Job Description

About the Team

KPMG’s Technology Risk & Cyber team is a nationally led, fast‑growing group helping clients tackle complex technology risks and cyber threats. The practice brings deep capabilities across cyber strategy, risk management, cloud security, incident response and resilience, working across industries to deliver innovative, trusted solutions. You’ll join a collaborative, future‑focused environment where your security and cyber defence skills make a real impact for Australian organisations. We also partner closely with adjacent Technology Risk & Resilience specialists to strengthen governance, audit/assurance and operational resilience programs (including cloud control frameworks and incident response planning).

About the Role

We’re hiring a Senior Consultant with strong hands‑on penetration testing and cyber defence expertise. You’ll plan and execute technical assessments (network, application, API, cloud), support red team exercises, and collaborate with client SOC/blue teams (purple teaming) to improve detection and response. You’ll translate complex issues into practical recommendations, guide junior consultants, and contribute to proposals and thought leadership. Importantly, you will continue to grow as an offensive security professional, working with your team and technical community to gain new skills, experience and certifications.

Position Objectives

Reduce real‑world cyber risk for clients through high‑quality offensive testing and pragmatic remediation guidance.
Enhance resilience by aligning technical controls and response playbooks with recognised standards and client obligations (e.g., ISO/NIST, ASD Essential Eight, APRA CPS 234; and, for resilience, CPS 230 where applicable).
Elevate trust with board‑ready reporting that connects technical findings to business objectives and regulatory expectations.

Key Responsibilities

Plan and deliver penetration tests across web/mobile applications, internal/external networks, APIs and cloud platforms, applying both manual tradecraft and tooling; produce clear, actionable reports and retest remediation.
Conduct red team exercises (scenario‑based adversary simulations) to assess end‑to‑end detection, response and resilience; coordinate purple‑team activities with client defenders to uplift SOC capabilities.
Assess and harden controls against recognised frameworks and regulations (e.g., ISO/IEC 27001, NIST CSF, ASD Essential Eight, APRA CPS 234; and resilience alignment to CPS 230).
Support incident response readiness (tabletops, playbooks, detection engineering) and contribute to compromise assessments where required.
Coach junior team members; contribute to proposals, pricing and client presentations; help develop service accelerators and methodologies.

Skills & Experience

Offensive security background with proven delivery of penetration testing and (ideally) red/purple‑team engagements across multiple environments.
Developing consulting skills: a commitment to client service excellence, structured communication and the ability to brief senior stakeholders in plain language.
Risk & resilience literacy: familiarity with ISO 27001/NIST CSF, ASD Essential Eight, APRA CPS 234 (information security) and CPS 230 (operational resilience) in Australian contexts.
Security engineering know‑how across common attack paths (identity, email, endpoint, network, cloud), plus knowledge of modern SOC tooling and detection/response practices.
Growth mindset: stays current on emerging threats (including AI‑enabled attacks) and the defensive automation opportunities highlighted in KPMG’s latest cyber considerations, coupled with a commitment to gain new skills and certifications.