As part of Bouygues Construction, the mission of BYCN IT is to provide the members of Bouygues Construction with high-quality IT services suited to their businesses and to deploy solutions that improve communication and collaboration across a worldwide network. BYCN IT has offices in France, Morocco and Vietnam.
Bouygues Construction Information Technologies (BYCN IT) is the IT branch of Bouygues Construction, a global player in the building, civil works, energies and services sectors. Bouygues Construction operates at all points of the value chain of projects: finance, design, construction and facilities management (operation and maintenance). On every continent, our employees devise and develop solutions that help improve the environment and everybody’s lives.
As a Senior Pentester, you will technically lead penetration testing and offensive security engagements to identify, validate and communicate security weaknesses in Bouygues’s information systems (applications, infrastructure, cloud and internet‑facing assets). You focus on hands‑on offensive work and project leadership, while working closely with Security Lead, Blue Team and product/infra teams to reduce real‑world risk.
Job Description
Contribute to building and improving internal tooling, scripts and workflows to automate recurring checks and increase efficiency in offensive activities.
Plan and execute offensive security engagements (campaigns, advanced attack scenarios, adversary emulation) within defined rules of engagement, in coordination with Security Lead and Blue Team.
Lead OSINT and External Attack Surface activities from a technical perspective (asset discovery, exposure analysis, attack path identification), focusing on Bouygues’s internet‑facing assets.
Provide clear, actionable remediation and mitigation guidance to development, infrastructure and product teams; support them in reproducing and fixing issues when needed.
Mentor and support junior/mid level pentesters within engagements (pair testing, review test plans and findings, review reports), while Security Lead remains responsible for people management, career paths and overall practice strategy.
Continuously research new vulnerabilities, techniques, tools and countermeasures relevant to the team’s offensive scope and bring them into daily practice in a pragmatic way.
Perform in‑depth manual testing and exploitation beyond automated scanning: identify complex vulnerabilities and chain issues into realistic attack paths with clear business impact.
Validate and prioritize vulnerability scanner outputs; distinguish between noise and real risk based on context, exploitability and business criticality.
Act as technical lead for penetration testing projects on web applications, APIs, infrastructure, internal networks and cloud environments: help define scope, choose methodology, execute tests and ensure technical quality of results.
Our Requirements
3–5+ years of hands-on experience in penetration testing and/or offensive security (web/API, infrastructure, internal network and/or cloud).
Strong understanding of core security concepts and methodologies:
Web/API security (OWASP, auth/session, access control, injection, logic flaws).
Network and infrastructure security (network segmentation, AD basics, common protocols).
Exploitation and post-exploitation in controlled environments (privilege escalation, lateral movement, data access within ROE).
Solid experience in:
Designing and executing pentest engagements end-to-end on the assigned scope.
Using and combining tools such as nmap, Nessus/Qualys, Burp Suite Pro, custom scripts, etc.
Translating technical findings into clear risk statements and remediation recommendations.
Good knowledge of vulnerability assessment and risk rating:
Understanding scanner findings, context and exploitation hypothesis.
Familiar with CVSS and risk-based prioritization.
Familiarity with security standards and frameworks such as OWASP, CIS Benchmarks, NIST, MITRE ATT&CK.
Experience with OSINT and external attack surface discovery (subdomain enumeration, asset fingerprinting, exposure mapping) is highly valued.
Practical scripting/automation skills (Python, Bash, PowerShell or similar) to:
Build small tools, PoCs, data parsers or automation for repetitive tasks.
Security certifications that reflect hands-on offensive capability (OSCP/OSWE, OSEP, eCPPT, GWAPT or similar) are a strong plus; foundational certs (CEH, Security+, etc.) can be complementary but are not the main differentiator at Senior level.
Nice to have
Experience in bug bounty, exploit development or zero-day research.
Participation in red-team or purple-team exercises alongside Blue Team/SOC.
Profile & Background
Able to work autonomously on assigned projects, manage own workload, communicate status and blockers clearly to Security Lead and stakeholders.
Broad understanding of security tools (strengths/limitations, when to use what), not just tool-driven testing.
Good understanding of SDLC/Agile/DevOps and how security testing fits into delivery pipelines.
Bachelor’s degree in Computer Science, Information Security, Network Engineering or equivalent practical experience.
Knowledge of testing/audit methodologies (PTES, NIST 800-115, OWASP Testing Guide, etc.) is a plus.
Strong security expertise across web, infrastructure, network and ideally cloud environments, with the ability to go deep in at least one of them.
General / Soft Skills
Rigorous and quality-focused; strong attention to detail and reproducibility of findings.
Strong analytical and problem-solving mindset; able to design and adapt attack paths based on findings and constraints.
Team-oriented, collaborative; comfortable working closely with other pentesters, Blue Team/SOC, developers and infrastructure teams.
Methodical and organized; able to structure engagements, testing activities and documentation clearly.
Clear written and verbal communication in English; able to explain complex technical issues in an understandable way to different audiences.
Customer/service orientation.
What We Offer
Professional, Open-minded and Creative Environment:
Great teamwork with Agile mindset.
Strong sharing culture to improve individual development.
Respect different perspectives.
International, friendly, proactive, supportive workplace.
Individual Development:
Online internal learning hub with various categories covering software skills, soft skills and language skills.
Extensive training and in-depth knowledge sharing sessions.
Be oriented and empowered for individual, team and organization goals.
Career and personal development plan for each individual.
Special Care for Employee:
Annual teambuilding activities and company trip.
Dell laptop and external monitor for your work.
100% salary on probationary period.
15 annual leave days + 6 sick leave days (plus 1 annual leave day for 3-year working).
Annual health check-up and premium health insurance for employee.
Sport, personal activities sponsor.
Work from home 2 days/week.
Up to 2-month performance bonus.