Penetration Testing Engineer Jobs (NOW HIRING)

McKesson is an impact-driven, Fortune 10 company that touches virtually every aspect of healthcare. We are known for delivering insights, products, and services that make quality care more accessible and affordable. Here, we focus on the health, happiness, and well-being of you and those we serve – we care.

What you do at McKesson matters. We foster a culture where you can grow, make an impact, and are empowered to bring new ideas. Together, we thrive as we shape the future of health for patients, our communities, and our people. If you want to be part of tomorrow’s health today, we want to hear from you.

The McKesson Pentest Team (MPT) is seeking a seasoned Senior Penetration Testing Engineer to join our team and organization. At its core, our mission is to identify what truly breaks security and ensure those weaknesses are resolved before they can be exploited.

This role is critical in proactively identifying and mitigating security vulnerabilities across our applications, infrastructure, and cloud environments. The ideal candidate will have extensive experience in offensive security, red teaming, and vulnerability exploitation, and will strengthen our security posture through rigorous testing and threat simulation.

Key Responsibilities:

Penetration Testing

• Plan, execute, and report on penetration tests targeting web applications, APIs, mobile applications, infrastructure, and cloud environments across McKesson.

• Identify exploitable vulnerabilities with both automated tools and manual techniques.

• Assist system and application owners in understanding risk and implementing effective remediation.

• Develop customized tools and exploitation techniques to support advanced testing tailored to specific engagements.

• Collaborate and communicate effectively with external penetration testing vendors and service providers.

Security Tooling & Automation

• Develop and maintain custom scripts and tools to support testing activities.

• Contribute to the integration of security tools and processes within CI/CD pipelines to improve testing coverage and efficiency.

• Evaluate and deploy commercial and open-source security testing tools.

Project Management

• Partner with application teams to gain a thorough understanding of environments and define scope for business critical McKesson applications.

• Define scope and track compliance of applications and entities with penetration testing policy requirements, including PCI DSS, HIPAA, and SOC.

• Schedule and coordinate outreach with application teams to manage engagements with internal or external vendor resources.

Reporting & Communication

• Deliver detailed, actionable reports to technical and non-technical stakeholders.

• Present findings and recommendations to engineering, operations, and leadership teams.

• Maintain documentation of testing methodologies, tools, and results.

Security Research & Innovation

• Stay current with emerging threats, vulnerabilities, and offensive security techniques.

• Participate in threat modeling and contribute to the development of attack simulations.

• Mentor junior team members and contribute to internal knowledge sharing.

Minimum Requirements:

• Degree or equivalent and typically requires 7+ years of relevant experience.

Critical Experience/Technical Skills:

• Proficiency in scripting languages such as Python, Bash, or PowerShell.

• Expertise in tools such as Burp Suite Pro, Owasp ZAP, Nmap, and Kali Linux suite of tools for Web and Network Penetration testing.

• Experience with cloud penetration testing (AWS, Azure, GCP).

• Familiarity with MITRE ATT&CK framework and threat emulation techniques.

• Understanding of secure coding practices and common vulnerabilities (e.g., OWASP Top 10)

• Strong analytical and problem-solving abilities.

• Excellent written and verbal communication skills.

• Project and time management skills.

Preferred Knowledge & Skills:

• Bachelor’s degree (in Computer Science, Cybersecurity, or a related field) or equivalent work experience.

• Advanced certifications (e.g., OSCP, OSWA, OSWE, OSEP, OSCE, BSCP, HTB CWES, HTB CWEE, or other).

• Experience in purple teaming and collaboration with defensive security teams.

• Experience managing application security tools, including SAST, DAST, SCA, and WAF solutions.

• Experience with bug bounty programs, including platforms such as HackerOne and Bugcrowd.

• Knowledge of regulatory frameworks, including PCI DSS, HIPAA, and NIST standards.

• Interest in and experience with AI, including development, infrastructure, agents, penetration testing, or red teaming use cases (e.g., XBOW, Hadrian NOVA, Horizon3, Pentera, vPenTest, or open source alternatives).

We are proud to offer a competitive compensation package at McKesson as part of our Total Rewards. This is determined by several factors, including performance, experience and skills, equity, regular job market evaluations, and geographical markets. The pay range shown below is aligned with McKesson's pay philosophy, and pay will always be compliant with any applicable regulations. In addition to base pay, other compensation, such as an annual bonus or long-term incentive opportunities may be offered. For more information regarding benefits at McKesson, please click here.

Our Base Pay Range for this position

McKesson has become aware of online recruiting-related scams in which individuals who are not affiliated with or authorized by McKesson are using McKesson’s (or affiliated entities, like CoverMyMeds or RxCrossroads) name in fraudulent emails, job postings or social media messages. In light of these scams, please bear the following in mind:
McKesson Talent Advisors will never solicit money or credit card information in connection with a McKesson job application.

McKesson Talent Advisors do not communicate with candidates via online chatrooms or using email accounts such as Gmail or Hotmail. Note that McKesson does rely on a virtual assistant (Gia) for certain recruiting-related communications with candidates.

McKesson job postings are posted on our career site: careers.mckesson.com.

McKesson is an Equal Opportunity Employer

McKesson provides equal employment opportunities to applicants and employees, without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status, disability, age, genetic information, or any other legally protected category. For additional information on McKesson’s full Equal Employment Opportunity policies, visit our Equal Employment Opportunity page.

McKesson is committed to being an Equal Employment Opportunity Employer and offers opportunities to all job seekers including job seekers with disabilities. If you need a reasonable accommodation to assist with your job search or application for employment, please contact us by sending an email to (United States) Disability_Accommodation@McKesson.com or (Canada) Accessibility@mckesson.ca. Resumes or CVs submitted to this email box will not be accepted.

Join us at McKesson!