Penetration Tester Resume Template

A free Penetration Tester resume, pre-filled and ready to edit. Replace the highlighted placeholders (recon stack, exploitation frameworks, C2 tooling, AD-attack paths, cloud-pentest tools, engagement counts and impact metrics) using the side panel on the left, and the resume rewrites itself as you type. Save as PDF when you're done.

Authored by Emmanuel Gendre, Former Google Recruiter and Tech Resume Writer


Interactive Penetration Tester Resume Template

Edit the side panel. The resume rewrites itself live. Save as PDF when you're done.


Riley Park

Senior Penetration Tester

Seattle, WA · pentester@gmail.com · +1 206-555-0177

Profile Summary

  • Senior Penetration Tester with 7 years of experience running offensive security consulting engagements across fintech, SaaS, and federal contractor environments, specializing in red team operations, web application testing, and Active Directory exploitation.
  • Hands-on coverage across reconnaissance (Amass), vulnerability scanners (Burp Suite Pro, Nessus), C2 frameworks (Cobalt Strike, Sliver), AD exploitation (BloodHound, Mimikatz), and scripting (Python, PowerShell) with strong fundamentals in MITRE ATT&CK mapping, OPSEC discipline, and audit-ready engagement reporting.
  • Deep expertise in objective-based red team operations, TTP-driven adversary emulation, manual exploitation rigor beyond scanner output, and stealth and OPSEC discipline, leveraging methodologies such as MITRE ATT&CK-aligned engagement plans and purple-team debrief cycles to produce findings that map to real business risk and drive measurable security improvements.
  • Engaged collaborator working closely with client blue teams, Detection Engineering, and AppSec partners in PTES- and OSSTMM-aligned engagements, contributing to scoping calls, retest cycles, and purple-team debriefs with a calm, evidence-first temperament.
  • Emerging leader who shares technical excellence and fosters a culture of report clarity and reproducible proof-of-exploit through peer report reviews and tooling sessions, while leading internal red-team craft sessions and authoring widely used playbook and report templates.

Technical Skills

Recon & OSINT:
Amass, Subfinder, Recon-ng, Maltego, theHarvester, Shodan, Censys, GitHub dorking
Web App & API Testing:
Burp Suite Pro, OWASP ZAP, Caido, sqlmap, ffuf, dirsearch, OWASP Top 10, API pentest
Network & AD Pentest:
Nessus, Nmap, Impacket, NetExec (CrackMapExec), Responder, BloodHound, Rubeus, Kerberoasting
Cloud & Mobile Testing:
Pacu, ScoutSuite, Prowler, CloudGoat, MobSF, Frida, Objection, AWS / Azure / GCP IAM
C2 & Exploit Frameworks:
Cobalt Strike, Sliver, Mythic, Havoc, Metasploit, Brute Ratel C4 (familiarity)
Post-Exploitation & Evasion:
Mimikatz, Rubeus, SharpHound, Certify, Seatbelt, Process Hollowing, AMSI/ETW bypass
Frameworks & Methodology:
MITRE ATT&CK, OWASP WSTG, PTES, NIST 800-115, OSSTMM, CVSS v3.1, OSCP, OSEP
Languages & Scripting:
Python, PowerShell, C#, Go, Bash, Ruby, x86/x64 assembly (basic)

Education

University of Washington B.S. in Computer Science, concentration in Computer Security
Seattle, WA Sep 2015 - Jun 2019

Work Experience

Bishop Fox Senior Penetration Tester
Seattle, WA Apr 2022 - Present
  • Led red team and adversary emulation engagements for Fortune 500 and high-growth SaaS clients across 3- to 12-week engagements, covering internal Active Directory, external infrastructure, and cloud and web surfaces across 40+ red team and full-scope engagements.
  • Drove web application and API penetration testing across 60+ web app and API assessments on Burp Suite Pro, working full OWASP Top 10 coverage, SSRF, IDOR, and business-logic exploit chains, and authenticated and unauthenticated Burp scans backed by manual review, delivering 180+ confirmed high or critical findings.
  • Owned internal network and Active Directory penetration testing using BloodHound, Mimikatz, and Impacket to execute Kerberoasting and AS-REP roasting, BloodHound attack-path analysis, NTLM relay and coerced-auth abuse, and Constrained Delegation exploitation, compromising the domain on 22 of 25 internal engagements.
  • Built reconnaissance and OSINT-driven attack-surface mapping on Amass and Shodan, running DNS and subdomain enumeration at scale, leaked-credential pivoting via public dumps, and employee and infrastructure profiling, surfacing shadow IT and forgotten assets in 70% of external engagements.
  • Executed post-exploitation, lateral movement, and privilege escalation through Mimikatz credential extraction, Golden and Silver Ticket forging, and pivoting through tiered admin networks, reaching crown-jewel data stores in 18 engagements.
  • Stood up command-and-control infrastructure and custom tooling using Cobalt Strike beacons with malleable C2 profiles, Sliver implants for OPSEC-sensitive operations, and custom Python and C# loaders with AMSI and ETW bypass, evading CrowdStrike and SentinelOne EDR detection across 14 engagements.
  • Delivered cloud, mobile, and specialized assessments across AWS, Azure, and GCP estates, exercising IAM privilege escalation, S3 and blob misconfiguration hunting, and metadata service abuse, completing 14 cloud and 6 mobile assessments.
NCC Group Penetration Tester
Seattle, WA Jul 2019 - Mar 2022
  • Ran vulnerability assessment and safe exploitation engagements across 90+ vulnerability assessments, combining Nessus and Nuclei automated scanning, manual validation beyond scanner output, and safe exploitation to demonstrate real impact, delivering 220+ validated vulnerabilities with CVSS-scored impact.
  • Designed and executed social engineering and phishing campaigns across 16 multi-channel campaigns, including phishing email crafting with custom infrastructure, vishing and pretexting call scripts, and physical and badge-cloning assessments, achieving 28% click and 14% credential-capture rates across the program.
  • Authored client engagement reports and remediation guidance, including executive summaries written for non-technical readers, CVSS-scored technical detail per finding, proof-of-exploit screenshots and commands, and prioritized remediation roadmaps, partnering with client AppSec, IT, and Detection Engineering across 22 client engagements, validating fixes through retesting on 60+ high/critical findings, and onboarding 3 junior pentesters.

Done editing? Download as a real, vector PDF. Selectable text, ATS-friendly, US Letter format.

About this template

A Penetration Tester Resume Template, by an Offensive Security Resume Writer.

Bit of background: 12 years of recruiting experience, including many years at Google, and these days I run an offensive security resume writer service for IT and security candidates. Penetration Tester and ethical hacker rewrites come through every couple of weeks. Red team and pentest hiring is one of the chunkier funnels I see. So when I tell you what works on a pentest CV, it's from screening these resumes on the recruiter side, not from a SANS deck or a Twitter thread.

Most folks who land here go for the full custom rewrite. We sit down with the actual engagements you ran, the domain controllers you owned, the web chains you delivered, the C2 you authored, the report findings clients still quote from. Sometimes that's a heavier lift than you need. If a clean skeleton with red-team and ethical-hacker shaped placeholders is the missing piece, this template covers it. ATS-clean, free, no signup. Try it out.

How it works

How to use this template to write a Penetration Tester resume

The structure here was written by a former Google recruiter. The placeholders push you to be specific exactly where it matters: tooling, the attack surface, the practice behind the work, and engagement outcomes.

Strong pentest bullets aren't typed out in one go. They build in five layers. Layer one names the action. Layers two and three add the tooling you used and the attack surface you hit. Layer four shows the practice (the TTP, the chain, the methodology). Layer five quantifies what changed for the client. Bullets that complete layer five are the ones an offensive-security hiring manager flags for the phone screen. The framework lives in How to Write Bullet Points for Tech Resumes.

  1. Task: What you did
  2. Tools: Burp, Cobalt Strike, BloodHound
  3. Surface: Web, AD, cloud, infra
  4. TTP: Kerberoast, SSRF, lateral
  5. Metric: Quantified impact

This template bakes the five layers straight into your bullets so the framework runs in the background. The side panel lines up clean: scanner and C2 picks feed layer 2, the engagement-scope and surface fields feed layer 3, the attack-pattern fields feed layer 4, the count and rate inputs land at layer 5. The sentence skeletons cover layer 1. Why this matters: you only have to drop in real tools and real numbers. The structure does the rest, and the resume reads at layer 5.

  1. Pick your stack

    Tap a chip to swap Burp Suite for OWASP ZAP, Cobalt Strike for Sliver or Mythic, BloodHound for NetExec or Rubeus, Python for PowerShell or C#. Every mention updates at once.

  2. Drop in your numbers

    Engagement counts, web/API findings, domain compromise rates, crown-jewel reach, EDR evasion, phish click and credential capture rates. Don't have yours yet? The defaults pass for a senior pentest resume.

  3. Save as PDF

    Click Download. The page generates a real vector PDF with selectable text and clean US Letter formatting. ATS-parsable.

Resume Sample

Penetration Tester Resume Examples

Three sample penetration tester resumes at different career stages: a junior OSCP-certified pentester at an MSSP, a senior IC at a boutique appsec consultancy, and a lead red-teamer at a major cyber firm. Use them as inspiration when filling the template above.

Entry-level Pentester Resume Sample 2 years

Junior Penetration Tester Resume Example

New grad with OSCP. Runs internal-network and web-app engagements at an MSSP under senior team-lead supervision.

Jonas Lindberg

Junior Penetration Tester

Atlanta, GA · jonas.lindberg@gmail.com · +1 404-555-0156 · linkedin.com/in/jonaslindberg

Profile Summary
  • Junior Penetration Tester with 2 years of experience running internal-network and web-app engagements at an MSSP, under senior team-lead supervision and with OSCP certification.
  • Hands-on coverage across Kali Linux, Burp Suite Pro (basic), Nmap, Metasploit, BloodHound, mimikatz, and Wireshark, with a working knowledge of the OWASP Top 10.
  • Documented 30 to 60 findings per quarter with reproducible payloads, evidence screenshots, and CVSS scoring; contributes to client retest cycles under senior review.
  • Active in the security community via HackTheBox and TryHackMe; authored 14 hands-on rooms as a TryHackMe Content Author before joining NCC Group.
Technical Skills
Offensive Tooling:
Kali Linux, Burp Suite Pro (basic), Nmap, Metasploit, Nessus, Nikto, Gobuster
Active Directory:
BloodHound, mimikatz, CrackMapExec, Responder, basic Kerberoasting + AS-REP roasting
Web Application:
OWASP Top 10, Burp Repeater + Intruder, basic JWT + OAuth abuse
Network & Protocol:
Wireshark, tcpdump, basic SMB / LDAP / Kerberos analysis
Scripting:
Python (basic), Bash, PowerShell (read), Git
Red-Team Adjacent:
Cobalt Strike (familiarity), HackTheBox, TryHackMe, OSCP labs
Certifications:
Offensive Security Certified Professional (OSCP, 2023)
Education
Georgia State University B.S. in Cybersecurity Atlanta, GA · Sep 2019 - May 2023
Work Experience
NCC Group Junior Penetration Tester Atlanta, GA · Aug 2023 - Present
  • Tested 18 web-app and internal-network engagements as test-lead-junior under a senior supervisor, covering financial-services and SaaS clients.
  • Documented 46 findings across the past 4 quarters, with reproducible payloads, CVSS v3.1 scoring, and remediation guidance reviewed by the senior team lead.
  • Ran BloodHound + mimikatz chains on 9 internal AD engagements, surfacing 12 Kerberoasting vectors and 4 unconstrained-delegation paths.
  • Authored 3 client retests end-to-end after senior sign-off, validating remediation for 22 issues and contributing to NCC's retest standards.
  • Contributed to internal training: rebuilt the OWASP Top 10 lab for new-hire onboarding using HackTheBox-style boxes and Burp Suite walkthroughs.
TryHackMe Content Author (Contract) Remote · Jun 2022 - Jul 2023
  • Authored 14 hands-on TryHackMe rooms covering Active Directory, web-app exploitation, and Linux privilege escalation, used by 40,000+ learners.
  • Built 6 OSCP-style boxes with multi-step exploit chains, peer-reviewed by the TryHackMe content team.
  • Earned OSCP while authoring rooms; documented exam prep methodology in a blog series with 22,000+ reads.

Senior Pentester Resume Sample 7 years

Senior Penetration Tester Resume Example

Senior IC at a boutique pentest consultancy. Specializes in source-assisted application security and cryptographic review.

Camille Robert

Senior Penetration Tester

New York, NY · camille.robert@gmail.com · +1 212-555-0181 · linkedin.com/in/camillerobert

Profile Summary
  • Senior Penetration Tester with 7 years of experience leading source-assisted application security and cryptographic review engagements at boutique consultancies, specializing in OWASP ASVS Level 3, MASTG, and TLS / PKI review.
  • Hands-on coverage across Burp Suite Pro (with custom extensions), Frida, Ghidra, IDA Pro, AFL++, libFuzzer, and Python + Rust for PoCs and tooling.
  • Deep expertise in cloud-attack patterns on AWS and Azure (IAM privilege escalation, federated-identity abuse, KMS misuse) and side-channel-analysis introductions against TLS and RFC-compliance review.
  • Cross-functional collaborator partnering with client engineering, cryptography, and product teams; authors 80 to 120 high-quality findings per year with detailed remediation guidance.
  • Mentors 3 junior testers, runs internal craft sessions on fuzzing and source-assisted review, and authored 2 firm-level methodology RFCs.
Technical Skills
Web & API:
Burp Suite Pro + custom Burp extensions, OWASP ASVS Level 3, GraphQL abuse, OAuth + OIDC review
Mobile & Binary:
Frida, OWASP MASTG, Ghidra, IDA Pro, basic reversing on ARM64 + x86_64
Cryptography & PKI:
TLS / PKI review, RFC-compliance audit, basic side-channel analysis intro, JWT + JOSE review
Fuzzing & Source Review:
AFL++, libFuzzer, Semgrep, CodeQL, source-assisted application security review
Cloud Attack:
AWS attack patterns (IAM, STS, KMS), Azure attack patterns (Entra ID, Managed Identities)
Scripting & Tooling:
Python (advanced), Rust (PoCs + tooling), Bash, Git
Certifications:
OSCP, OSWE, GWAPT
Education
Rensselaer Polytechnic Institute M.S. in Computer Security Troy, NY · Sep 2016 - May 2018
Rensselaer Polytechnic Institute B.S. in Computer Science Troy, NY · Sep 2012 - May 2016
Work Experience
Trail of Bits Senior Penetration Tester New York, NY · Jul 2022 - Present
  • Owned 24 senior-lead engagements covering source-assisted appsec, cryptographic review, and TLS / PKI audits for fintech, blockchain, and SaaS clients.
  • Authored 110 high-quality findings with reproducible PoCs in Python and Rust, including 6 RFC-compliance findings against client TLS stacks.
  • Built 4 custom Burp extensions in Java + Python for client-specific GraphQL and JWT review, adopted across the senior testing pod.
  • Led fuzzing harnesses with AFL++ and libFuzzer on 3 client cryptographic libraries, surfacing 17 memory-safety findings including 2 with CVE assignment.
  • Led 5 client retest cycles end-to-end, validating remediation for 62 findings and authoring formal sign-off letters.
  • Mentors 3 junior testers through engagement shadowing and report reviews; authored 2 RFCs that codified the firm's source-assisted review methodology.
Praetorian Penetration Tester Austin, TX · Jul 2018 - Jun 2022
  • Ran 60+ web-app, mobile, and cloud engagements, advancing from associate to senior tester over 4 years on financial-services and healthcare accounts.
  • Specialized in AWS attack chains: documented 14 IAM privilege-escalation paths and 9 KMS misuse patterns across client environments.
  • Built Python + Rust tooling for OWASP ASVS Level 3 evidence capture, cutting report-writing time by 35% on appsec engagements.
  • Mentored 4 associate testers through OSCP and OSWE prep, contributing to 6 hiring loops as a senior interviewer.

Lead Pentester Resume Sample 11 years

Lead Penetration Tester Resume Example

Lead red-teamer at a major cyber firm. Manages 5 operators and the firm's adversary-simulation methodology.

Devon Carter

Lead Penetration Tester

Arlington, VA · devon.carter@gmail.com · +1 703-555-0194 · linkedin.com/in/devoncarter

Profile Summary
  • Lead Penetration Tester with 11 years of experience running adversary-simulation programs for financial-services and federal clients, specializing in Cobalt Strike, Sliver, MITRE ATT&CK, TIBER-EU, and CBEST.
  • Hands-on coverage across advanced Active Directory and Kerberos attacks (Constrained Delegation, Resource-Based CD, PetitPotam), AD CS ESC1-ESC11 chains, and cloud red-team for AWS, Azure, and GCP.
  • Deep expertise in custom-implant development in Nim, Rust, and C++, plus purple-team coordination with client SOC and detection-engineering teams.
  • Lead engineer managing 5 operators, owning the firm's adversary-simulation methodology, and authoring firm-level methodology RFCs.
  • Trusted advisor delivering executive client briefings on red-team outcomes, MITRE ATT&CK coverage, and detection-gap remediation roadmaps.
Technical Skills
C2 & Red-Team Ops:
Cobalt Strike, Sliver, Mythic, Empire (deprecated knowledge), custom C2 development
Adversary Simulation:
MITRE ATT&CK, TIBER-EU, CBEST, threat-intel-led scenario design, purple-team coordination
Active Directory:
Constrained Delegation, Resource-Based CD, PetitPotam, ADCS ESC1-ESC11, BloodHound, mimikatz
Cloud Red-Team:
AWS (IAM, STS, organizations), Azure (Entra ID, Managed Identities), GCP (workload identity)
Implant Development:
Nim, Rust, C++, syscall + direct-syscall implementations, EDR evasion research
Detection Engineering:
Sigma, KQL, Splunk SPL, detection-gap analysis, purple-team replay
Leadership:
Operator management, methodology RFCs, executive briefings, hiring loops
Certifications:
OSCP, OSEP, OSED, CRTO, CRTL
Education
Carnegie Mellon University M.S. in Information Security Pittsburgh, PA · Sep 2012 - May 2014
University of Pittsburgh B.Sc. in Computer Science Pittsburgh, PA · Sep 2008 - May 2012
Work Experience
CrowdStrike Red Team Services Lead Penetration Tester Arlington, VA · Apr 2021 - Present
  • Lead for the financial-services red-team practice, managing 5 operators and delivering 22 full-scope red-team engagements per year against Tier-1 banks and trading firms.
  • Owned the firm's adversary-simulation methodology aligned to MITRE ATT&CK, TIBER-EU, and CBEST, with versioned playbooks adopted by 3 regional pods.
  • Drove custom-implant development in Nim and Rust, authoring 4 EDR-evasion implants with direct-syscall and unhooking techniques, peer-reviewed by the firm's research team.
  • Built the AD CS ESC1-ESC11 attack playbook, used across 14 engagements in the past 18 months with 11 successful Domain Admin paths.
  • Defined the firm's Red-Team RFC process, shepherding 9 methodology RFCs through review and adoption; chairs the bi-weekly Red-Team Tradecraft forum.
  • Delivers executive client briefings for 8 Tier-1 financial-services clients per year, including detection-gap roadmaps and purple-team replay sessions with client SOC.
  • Mentors 5 operators through senior and principal trajectories; led 12 hiring loops and authored the firm's red-team onboarding curriculum.
IBM X-Force Red Senior Penetration Tester New York, NY · Jul 2014 - Mar 2021
  • Ran 70+ red-team and pentest engagements, advancing from associate to senior lead over 7 years on financial-services, federal, and healthcare accounts.
  • Led 18 TIBER-EU-aligned engagements against European banks, partnering with threat-intel teams on scenario design and exec-level reporting.
  • Built X-Force Red's Cobalt Strike + Sliver C2 infrastructure, with domain-fronting, redirector hardening, and per-engagement profile generation.
  • Mentored 6 mid-level operators, ran the bi-weekly red-team craft session, and contributed to 8 hiring loops as a senior interviewer.

Frequently asked

Your Questions about the Penetration Tester Resume Template, Answered

Yes, fully free. There is no signup, no email wall, no paid tier. Open the page, replace the placeholders with your real engagements, save the PDF, and you are out.

Yes. The exported PDF stays single-column, with the section headers any ATS already understands (Profile Summary, Technical Skills, Education, Work Experience). No tables, no images, no two-column tricks. Workday, Greenhouse, and iCIMS read it cleanly. If you want a second opinion on the export, drop it into our ATS Checker.

You can. Press Edit at the top of the preview and click into any sentence on the paper to type over it. The side-panel placeholders keep updating; everything else is plain editable text you can rewrite freely.

Hit Download. The browser builds the PDF on the spot, no print dialog, no signup, no server in the loop. The output is real vector text on US Letter, parsed by ATS systems exactly the same way they parse any clean resume export.

Yes. The defaults lean Cobalt Strike + Sliver + Burp Suite Pro + BloodHound + Mimikatz because that is the most common 2026 senior pentest stack, but every reference is a placeholder. Use the chips to swap Cobalt Strike for Sliver, Mythic, or Havoc. Swap Burp Suite for OWASP ZAP. Swap Nessus for Nuclei or Qualys. Swap Python for PowerShell, C#, Go, or Ruby. The side panel rewrites the resume across every mention.

Penetration Tester leans offensive: recon and OSINT, exploitation, web and network pentest, red team operations, AD compromise, C2 and custom tooling, cloud and mobile testing, plus engagement reporting. The SOC Analyst template leans defensive: SIEM-driven alert triage, EDR investigation, phishing analysis, detection engineering, incident response. If your day is running engagements and writing report findings, pick this one. If your day is triaging alerts and tuning detections, the SOC Analyst template fits better.

No. Pentest hiring managers screen on substance: the engagements you actually ran, the domain controllers you popped, the web findings you chained, the C2 you wrote, the reports clients quoted from. Layout origin is not on the rubric. What does cost interviews is a template padded with vague offensive-security buzzwords, which this one is shaped to prevent. The skeleton came from a former Google recruiter; the substance is yours.

Why trust this template

Emmanuel Gendre

Former Google recruiter · Tech resume writer

I built this Penetration Tester template from the patterns I saw work, not from generic advice. Below is the data behind every bullet, skills line, and metric placeholder.

  • Experience: Hundreds of Penetration Tester resumes screened across offensive security consultancies, in-house red teams, MSSPs, and federal contracting shops during my Google recruiter years and at TechieCV. The Profile Summary and Skills sections mirror what survived the 6-second screen on an offensive-security recruiter's desk.
  • Expertise: Bullets modeled on senior offers. The Bishop Fox section is structured the way Senior and Lead Penetration Testers / Red Team Operators write their experience when they land top-tier offensive-security and in-house red team interviews: engagement-type ownership, web depth, AD compromise rates, post-exploit reach, custom C2 work, and cloud-pentest delivery.
  • Trust: Stack reflects the 2026 hiring bar. Burp Suite Pro + Nessus + Cobalt Strike + Sliver + BloodHound + Mimikatz + Impacket + Amass is what hiring managers expect today; suggestion chips cover realistic alternatives (OWASP ZAP, Caido, Nuclei, Mythic, Havoc, NetExec, Rubeus, Subfinder, Recon-ng) so you can match your real toolchain without losing keyword fit.

Filled the template? Get a recruiter's eyes on it.

The template gives you a recruiter-vetted skeleton. The next step is making sure your specific engagements, findings, and stack hold up under a 6-second screen.

Free, personally reviewed within 12 hours by a former Google recruiter.


Disclaimer. This template is a starting point. Defaults are illustrative; replace every metric and tool with values that reflect your real work. Tailor wording to each job description.