Penetration Tester Resume
Skills & ATS Keywords

Carry roughly 30 to 46 named offensive tools and methodologies on the page: the web proxy you spent the last year inside (Burp Suite Pro with its extensions, or Caido), the C2 framework you ran your last engagement on (Cobalt Strike, Sliver, Mythic, Havoc), the AD-attack tooling that cracked your last domain (BloodHound, Rubeus, Impacket, NetExec, Certify), the cloud-pentest kit you reached for on the last AWS or Azure scope (Pacu, ScoutSuite, MicroBurst, AzureHound), the recon stack (Amass, Subfinder, Shodan, Censys), the scripting languages you write tooling in (Python, PowerShell, C, Go), and the certs that gate offensive-security shortlists (OSCP at minimum, plus OSWE or OSEP at senior tier). Sort it all under 7 to 9 row labels. Below 22 the file reads like a CTF hobbyist; over 50 it reads like a Hack The Box badge wall with no engagement story holding it up. Every chip needs a war-story you can defend on a technical screen: the SSRF chain you escalated to RCE, the unconstrained-delegation path you walked from a low-priv user to Domain Admin, the EDR evasion you wrote when CrowdStrike kept killing your beacon. The row carries the arsenal; engagements led per year, CVEs disclosed, exploit chains demonstrated, and clean reports clients still quote are what prove you actually swung the hammer.

Slot it right after the Profile Summary and ahead of Work Experience. Pentest managers at consultancies and in-house red teams scan a stack of files in single-coffee bursts between client meetings, and the parsers riding the recruiter side of offensive-security pipelines (Greenhouse, Lever, Ashby, Workday) pick up a Burp Suite, Cobalt Strike, or BloodHound token with higher confidence when the chip sits inside a labeled Skills block on the upper half of page one. Bury it on page two and your web-plus-AD-plus-cloud arsenal disappears into prose, the parser misses half the tools, and the engagement bullets lose the keyword echo they need to score. Hold the page to 7 to 9 grouped rows so a pentest lead reads your offensive surface area in one downward sweep before opening the first engagement bullet.

Drop the req into a scratch doc and ring every named web proxy, C2 framework, AD-attack tool, cloud-pentest utility, recon platform, fuzzer, reverse-engineering suite, scripting language, certification, and methodology the posting mentions. Star the names that recur two or three times across the page. Place the starred list beside your Skills rows and check for missing chips. When a tool keeps surfacing in the JD but is absent from your file, fold it onto the matching row only when you can hold a technical screen on it (a Cobalt Strike chip with no malleable-profile story attached gets caught on the first interview), then make sure at least one engagement bullet pins the same product to an engagement count, a chained-exploit outcome, a privilege-escalation path, or a disclosed CVE. Once the rows look right, push the file through an ATS Checker as the closing pass so the parser still reads the labels and the structured fields cleanly without an exotic tool name getting swallowed by the layout.

Pentester is the offensive seat: you sit at a Kali box (or the consultancy equivalent), open Burp Suite, fire BloodHound, write a Cobalt Strike malleable profile, chain a SSRF into a metadata-service abuse into a cross-account IAM takeover, and ship a report that names every chain you walked and every fix the client now owes. The engagement is scoped, the rules of engagement are signed, the goal is finding weaknesses before a real attacker does. Security Engineer is the builder of controls on the other side: a Snyk rollout across product squads, a Wiz deployment across 80 AWS accounts, Okta conditional-access policy authorship, Sigma and KQL detections written for the SIEM, secrets-vault migrations, WAF tuning. SOC Analyst is the operator inside those controls: Splunk and Sentinel alert triage by tier, CrowdStrike RTR sessions, phishing-queue closures, NIST 800-61 IR work, ATT&CK-aligned hunts. If your day is breaking things by contract for a written-up client deliverable, the file belongs in the Pentester pile. If your day is rolling controls or working the alert queue, the Security Engineer or SOC Analyst guides are the right destination. Trying to wear all three hats on one resume thins the offensive evidence a pentest hiring panel reads the page for.

OSCP from Offensive Security is the field's entry filter: most pentest reqs in 2026 list it as required or strongly preferred at the L1 and L2 chair, and HR routes the resume through it before a hiring manager ever sees the page. OSWE (Offensive Security Web Expert) carries the web-app pentest specialization and pairs naturally with a Burp Suite plus source-code-assisted bullet. OSEP (Offensive Security Experienced Pentester) is the AV/EDR evasion and lateral-movement credential most senior pentest hiring leads check for at L3, because it maps onto custom-loader and AMSI-bypass work on the page. OSED (exploit dev) and OSCE3 sit at the principal tier where binary exploitation and custom implant authorship are on the daily ladder. CRTO (Certified Red Team Operator) from Zero Point Security has gained ground for adversary-simulation chairs and pairs cleanly with a Cobalt Strike engagement bullet. GPEN, GWAPT, and GXPN from SANS hold weight in federal and large-bank pipelines where the rest of the team carries GIAC credentials. List the credentials on a single Certifications row near Education, name the issuing body (Offensive Security, Zero Point, SANS, eLearnSecurity), and leave any in-progress lines off the page unless the sit date is locked.

Yes, on both counts, with caveats. Disclosed CVEs are one of the cleanest signals a pentest hiring panel reads on the page: a CVE ID, the affected vendor and product version, the bug class (SSRF, deauth, deserialisation, auth bypass), and the disclosure date carry weight that no skills chip can replicate. List two to five of the highest-impact CVEs in a dedicated Disclosures row near Education or inside the Profile Summary; skip the laundry-list of low-severity self-XSS reports. Bug-bounty findings on HackerOne, Bugcrowd, Intigriti, or Synack carry similar weight when the program names are real and the payout band is named, but treat the row as a depth signal rather than a substitute for client engagement work. A senior pentest panel reads the disclosure pair (CVE plus bounty) as proof that the offensive intuition holds up outside a scoped client environment; what closes the panel is the engagement record on the work-history side of the page.

Six number families do the heavy lifting on a 2026 Penetration Tester page. Engagements led per year with the scope split named (lead tester on 40 web-app, 8 AD, and 4 cloud assessments across 22 client engagements over the past year). Domain-compromise success rate on internal scopes (full-domain compromise on 22 of 25 internal pentests via Kerberoasting, AS-REP roasting, and ADCS ESC1 abuse). High-and-critical findings shipped with the chained-issue count (delivered 180 high or critical Burp findings, including 5 multi-issue chains walked from a low-impact SSRF to RCE on the largest target). CVEs disclosed against vendor products with the ID and bug class named (disclosed CVE-2025-XXXX through CVE-2025-XXXX against a vendor product chain covering deserialisation, IDOR, and auth-bypass classes). AV/EDR evasion runs landed against named products (evaded CrowdStrike Falcon and SentinelOne on 14 of 16 red-team engagements via custom Nim loaders, direct syscalls, and AMSI plus ETW patching). Report-cycle outcome with the remediation-pass rate (retested 60 high or critical findings after client fix windows with an 88 percent first-pass pass rate). Bare numbers stripped of a tool, a vendor, a CVE ID, or a chain context land as filler in 2026; a credible bullet pins one or two of those figures to a named offensive product and a real engagement outcome.