Penetration Test Engineer – Cybersecurity Operations

This is an environment unlike anything in the high-tech world and the secret of Costco’s success is its culture. The value Costco puts on its employees is well documented in articles from a variety of publishers including Bloomberg and Forbes. Our employees and our members come FIRST. Costco is well known for its generosity and community service and has won many awards for its philanthropy. The company joins with its employees to take an active role in volunteering by sponsoring many opportunities to help others. In 2018, Costco contributed over $39 million to organizations such as United Way and Children’s Miracle Network Hospitals.

Costco IT is responsible for the technical future of Costco Wholesale, the second largest retailer in the world with wholesale operations in twelve countries. Despite our size and explosive international expansion, we continue to provide a family, employee-centric atmosphere in which our employees thrive and succeed. As proof, Costco consistently ranks in the top five of Forbes “America’s Best Employers”.

The role of each Information Security team member is to support the overarching values and business goals of Costco Wholesale, including meeting legal, ethical and regulatory obligations; protecting member privacy; and maintaining a security technology environment for our operations.

Penetration testers provide consultative services, working with internal business team members to conduct service engagements for security testing. Penetration testers perform reviews of system architecture documentation; create the scope of work for an engagement; conduct security testing engagements on scoped assets, systems, processes, and/or employees; and mentor other team members with lesser subject matter expertise.

If you want to be a part of one of the BEST “to work for” companies in the world, simply apply and let your career be reimagined.


  • Works with Compliance, Internal Audit, and Business teams to identify, test and analyze risks.
  • Works with stakeholders to provide security engagements to test their systems and business requirements.
  • Assumes a leadership role in advocating internally and externally for compliance to security measures to protect cloud-based applications and environments.
  • Documents security findings from penetration testing engagements and reports the risks of those findings to the business owner and management.
  • Finds vulnerabilities in various spaces such as web applications, native applications, database systems, authentication flows, distributed systems and designs, and protocols. Pulls from a flexible knowledge base of topics such as OWASP, memory corruption, privilege escalation, networking, etc. to find both common and uncommon issues.
  • Researches and remains up to date with emerging threats and Threat Emulation methodologies.
  • Clearly communicates Information Security matters to executives, auditors, end users, and engineers, using appropriate language, examples, and tone.
  • Works collaboratively to solve problems with groups, find win/win solutions and celebrate successes.
  • Works with Incident Response team as necessary to consult on discovered security incidents by informing appropriate custodians, determining root cause, and actions (if necessary) required to re-establish respective information system security.
  • Leads comprehensive assessments of features and large-scale applications and environments. This includes mapping out the surface area and assessing prioritization based on time, resource, and general importance tradeoffs.
  • Navigates through an ecosystem of multiple domains, technologies, protocols, and stakeholders.
  • Creates new tools to support pen test efforts.
  • Provides subject matter expertise support in the detection, analysis, and mitigation of malware, trends in malware development and capabilities, and proficiency with malware analysis capabilities.
  • Participates in team activities and team planning with regard to improving team skills, awareness and quality of work.
  • Responsible for continued personal growth in the areas of technology, business knowledge, and Costco policies and platforms.


  • 5+ years’ required experience with assessing APT threats, Penetration Testing, Vulnerability Management, attack methodologies, forensics analysis techniques, malware analysis, attack surface comprehension, Cyber Threat Emulation operations, Cyber Advanced Threat Emulation Team operations and research, identification, and verification of new APT TTPs.
  • Proven operational experience in penetration testing or cyber threat emulation.
  • Experience and security knowledge around native applications, web applications, distributed and database systems.
  • Proficiency in programming and scripting languages (C/C++, Ruby, .NET, JavaScript, Python, SQL, PowerShell, others) with expertise in troubleshooting and debugging.
  • Exposure or experience with tools such as Kali Linux, Metasploit, Burp Suite, Cobalt Strike, Tenable Nessus, WebInspect, IDA Pro.
  • Ramps up and understands new designs, systems, and technology.
  • Understands security issues for large scale cloud services and network infrastructures.
  • Understands software development processes and hybrid-cloud based infrastructure.
  • Thorough experience testing within Windows, Linux and cloud environments.
  • Experience developing custom exploits and exploitation tools in support of authorized penetration tests or cyber threat emulation exercises.
  • Expertise in policies, industry trends, and techniques related to penetration testing.
  • Existing Subject Matter Expert of Advanced Persistent Threat or Emerging Threats.
  • Grasps both the technical and non-technical details so as to enumerate inappropriate or abusable security expectations.
  • Demonstrates a logical and structured approach to time management and task prioritization.
  • Strong proficiency in report writing.
  • Ability to handle highly confidential information in a strictly professional manner.
  • Willingness to work outside of regular business hours, as required.
  • Willingness to travel as required to conduct testing engagements.
  • High enthusiasm, integrity, ingenuity, results-orientation, self-motivation, and resourcefulness in a fast-paced environment.
  • Must be available most of the time to work outside of regular business hours.
  • Travel is required for pen test engagements when needed post-Covid.


  • A relevant degree.
  • One or more certifications for penetration testing: GCIA, GCED, GCFE, GCTI, GNFA, GCIH, CND, ECSA, OSCP, OSEE, OSCE, GCFA, GREM, CHFI, CEH, GPEN, GWAPT, GISF, GXPN.
  • Red Teaming, including leading a targeted operation (planning, scoping, approval, reconnaissance & discovery, execution of attacks, pivoting, persistence, and remediation).

Required Documents

  • Cover Letter
  • Resume

California applicants, please click here to review the Costco Applicant Privacy Notice.

Apart from any religious or disability considerations, open availability is needed to meet the needs of the business. If hired, you will be required to provide proof of authorization to work in the United States. Applicants and employees for this position will not be sponsored for work authorization, including, but not limited to H1-B visas.
