General Info
1. Department: Information Security & BCM
2. WorktimePercentage: 100%
3. Location: Geneva (preferred), Zurich or Lugano
Our Company
EFG International is a global private banking group, offering private banking and asset management services. We serve clients in over 40 locations worldwide. EFG International offers a stimulating and dynamic work environment and strives to be an employer of choice.
EFG is committed to providing an equitable and inclusive working environment that is founded on the principle of mutual respect. Joining our team means experiencing a supportive environment, where your contributions are valued and recognised. We strongly believe that the diversity of our teams gives us a competitive advantage by fostering better decision-making and greater innovation.
Our Purpose and Mission
Empowering entrepreneurial minds to create value – today and for the future.
We are a private bank, offering personalised solutions on a global scale to private and institutional clients. Our sustainable success is based on our talents and on how we partner with our clients and communities to create lasting value.
Job Description
Context - The Information Security & BCM, under the lead of the Group Chief Information Security Officer (CISO) and part of the Chief Operating Officer (COO) organization, defines, leads, and coordinates information security efforts across EFG International and its entities globally. It outlines the information security strategy, identifies, and runs security initiatives and sets standards.
To support the ICT Risk Management Framework, in compliance with regulatory requirements (FINMA, DORA and relevant financial-sector regulations), we are looking for a Cybersecurity Intermal Penetration Tester.
The successful candidate will be responsible for performing ongoing, in-house offensive security assessments of the Bank’s infrastructure, applications and controls.
This role combines hands-on technical experience conducting penetration testing and simulating real-world attacks exercises on corporate environments, with close collaboration with Security, IT, development and risk teams to proactively identify, exploit and advise on the remediation of vulnerabilities in critical banking systems.
Key responsibilities include:
4. Plan, scope and execute internal penetration tests on core banking platforms and business applications, with a strong focus on services supporting critical and important functions
5. Design test scenarios aligned with realistic baking threat models (fraud, data exfiltration, privilege escalation, lateral movements to critical systems,…) and internal risk assessments
6. Execute hands-on tests against internal networks, servers, endpoints, web applications, APIs, cloud workloads, AD and other core infrastructure systems
7. Document findings in clear, risk-based reports with evidence and actionable remediation guidance for technical and non-technical audiences
8. Work closely with infrastructure, development, DevOps and risk teams to support remediation plans and re-testing, ensuring critical findings are tracked to closure within the ICT risk and governance processes.
9. Develop and maintain internal testing methodologies, playbooks and tools to support repeatable and efficient assessments
10. Collaborate with SOC on purple-team style exercises to test and improve detection and response capabilities
11. Stay current on emerging threats, vulnerabilities, TTPs, etc, and incorporate into internal testing
Skills and experience
12. Background in cybersecurity, computer science, or related fields
13. 3-5 years of hands-on penetration testing or red-team experience, with demonstrable work on internal network, web applications and API; banking or financial services experience is a strong plus
14. Strong understanding of network protocols, operating systems (Windows, Linux), web and cloud technologies; familiarity with core banking architectures is a plus
15. Proficiency with common offensive tools and techniques (. Burp Suite, Metasploit, Cobalt Strike-like frameworks, Kali-based tooling) and ability to perform manual testing beyond tools
16. Solid knowledge of secure coding concepts and common application vulnerabilities (. OWASP Top 10) to assess web and API targets
17. Professional certifications such as OCSP, GXPN, or similar offensive security credentials in good standing
18. Strong communication skills and ability to explain complex technical findings to technical and non-technical audience
Our Values
19. Accountability: Taking ownership for tasks and challenges, as well as seeking continuous improvement
20. Hands-on: Being proactive to rapidly deliver high-quality results
21. Passionate: Being committed and striving for excellence
22. Solution-driven: Focusing on client outcomes and treating clients fairly with a risk-aware mindset
23. Partnership-oriented: Promoting collaboration and teamwork. Working together with an entrepreneurial spirit.
Application
Please ensure to attach a cover letter to your CV when filling the application.