Overview
About Us
CDK Global is a leading provider of cloud-based software to dealerships and Original Equipment Manufacturers (“OEMs”) across automotive and related industries. The Company’s cloud-based, software as a service (“SaaS”) platform enables dealerships to manage their end-to-end business operations including the acquisition, sale, financing, insuring, repair, and maintenance of vehicles. By automating and streamlining critical workflows, the integrated platform of modern solutions enables dealers to sell and service more vehicles by creating simple and convenient experiences for customers and improves their financial and operational performance.
Position Summary
CDK Global is seeking a skilled Penetration Tester with 3–6 years of experience across Web, API, Infrastructure, and Red Teaming disciplines. In this role, you will perform manual penetration tests on CDK’s products, platforms, APIs, and cloud environments. You will also support CDK’s internal red-team and adversary simulation efforts, assess third-party/vendor tools used across CDK, and collaborate with our DAST team to convert recurring vulnerabilities into automated test cases.
This position is a key part of CDK’s broader Application Security function and directly contributes to strengthening CDK’s overall security posture.
Responsibilities
- Manual Web & API Penetration Testing
  - Perform in-depth penetration testing on CDK applications (web, internal, customer-facing, and APIs).
  - Identify authentication, authorization, logic, and input-handling weaknesses.
  - Assess REST/GraphQL APIs supporting CDK products for schema abuse, rate-limiting issues, BOLA, and access control gaps.
- Infrastructure & Network Penetration Testing
  - Conduct internal and external network pentests across CDK environments.
  - Perform enumeration, service analysis, firewall/ACL review, privilege escalation on Windows/Linux, and AD attack path identification.
- Red Teaming / Adversary Simulation
  - Participate in CDK’s red-team exercises, including initial access vectors, lateral movement, privilege escalation, and persistence.
  - Assist in developing realistic attack paths targeting CDK infrastructure and applications.
  - Support purple-team efforts with CDK detection and SecOps teams.
- AI/LLM Security Testing
  - Evaluate CDK’s AI-enabled or LLM-integrated services for prompt injection, data leakage, jailbreak scenarios, insecure plugin/tooling integration, and model abuse pathways.
- Vendor & Third-Party Security Assessments
  - Conduct security evaluations for third-party tools and SaaS platforms considered for onboarding at CDK.
  - Review architecture, certifications, posture, and integration risks; provide recommendations to CDK stakeholders.
- Collaboration with CDK’s DAST & Automation Teams
  - Identify recurring findings from CDK products and assist the DAST team in automating these tests.
  - Provide reproducible PoCs, templates, and test case structures to strengthen CDK’s automation coverage.
- Vulnerability Reporting & Coordination
  - Document vulnerabilities in CDK’s centralized vulnerability management system (e.g., DefectDojo).
  - Provide risk context, remediation guidance, and work with CDK engineering teams during fix validation.
- Contributing to Secure SDLC Maturity at CDK
  - Support CDK’s secure engineering practices by contributing to AppSec playbooks, checklists, and guidelines.
  - Partner closely with product engineering, platform security, and cloud teams across CDK.
Qualifications
- 3–6 years of hands-on experience in web, API, and infrastructure penetration testing.
- Strong understanding of OWASP Top 10, API Top 10, MITRE ATT&CK, and common cloud/infrastructure attack surfaces.
- Practical experience with:
  - Burp Suite, ZAP
  - nmap, ffuf, sqlmap
  - Nessus/Qualys (optional)
  - PowerShell, Bash, Python scripts
- Strong reporting skills (clear PoCs, evidence, exploitable impact).
- Experience engaging with engineering teams during retest cycles.
- Experience with CDK-like large enterprise environments, multi-tier products, or cloud/SaaS platforms.
- Exposure to container/Kubernetes security.
- Purple teaming experience with detection engineering teams.
- Certifications: OSCP, eWPT, CRTP, eWPTX, CEH, GWAPT (optional).
- Strong attacker mindset, curiosity, and creativity.
- Clear and effective communication with CDK stakeholders.
- Ability to prioritize based on business and customer impact.
- Ownership, accountability, and collaborative problem-solving.
At CDK, we believe inclusion and diversity are essential in inspiring meaningful connections to our people, customers and communities. We are open, curious and encourage different views, so that everyone can be their best selves and make an impact.
CDK is an Equal Opportunity Employer committed to creating an inclusive workforce where everyone is valued. Qualified applicants will receive consideration for employment without regard to race, color, creed, ancestry, national origin, gender, sexual orientation, gender identity, gender expression, marital status, creed or religion, age, disability (including pregnancy), results of genetic testing, service in the military, veteran status or any other category protected by law.
Applicants for employment in the US must be authorized to work in the US. CDK may offer employer visa sponsorship to applicants.