
Penetration Tester

at CDK

Hyderabad, India | Mid | Posted 2026-04-30


About this role

About Us

CDK Global is a leading provider of cloud-based software to dealerships and Original Equipment Manufacturers (“OEMs”) across automotive and related industries. The Company’s cloud-based, software as a service (“SaaS”) platform enables dealerships to manage their end-to-end business operations including the acquisition, sale, financing, insuring, repair, and maintenance of vehicles. By automating and streamlining critical workflows, the integrated platform of modern solutions enables dealers to sell and service more vehicles by creating simple and convenient experiences for customers and improves their financial and operational performance.

Position Summary

CDK Global is seeking a skilled Penetration Tester with 3–6 years of experience across Web, API, Infrastructure, and Red Teaming disciplines. In this role, you will perform manual penetration tests on CDK’s products, platforms, APIs, and cloud environments. You will also support CDK’s internal red‑team and adversary simulation efforts, assess third‑party/vendor tools used across CDK, and collaborate with our DAST team to convert recurring vulnerabilities into automated test cases.

This position is a key part of CDK’s broader Application Security function and directly contributes to strengthening CDK’s overall security posture.

Responsibilities

  1. Manual Web & API Penetration Testing
     - Perform in‑depth penetration testing on CDK applications (web, internal, customer-facing, and APIs).
     - Identify authentication, authorization, logic, and input‑handling weaknesses.
     - Assess REST/GraphQL APIs supporting CDK products for schema abuse, rate-limiting issues, BOLA, and access control gaps.
  2. Infrastructure & Network Penetration Testing
     - Conduct internal and external network pentests across CDK environments.
     - Perform enumeration, service analysis, firewall/ACL review, privilege escalation on Windows/Linux, and AD attack path identification.
  3. Red Teaming / Adversary Simulation
     - Participate in CDK’s red‑team exercises, including initial access vectors, lateral movement, privilege escalation, and persistence.
     - Assist in developing realistic attack paths targeting CDK infrastructure and applications.
     - Support purple-team efforts with CDK detection and SecOps teams.
  4. AI/LLM Security Testing
     - Evaluate CDK’s AI-enabled or LLM-integrated services for prompt injection, data leakage, jailbreak scenarios, insecure plugin/tooling integration, and model abuse pathways.
  5. Vendor & Third‑Party Security Assessments
     - Conduct security evaluations for third-party tools and SaaS platforms considered for onboarding at CDK.
     - Review architecture, certifications, posture, and integration risks; provide recommendations to CDK stakeholders.
  6. Collaboration with CDK’s DAST & Automation Teams
     - Identify recurring findings from CDK products and assist the DAST team in automating these tests.
     - Provide reproducible PoCs, templates, and test case structures to strengthen CDK’s automation coverage.
  7. Vulnerability Reporting & Coordination
     - Document vulnerabilities in CDK’s centralized vulnerability management system (e.g., DefectDojo).
     - Provide risk context, remediation guidance, and work with CDK engineering teams during fix validation.
  8. Contributing to Secure SDLC Maturity at CDK
     - Support CDK’s secure engineering practices by contributing to AppSec playbooks, checklists, and guidelines.
     - Partner closely with product engineering, platform security, and cloud teams across CDK.

Qualifications

  - 3–6 years of hands-on experience in web, API, and infrastructure penetration testing.
  - Strong understanding of OWASP Top 10, API Top 10, MITRE ATT&CK, and common cloud/infrastructure attack surfaces.
  - Practical experience with:
     - Burp Suite, ZAP
     - nmap, ffuf, sqlmap
     - Nessus/Qualys (optional)
     - PowerShell, Bash, Python scripts
  - Strong reporting skills (clear PoCs, evidence, exploitable impact)
  - Experience engaging with engineering teams during retest cycles.

Preferred Qualifications

  - Experience with CDK-like large enterprise environments, multi-tier products, or cloud/SaaS platforms.
  - Exposure to container/Kubernetes security.
  - Purple teaming experience with detection engineering teams.
  - Certifications: OSCP, eWPT, CRTP, eWPTX, CEH, GWAPT (optional).
  - Strong attacker mindset, curiosity, and creativity.
  - Clear and effective communication with CDK stakeholders.
  - Ability to prioritize based on business and customer impact.
  - Ownership, accountability, and collaborative problem-solving.

At CDK, we believe inclusion and diversity are essential in inspiring meaningful connections to our people, customers and communities. We are open, curious and encourage different views, so that everyone can be their best selves and make an impact. CDK is an Equal Opportunity Employer committed to creating an inclusive workforce where everyone is valued. Qualified applicants will receive consideration for employment without regard to race, color, creed, ancestry, national origin, gender, sexual orientation, gender identity, gender expression, marital status, creed or religion, age, disability (including pregnancy), results of genetic testing, service in the military, veteran status or any other category protected by law. CDK is committed to providing reasonable accommodations for qualified individuals with disabilities and disabled veterans in our job application procedures. If you need assistance or an accommodation due to a disability, you may contact us at accommodations-ext@cdk.com. Applicants for employment in the US must be authorized to work in the US. CDK may offer employer visa sponsorship to applicants.
