Skill Profile

Security Testing

OWASP ZAP, Burp Suite, penetration testing, DAST pipelines, SAST integration


Roles: 7 (where this skill appears)

Levels: 5 (structured growth path)

Mandatory requirements: 27 (the other 8 optional)

Domain: Testing & QA

Group: Specialized Testing

Last updated: 3/17/2026

How to Use

Choose your current level and compare expectations. The items below show what to cover to advance to the next level.

What is Expected at Each Level

The table shows how skill depth grows from Junior to Principal.

Level 1 (Junior)

Application Security Engineer (Optional) - Understands security testing fundamentals: OWASP Top 10 vulnerabilities, basic SAST/DAST tool usage (SonarQube, OWASP ZAP), and security test case design. Runs automated security scans and reports findings. Follows team guidelines for secure coding verification and vulnerability triage.
DevSecOps Engineer (Optional) - Understands security testing in a CI/CD context: integrating SAST/DAST scanners into pipelines, container image vulnerability scanning, and dependency security checks. Configures automated security gates in build processes. Follows team practices for security tool configuration and alert management.
Penetration Testing Engineer (Optional) - Understands penetration testing fundamentals: reconnaissance techniques, common web application vulnerabilities, and basic exploitation tools (Burp Suite, Metasploit). Conducts guided vulnerability assessments following established methodologies. Reports findings with clear reproduction steps and risk ratings.
QA Automation Engineer (Required) - Understands security testing basics for QA: OWASP testing guidelines, basic security assertions in automated tests (XSS, SQL injection checks), and security test data management. Integrates basic security checks into existing test frameworks. Follows team practices for security regression testing.
QA Engineer (Manual) (Required) - Understands security testing fundamentals from a QA perspective: manual security test case design, authentication/authorization flow testing, and input validation verification. Executes security-focused exploratory testing sessions. Follows team guidelines for security defect reporting and classification.
QA Security Engineer (Required) - Understands security QA fundamentals: security test planning, OWASP testing methodology, and security-focused test case design. Executes security test suites covering authentication, authorization, input validation, and data protection. Uses basic security testing tools (OWASP ZAP, Burp Suite Community). Follows team practices for security defect lifecycle management.
Security Analyst (Optional) - Understands security testing from an analytical perspective: interpretation of vulnerability assessment reports, analysis of security scan results, and risk rating methodologies (CVSS). Monitors security scanning dashboards and tracks remediation progress. Follows team practices for vulnerability management workflows.
Level 2

Application Security Engineer (Optional) - Independently conducts application security testing: custom SAST rule creation, DAST scan configuration for complex applications, and interactive application security testing (IAST). Performs manual code review for security-critical components. Creates security test automation for CI/CD pipelines. Covers edge cases in authentication, authorization, and data validation.
DevSecOps Engineer (Optional) - Introduces security testing in CI/CD: SAST with Semgrep, dependency scanning with Snyk, secret detection with Gitleaks. Conducts manual security testing of web applications with Burp Suite. Writes security test cases for critical functions: authentication, authorization, payment processing.
Penetration Testing Engineer (Optional) - Independently conducts penetration tests: web application exploitation (SQLi, XSS, SSRF, deserialization), API security testing, and infrastructure vulnerability assessment. Uses advanced Burp Suite techniques (custom extensions, Intruder patterns). Creates proof-of-concept exploits and detailed technical reports with remediation guidance.
QA Automation Engineer (Required) - Implements security test automation: integrates OWASP ZAP into CI/CD for automated DAST, creates security regression test suites, and implements API security testing (authentication bypass, injection, rate limiting). Develops custom security test scripts for domain-specific vulnerabilities. Covers edge cases in security control validation.
QA Engineer (Manual) (Required) - Independently conducts manual security testing: exploratory security testing sessions, authentication/authorization bypass attempts, and input validation boundary testing. Creates comprehensive security test plans covering OWASP guidelines. Collaborates with the pentest team on vulnerability verification. Applies security-focused test design techniques.
QA Security Engineer (Required) - Conducts security testing: OWASP Top 10 verification, vulnerability scanning (ZAP/Burp), dependency checking (Snyk). Documents findings with reproducible steps.
Security Analyst (Optional) - Independently analyzes security testing results: correlates vulnerability scan findings across tools, assesses risk impact for business-critical applications, and tracks remediation SLA compliance. Creates vulnerability management reports and trend analysis. Conducts threat modeling sessions to prioritize security testing efforts.
Level 3

Application Security Engineer (Required) - Designs the security testing strategy for applications: custom SAST/DAST pipeline architecture, threat-model-driven test planning, and security chaos engineering. Implements advanced testing techniques: mutation-based fuzzing, semantic code analysis, and API-specification-driven security testing. Creates security testing frameworks and reusable test libraries. Mentors the team on security testing methodologies.
DevSecOps Engineer (Required) - Develops the security testing strategy for all SDLC stages. Introduces fuzz testing (AFL, libFuzzer) for memory corruption vulnerability detection. Configures IAST for runtime analysis in staging. Creates an automated API penetration testing framework with Nuclei and custom templates.
Penetration Testing Engineer (Required) - Designs comprehensive penetration testing programs: red team operations, advanced exploit development, and security assessment frameworks. Implements automated vulnerability discovery pipelines. Conducts advanced attacks: cloud infrastructure exploitation, container escape, and supply chain attack simulation. Creates pentest tooling and custom exploit frameworks. Mentors the team on advanced offensive security techniques.
QA Automation Engineer (Required) - Designs the security testing architecture for the product: automated security test pyramid (SAST/DAST/IAST), security regression framework, and vulnerability detection pipelines. Implements contract-based API security testing and fuzz testing for input validation. Creates security testing CoE practices. Optimizes security test execution for fast CI/CD feedback. Mentors the team on security test automation.
QA Engineer (Manual) (Required) - Designs the security testing strategy for QA: security test planning aligned with threat models, exploratory security testing frameworks, and security regression test management. Implements security testing metrics and quality dashboards. Creates security testing training materials for the QA team. Mentors the team on security-focused test design and risk-based testing.
QA Security Engineer (Required) - Designs the security testing program: risk-based testing strategy, automated vulnerability scanning pipeline, and manual penetration testing scope. Integrates with the bug bounty program.
Security Analyst (Required) - Designs security analytics for vulnerability management: automated vulnerability correlation across scanning tools, risk-based prioritization models, and executive reporting dashboards. Implements continuous security monitoring for the application portfolio. Conducts organizational threat modeling and risk assessments. Mentors the team on advanced security analysis techniques.
Level 4

Application Security Engineer (Required) - Defines the security testing strategy across the organization. Establishes SAST/DAST/IAST standards, security testing quality gates, and DevSecOps practices. Drives adoption of a shift-left security testing culture. Creates a security testing CoE and trains security champions across engineering teams.
DevSecOps Engineer (Required) - Defines the security testing program for the organization. Manages the internal penetration testing team and coordinates external audits. Builds metrics: coverage, vulnerability density, escape rate. Introduces chaos engineering for security (GameDay). Integrates security testing into the Definition of Done.
Penetration Testing Engineer (Required) - Defines the penetration testing strategy for the organization. Establishes pentest methodologies, scope guidelines, and reporting standards. Coordinates red team operations and purple team exercises. Creates attack simulation frameworks for continuous security validation. Trains the pentest team on emerging attack vectors.
QA Automation Engineer (Required) - Defines the security testing strategy at the product level. Establishes automated security testing standards, quality gates, and DevSecOps integration requirements. Drives adoption of security testing as part of every team's CI/CD pipeline. Creates security testing infrastructure and tooling standards across the organization.
QA Engineer (Manual) (Required) - Defines the security testing strategy at the team/product level. Establishes security testing standards and best practices. Conducts reviews and coordinates penetration testing.
QA Security Engineer (Required) - Defines security testing standards: testing methodology, tool selection, and reporting requirements. Coordinates security testing across the development lifecycle.
Security Analyst (Required) - Defines the security analysis and vulnerability management strategy. Establishes vulnerability scanning policies, risk assessment frameworks, and remediation SLA requirements. Coordinates threat intelligence integration for security testing prioritization. Creates security analytics capabilities for organization-wide vulnerability visibility.
Level 5 (Principal)

Application Security Engineer (Required) - Defines the organization's QA strategy. Shapes the quality engineering culture. Implements platform testing solutions.
DevSecOps Engineer (Required) - Designs a corporate security testing framework unifying SAST, DAST, IAST, SCA, fuzzing, and pentesting into a single program. Defines the AI-assisted security testing strategy. Develops a security testing maturity model. Manages relationships with external security researchers.
Penetration Testing Engineer (Required) - Defines the enterprise offensive security strategy. Shapes organizational red team capabilities and continuous security validation programs. Drives adoption of adversary simulation and breach-and-attack simulation (BAS) platforms. Coordinates with industry on emerging threats and offensive security research. Represents the organization in security conferences and standards bodies.
QA Automation Engineer (Required) - Defines the organizational security testing strategy as part of overall quality engineering. Builds a security-aware testing culture across all development teams. Implements platform solutions for automated security validation at scale. Drives adoption of AI-assisted security testing and continuous security assurance practices.
QA Engineer (Manual) (Required) - Defines the organizational QA strategy. Fosters a quality engineering culture. Implements platform solutions for testing.
QA Security Engineer (Required) - Designs the organizational security testing strategy: continuous security assurance, automated compliance verification, and a security testing center of excellence.
Security Analyst (Required) - Defines the enterprise security monitoring and vulnerability management strategy. Shapes organizational security analytics capabilities and risk management frameworks. Drives adoption of advanced threat detection and automated security assessment at scale. Coordinates compliance requirements and industry standards for security testing practices.
