Bouygues Construction Information Technologies (BYCN IT) is the IT branch of Bouygues Construction, a global player in the building, civil works, energies and services sectors. Bouygues Construction operates at all points of the value chain of projects: finance, design, construction and facilities management (operation and maintenance). On every continent, our employees devise and develop solutions that help improve the environment and everybody’s lives.
Job Description
In the role of a Senior Penetration Tester, you will technically lead penetration testing and offensive security engagements to identify, validate and communicate security weaknesses in Bouygues’s information systems (applications, infrastructure, cloud and internet‑facing assets). You focus on hands‑on offensive work and project leadership, while working closely with Security Lead, Blue Team and product/infra teams to reduce real‑world risk.
As part of Bouygues Construction, the mission of BYCN IT is to provide the members of Bouygues Construction with high-quality IT services that fit their businesses and to deploy solutions that improve communication and collaboration through a worldwide network. BYCN IT has offices in France, Morocco and Vietnam.
Plan and execute offensive security engagements (campaigns, advanced attack scenarios, adversary emulation) within defined rules of engagement, in coordination with Security Lead and Blue Team.
Contribute to building and improving internal tooling, scripts and workflows to automate recurring checks and increase efficiency in offensive activities.
Lead OSINT and External Attack Surface activities from a technical perspective (asset discovery, exposure analysis, attack path identification), focusing on Bouygues’s internet‑facing assets.
Validate and prioritize vulnerability scanner outputs; distinguish between noise and real risk based on context, exploitability and business criticality.
Mentor and support junior/mid level pentesters within engagements (pair testing, review test plans and findings, review reports), while Security Lead remains responsible for people management, career paths and overall practice strategy.
Perform in‑depth manual testing and exploitation beyond automated scanning: identify complex vulnerabilities, chaining issues into realistic attack paths with clear business impact.
Provide clear, actionable remediation and mitigation guidance to development, infrastructure and product teams; support them in reproducing and fixing issues when needed.
Continuously research new vulnerabilities, techniques, tools and countermeasures relevant to the team’s offensive scope and bring them into daily practice in a pragmatic way.
Act as technical lead for penetration testing projects on web applications, APIs, infrastructure, internal networks and cloud environments: help define scope, choose methodology, execute tests and ensure technical quality of results.
OUR REQUIREMENTS:
Cybersecurity Skills & Experience
3–5+ years of hands‑on experience in penetration testing and/or offensive security (web/API, infrastructure, internal network and/or cloud).
Strong understanding of core security concepts and methodologies:
Web/API security (OWASP, auth/session, access control, injection, logic flaws).
Exploitation and post‑exploitation in controlled environments (privilege escalation, lateral movement, data access within ROE).
Network and infrastructure security (network segmentation, AD basics, common protocols).
Solid experience in:
Using and combining tools such as nmap, Nessus/Qualys, Burp Suite Pro, custom scripts, etc.
Translating technical findings into clear risk statements and remediation recommendations.
Designing and executing pentest engagements end‑to‑end on scope assigned.
Good knowledge of vulnerability assessment and risk rating:
Understanding scanner findings, context and exploitation hypothesis.
Experience with OSINT and external attack surface discovery (subdomain enumeration, asset fingerprinting, exposure mapping) is highly valued.
Familiar with CVSS and risk‑based prioritization.
Familiarity with security standards and frameworks such as OWASP, CIS Benchmarks, NIST, MITRE ATT&CK.
Practical scripting/automation skills (Python, Bash, PowerShell or similar) to:
Build small tools, PoCs, data parsers or automation for repetitive tasks.
Security certifications that reflect hands‑on offensive capability (OSCP/OSWE, OSEP, eCPPT, GWAPT or similar) are a strong plus; foundational certs (CEH, Security+, etc.) can be complementary but are not the main differentiator at Senior level.
Nice to have
Participation in red‑team or purple‑team exercises alongside Blue Team/SOC.
Experience in bug bounty, exploit development or zero‑day research.
Profile & Background
Strong security expertise across web, infrastructure, network and ideally cloud environments, with the ability to go deep in at least one of them.
Good understanding of SDLC/Agile/DevOps and how security testing fits into delivery pipelines.
Broad understanding of security tools (strengths/limitations, when to use what), not just tool‑driven testing.
Knowledge of testing/audit methodologies (PTES, NIST 800‑115, OWASP Testing Guide, etc.) is a plus.
Able to work autonomously on assigned projects, manage own workload, communicate status and blockers clearly to Security Lead and stakeholders.
Bachelor’s degree in Computer Science, Information Security, Network Engineering or equivalent practical experience.
General / Soft Skills
Strong analytical and problem‑solving mindset; able to design and adapt attack paths based on findings and constraints.
Team‑oriented, collaborative; comfortable working closely with other pentesters, Blue Team/SOC, developers and infrastructure teams.
Rigorous and quality‑focused; strong attention to detail and reproducibility of findings.
Methodical and organized; able to structure engagements, testing activities and documentation clearly.
Clear written and verbal communication in English; able to explain complex technical issues in an understandable way to different audiences.
Customer/service orientation:
- Open‑minded, eager to learn and share knowledge, receptive to feedback and peer review.
- Understands business processes and constraints behind systems under test.
- Helps stakeholders make informed decisions by focusing on realistic risk and feasible remediation options.
OUR BENEFITS:
Professional, Open-minded and Creative Environment:
Strong sharing culture to improve individual development.
Great teamwork with Agile mindset.
International, friendly, proactive, supportive workplace.
Respect different perspectives.
Individual Development
Be oriented and empowered for individual, team and organization goals.
Career and personal development plan for each individual.
Extensive training and in-depth knowledge sharing sessions.
Online internal learning hub with various categories in software skills, soft skills and language skills.
Special Care for Employee
Dell laptop and external monitor for your work.
Annual health check-up and premium health insurance for employee.
100% salary on probationary period.
Sport, personal activities sponsor.
Work from home 2 days/week.
Up to 2-month performance bonus.
Annual teambuilding activities and company trip.
15 annual leave days + 6 sick leave days (plus 1 annual leave day for 3-year working).