. At Thales UK, we research, develop, and supply technology and services that impact the lives of millions of people each day to make life better, and keep us safer. We innovate across the major industries of Aerospace, Defence, Security and Space. Your health and well-being matter to us and that’s why we offer you the flexibility to do what’s important to you; whether that’s part time hours, job sharing, home working, or the ability to flex your start and finish times. Where possible, we support a working pattern that suits your lifestyle and helps you reach your ambitions.

Cybersecurity Penetration Tester

Location: Remote (with UK-wide regular on‑site client visits; approximately 50% monthly travel for on‑site pen testing)

Join a team where red teaming meets real impact - safeguarding defence platforms that shape national security!

What the role has to offer

Safeguard UK Defence systems through advanced penetration testing and red teaming on critical military platforms

Tackle complex threat simulations and exploit development across IT, OT, cloud, and embedded environments

Use cutting‑edge tools with funded training and certifications (CHECK, CREST, OSCP, GIAC)

A developmental role where you’ll put your own stamp on future capability

Our Opportunity

We are seeking a security‑cleared Penetration Tester to join our dynamic Cyber Security team, working at the forefront of UK Defence and national security. In this role, you’ll take on advanced security testing, vulnerability assessments, and red team exercises across both classified and unclassified environments - directly strengthening the resilience of mission‑critical networks and applications.

This position offers the opportunity to apply your expertise in offensive security methodologies, secure system design, and the unique challenges of defence environments. While prior defence experience is highly valued, we also welcome applications from seasoned red team specialists and offensive security professionals from sectors such as utilities, nuclear, and automotive, who bring transferable skills and fresh perspectives to our mission.

Building a future we can all trust.

The Thales product portfolio wouldn’t exist without the core engineering specialities that are AI, Cyber and Human Factors. These future-focused skills play an essential role within the wider engineering organisation and provide great opportunities to work on cutting-edge technologies.

Cybersecurity and Digital Identity (CDI) - from secure software to biometrics and encryption, CDI GBU technologies and services enable businesses and governments to authenticate identities and protect data, so they stay safe and enable services in personal devices, connected objects, the cloud and in between. Cybersecurity Premium Services (CPS) supports its enterprise and government customers in the cybersecurity of their digital transformation. We contribute to the identification and control of cyber risks, ensure the implementation of best reduction practices, operate threat driven cyber incident detection and response services, and intervene with our clients when attacks materialise.

What we offer you

We offer a competitive salary and benefits package designed to support our employees’ wellbeing and professional growth, which includes:

  • Annual Bonus (Vcp)
  • Pension – match like-for-like up to 7% of annual base salary
  • Life Assurance – 2 x base salary minimum (8 x salary if part of the pension scheme)
  • Income Protection – 50% of salary less state benefits for 5 years
  • Annual Leave – 201 hours, bank holidays, plus 1 company day
  • Private Medical Insurance - Couples cover
  • Half day every Friday, usually finishing around 1:00pm
  • 24/7 Employee Assistance Programme
  • 24 hours paid leave for volunteering activities
  • Access to flexible benefits and discounts – dental insurance, buying & selling annual leave, cycle to work, and many more

Key Responsibilities and Tasks

  • Lead end‑to‑end penetration testing across networks, applications, cloud infrastructures, and embedded systems - delivering actionable insights that strengthen mission‑critical environments
  • Drive advanced vulnerability assessments and exploit development, executing post‑exploitation activities within authorised scopes to uncover hidden risks and resilience gaps
  • Orchestrate red and purple team engagements, simulating sophisticated threat scenarios against defence systems to rigorously test and enhance security posture
  • Produce high‑impact technical reports and executive briefings, translating complex findings into clear risk narratives, business impact assessments, and prioritised remediation strategies
  • Partner with defensive operations and risk management teams to sharpen detection, accelerate response, and embed proactive resilience across the enterprise
  • Stay ahead of adversaries by maintaining expert knowledge of tactics, techniques, and procedures (TTPs) employed by state and non‑state actors in the defence sector
  • Advance security testing methodologies and tooling, contributing to innovative threat modelling approaches tailored for complex, high‑assurance environments
  • Champion compliance and assurance by aligning practices with MOD, NCSC, and international standards (JSP 440, ISO 27001, NIST, CHECK, CREST), ensuring robust governance and trust

About You

At Thales, we are committed to equal opportunities and welcome all talented individuals to consider joining our team. So even if you don't match every statement below but feel you have some of the experience, knowledge or skills needed for this role, we encourage you to apply. It will take all of us working together to deliver solutions to the world’s most critical challenges.

Essential:

  • Degree in Computing, Cybersecurity, or a related field - or equivalent professional experience in lieu of formal tertiary studies
  • CHECK Team Leader accreditation currently held
  • Demonstrated track record as a Penetration Tester, Red Team Operator, or equivalent offensive security specialist
  • Proven ability to manage small technical teams, demonstrating strong people skills, mentorship, and collaborative leadership
  • Deep expertise in network protocols, application security, operating systems, and cloud platforms across both IT and OT environments
  • Hands-on proficiency with industry-standard tools including Burp Suite, Metasploit, Cobalt Strike, Nmap, Nessus, plus custom scripting in Python, PowerShell, and Bash
  • Proven experience conducting penetration tests across diverse systems: Windows, Linux, Android, iOS, Web Applications, and Cloud infrastructures
  • Familiarity with defence and government environments, including secure handling of classified information
  • Exceptional written and verbal communication skills, able to translate complex technical findings into clear, actionable insights
  • SC or DV clearance (mandatory for project delivery), with eligibility or current holding

Desirable:

  • Recognised certifications such as CREST (CPSA, CRT, CCT INF, CCT APP, CCRTS, CCRTM), CHECK Team Member/Leader, OSCP, OSCE3, CEH, or GIAC (GPEN, GWAPT, GRTP, GXPN)
  • Exposure to ICS/SCADA, RF systems, or military-grade communication networks
  • Strong grasp of Threat Intelligence, MITRE ATT&CK framework, and adversary emulation techniques
  • Previous involvement in projects supporting the MOD, defence primes, or critical national infrastructure (CNI)
  • Domain expertise across Defence, Nuclear, Government, Aerospace, CNI, and Transport sectors

Step into a role where your expertise makes a national impact - join us today!

UKEO (UK Eyes Only)


Due to the nature of the work that we do at Thales, many of our roles are subject to security restrictions. This role requires you to be a UK National and achieve Security Clearance (SC) without any caveats. It would be advantageous if currently held; however, if not currently held, it is a requirement that the successful applicant undergo, achieve, and maintain SC Clearance prior to commencing employment. If approved by the MOD, a dual national from a non-ITAR country may be considered.

Please visit the UKSV website for further guidance:

https://www.gov.uk/government/publications/united-kingdom-security-vetting-clearance-levels/national-security-vetting-clearance-levels.

To be eligible for full SC, you generally need to have resided in the UK for the last 5 years.  In some circumstances, a minimum of 3 years’ residence in the UK over the last 5 years may be accepted, with additional overseas checks.

In line with Thales' Baseline Security requirements, candidates will be asked to provide evidence of identity, eligibility to work in the UK and employment and/or education history for up to three years. Some vacancies may require full Security Clearance which can require further evidence to be provided. For further details of the evidence required to apply for Baseline and Security Clearance please refer to the Defence Business Services National Security Vetting (DBS NSV) Agency.

At Thales we provide CAREERS and not only jobs. With Thales employing 80,000 employees in 68 countries our mobility policy enables thousands of employees each year to develop their careers at home and abroad, in their existing areas of expertise or by branching out into new fields. Together we believe that embracing flexibility is a smarter way of working.

Thales UK is committed to providing an inclusive and barrier-free recruitment process. We will provide reasonable adjustments and support to ensure neuro-diverse applicants or those with a disability or long-term condition can be their best during the recruitment process. To request an adjustment, if you need this job advert in an alternative format or if you have any questions about the recruitment process, please contact Resourcing Ops for mid to senior roles, or the Early Careers Team for graduate and apprentice roles.

Great journeys start here, apply now!

November 17, 2025

thalesgroup