Lead Offensive Security Engineer

About the role

The Cyber Security Operations team is critical to the strategic foundation of our products, most notably the secure delivery of our Digital SAT and AP programs. We are a highly motivated group of cyber security experts who take a proactive approach to ensuring a strong security posture. We partner across the organization to mature our Threat Management and Incident Response procedures and are constantly seeking and experimenting with new technologies. We are currently using a variety of cutting-edge tools that provide comprehensive cyber security operations for the College Board's critical infrastructure in support of the College Board's mission to connect students to college success and opportunity. College Board is committed to creating an inclusive environment where all team members feel valued, respected, and supported in their work. We welcome individuals from diverse backgrounds and experiences to join our team and contribute to our ongoing success. The College Board is seeking a Lead Offensive Security Engineer who will serve as the technical leader of our Red Team capability. In partnership with leadership, who sets the strategic direction and risk priorities for the program, you will translate that vision into disciplined, high-impact offensive security campaigns that meaningfully improve our security posture. You will own the technical design and execution quality of red team engagements, shaping how assessments are planned, executed, and measured. This includes defining attack approaches, selecting and refining tooling, and ensuring that adversary simulations reflect real-world threat tradecraft relevant to our environment. Over time, you will play a key role in recommending priorities and evolving the "what" based on emerging threats and observed risk, while maintaining clear alignment with leadership direction. Beyond executing engagements, you will raise the bar for how offensive security is practiced at College Board. You will ensure our red team operations are repeatable, measurable, and operationally sound, with strong documentation, defensible methodologies, and executive-ready reporting. Your work will directly influence detection engineering, incident response readiness, and the resilience of systems that support the secure delivery of the Digital SAT, AP programs, and other mission-critical services. In this role, you will: Design and evolve the Red Team capability (35%) Define and continuously refine the red team engagement model, including methodology, scope development, rules of engagement, evidence standards, and quality controls. Shape offensive assessment strategy in partnership with leadership, translating program priorities into technically sound attack approaches and campaign plans. Determine tooling, infrastructure, and C2 frameworks used in approved environments, ensuring tradecraft reflects relevant real-world threat actors and techniques. Establish standards for multi-stage adversary simulation, ensuring engagements are realistic, repeatable, and aligned to MITRE ATT&CK and current threat intelligence. Continuously assess and improve how red team effectiveness is measured, including coverage, repeat findings, and defensive validation outcomes. Lead execution of high-impact offensive campaigns (40%) Lead and personally execute advanced penetration tests and red team assessments across client applications, web applications, APIs, endpoints, and supporting infrastructure. Orchestrate multi-stage attack simulations spanning initial access, privilege escalation, lateral movement, persistence, and objective completion within approved guardrails. Plan and drive purple team exercises in close partnership with Threat Hunt, SOC, and Incident Response teams to validate and strengthen detection and response capabilities. Evaluate the effectiveness of security controls, including SIEM, EDR, and network monitoring, and drive re-testing to confirm measurable improvement. Coordinate and guide other red team engineers during engagements, ensuring consistency, technical rigor, and high-quality deliverables. Drive measurable defensive impact and organizational enablement (25%) Translate offensive findings into prioritized, actionable remediation guidance and partner with system owners to drive meaningful risk reduction. Produce executive-ready reports and briefings that clearly articulate risk, impact, and recommended actions for both technical and non-technical stakeholders. Develop and maintain standardized red team artifacts, including playbooks, adversary emulation plans, reporting templates, and documentation that improve repeatability and knowledge transfer. Provide technical guidance to Vulnera