Senior AI Penetration Tester (New York)

As a leading, global financial information services provider, Fitch Group delivers vital credit and risk insights, robust data, and dynamic tools to champion more efficient, transparent financial markets. With over 100 years of experience and colleagues in over 30 countries, Fitch Group’s culture of credibility, independence, and transparency is embedded throughout its structure, which includes Fitch Ratings, one of the world’s top three credit ratings agencies, and Fitch Solutions, a leading provider of insights, data and analytics. With dual headquarters in London and New York, Fitch Group is owned by Hearst.

Fitch's Technology & Data Team is a dynamic department where innovation meets impact. Our team includes the Chief Data Office, Chief Software Office, Chief Technology Office, Emerging Technology, Shared Technology Services, Technology, Risk and the Executive Program Management Office (EPMO). Driven by our investment in cutting-edge technologies like AI and cloud solutions, we’re home to a diverse range of roles and backgrounds united by a shared passion for leveraging modern technology to drive projects that matter to our organization and clients. We are also proud to be recognized by Built In as a Best Place to Work in Technology 3 years in a row. Whether you're an experienced professional or just starting your career, we offer an exciting and supportive environment where you can grow, innovate, and make a difference. 

Want to learn more about a career in technology and data at Fitch? Visit:

https://careers.fitch.group/content/Technology-and-Data/?locale=en_US  

Fitch Group is currently seeking a Senior AI Penetration Tester based out of our New York office.

How You’ll Make an Impact:

We are seeking a Senior AI Penetration Tester to join our Information Security department. The ideal candidate will bring 2–4 years of hands-on penetration testing experience, deep technical expertise, a proactive approach to identifying security gaps, and the ability to leverage AI agents and automation to continuously improve testing capabilities.

• Conduct security assessments of AI systems and implementations — including AI chatbots, MCP (Model Context Protocol) servers, and enterprise deployments of Claude, ChatGPT, and Azure OpenAI Studio — identifying risks such as prompt injection, model abuse, data exfiltration etc. Execute continuous adversarial testing of AI platforms and guardrails to validate controls keep pace with evolving vendor capabilities.
• Plan, scope, and execute penetration testing engagements across network infrastructure (servers, firewalls, endpoints, Active Directory) and perform comprehensive web application security assessments covering OWASP Top 10 vulnerabilities, business logic flaws, authentication weaknesses, and API security issues — following OWASP, and MITRE ATT&CK and other methodologies.
• Leverage AI agents and AI-assisted tooling (such as Claude and ChatGPT) to augment testing workflows and automate reconnaissance, while developing and maintaining custom scripts and exploit code for attack chain automation, payload generation, and post-exploitation tasks.
• Document and communicate assessment outcomes — including findings, risk context, and remediation guidance — clearly for both technical teams and senior stakeholders; collaborate with Vulnerability Management, Application, and Infrastructure teams to ensure findings are handed off with clear remediation ownership.
• Stay current with the latest offensive security research, CVEs, exploitation techniques, and AI security threats; support red team exercises and threat simulation activities; and maintain detailed records of testing activities, methodologies, and evidence per internal documentation standards.

You May be a Good Fit if:

The ideal candidate will have 2–4 years of hands-on penetration testing experience, with demonstrated expertise across emerging AI security, network, and application domains. They should possess strong scripting and exploit development skills, comfort working with AI-powered tools, and the ability to communicate complex technical findings clearly and effectively.

• Hands-on AI red-teaming experience covering prompt injection (direct and indirect), jailbreaking, tool-use abuse, insecure output handling, training/context data exfiltration, and model DoS; familiarity with OWASP Top 10 for LLMs and MITRE ATLAS expected.
• Hands-on penetration testing experience across network infrastructure (servers, endpoints, network devices, Active Directory), web applications (OWASP Top 10, API security, manual and automated testing), and AI/LLM-based systems — with a solid grounding in TCP/IP, DNS, HTTP/S, VPNs, and firewalls.
• Strong scripting proficiency in Python, Bash, or PowerShell — able to write custom exploit scripts, develop attack tooling from scratch, and adapt public PoCs — with working knowledge of Metasploit, Burp Suite (including Burp AI extensions), Nmap, Nessus/OpenVAS, BloodHound, Cobalt Strike and other similar tools
• Experience using AI tools (such as Claude, ChatGPT, or similar) for penetration testing activities including reconnaissance, vulnerability analysis, payload crafting, and exploit development.
• Ability to produce clear, well-structured assessment reports that translate findings, risk ratings, and remediation guidance into actionable insights for both technical teams and senior stakeholders.

What Would Make You Stand Out:

• Experience assessing AI systems and LLM-based applications in enterprise deployments (Claude, ChatGPT, Azure OpenAI Studio, or similar), identifying risks including prompt injection, insecure tool use, MCP server misconfigurations, and risks across agentic orchestration workflows.
• Experience testing AI systems in regulated or data-sensitive environments where material non-public information (MNPI), confidential client data, or similar controlled data classes are in scope.
• Experience with AI agent monitoring/observability platforms and strong working knowledge of the MITRE ATT&CK framework, including staying current with newly published TTPs and actively applying them during engagements to simulate real-world adversary behavior.
• Experience with cloud penetration testing across AWS, Azure, or GCP environments, and/or exposure to container and Kubernetes security assessments.
• Knowledge of secure coding practices and ability to perform basic code review to support application security engagements; familiarity with compliance frameworks such as PCI DSS, DORA, and ISO 27001.
• Certifications such as OSCP, CEH, GPEN, GWAPT; a degree in Computer Science, Cybersecurity, Information Systems, or equivalent practical experience; and/or participation in bug bounty programs or CTF competitions.

Why Choose Fitch: 

• Hybrid Work Environment: 2 to 3 days a week in office required based on your line of business and location

• A Culture of Learning & Mobility: Dedicated trainings, leadership development and mentorship programs designed to ensure that your time at Fitch will be a continuous learning opportunity
• Investing in Your Future: Retirement planning, financial wellness and tuition reimbursement programs that empower you to achieve your short and long-term goals
• Promoting Health & Wellness: Comprehensive healthcare offerings that prioritize a healthy body & mind
• Supportive Parenting Policies: Family-first policies, including a generous global parental leave plan, designed to help you balance career and family life effectively
• Dedication to Giving Back: Paid volunteer days and support for community engagement initiatives

At Fitch, AI is embedded in how we work every day—supporting smarter decision-making, streamlining workflows, and enabling new ways to create value for our business and clients. Intelligent solutions are increasingly part of our day-to-day operations, helping teams work more efficiently and think differently as we continue to evolve. We’re looking for colleagues who are comfortable operating in an AI-enabled environment—or who are curious, adaptable, and eager to build their AI literacy over time. We value professionals who embrace technology as part of continuous learning and who are committed to using it thoughtfully to enhance how work gets done.

Fitch is committed to providing global securities markets with objective, timely, independent and forward-looking credit opinions. To protect Fitch’s credibility and reputation, our employees must take every precaution to avoid conflicts of interests or any appearance of a conflict of interest. Should you be successful in the recruitment process at Fitch Ratings you will be asked to declare any securities holdings and other potential conflicts prior to commencing employment. If you, or your immediate family, have any holdings that may conflict with your work responsibilities, you may be asked to divest yourself of them before beginning work. 

Fitch is proud to be an Equal Opportunity and Affirmative Action Employer. We evaluate qualified applicants without regard to race, color, national origin, religion, sex, sexual orientation, gender identity, disability, protected veteran status, and other statuses protected by law. 

FOR NEW YORK ROLES ONLY

Expected base pay rates for the role will be between $140,000 and $160,000 per year. Actual salaries will be determined on an individualized basis and may vary based on factors including but not limited to education, training, experience, past performance, and other job-related factors.  Base pay is one part of Fitch’s total compensation package, which, depending on the position, may also include commission earnings, discretionary bonuses, long-term incentives, and other benefits sponsored by Fitch.