Job Description

Sr. VAPT Engineer

23-06-2026 23:40:14

Job_304299

4 - 6 years

  • Chennai, Tamil Nadu, India (CHN)

Job Summary: We are looking for a visionary Lead Security Engineer to spearhead our Offensive Security program. You will lead a team of elite security professionals focused on uncovering vulnerabilities before adversaries do. This role combines deep technical expertise in Web, Mobile, and API penetration testing with the strategic mindset required to manage a global Vulnerability Management (VM) program and a high-functioning Red Team. 

Key Responsibilities:

1. Web Application & API Penetration Testing

• Conduct manual VAPT on web applications based on OWASP Top 10 and WSTG (Web Security Testing Guide) methodologies.

• Perform API security testing (REST, SOAP, GraphQL) to identify vulnerabilities like BOLA (Broken Object Level Authorization), injection flaws, and authentication bypasses.

• Test for complex business logic vulnerabilities that automated tools cannot detect.

• Perform authenticated and unauthenticated scans, followed by manual validation of findings. 

2. Mobile Application VAPT (iOS & Android)

• Perform security assessments on Android (APK) and iOS (IPA) applications, including binary analysis and dynamic analysis.

• Conduct runtime manipulation using tools like Frida or Objection to bypass SSL pinning, root/jailbreak detection, and tamper with application data.

• Analyze secure data storage (local database, keychain, shared preferences), data leakage, and insecure communication protocols.

• Review API endpoints utilized by mobile apps for backend vulnerabilities. 

3. Technical Research and Improvements

• Stay up to date with the latest mobile security trends, new attack vectors, and industry threats (e.g., OWASP Mobile Top 10).

• Develop custom scripts or modify existing tools for specialized testing needs. 

• Red Team Campaigns: Design and execute full-chain adversary simulations to test the detection and response capabilities of our Blue Team (SOC).

4. Vulnerability Management & Governance

• Continuous Exposure Management: Oversee the automated VM lifecycle, moving beyond simple CVSS scores to a risk-based model using real-world exploitability data.

• ASPM Integration: Implement Application Security Posture Management (ASPM) to correlate findings from SAST, DAST, and manual penetration testing.

• Incident Response Support: Provide expert offensive context during active security incidents to help contain and remediate threats.

5. Reporting and Remediation Guidance

• Generate comprehensive, high-quality VAPT reports detailing findings, exploitation steps (Proof of Concept - PoC), business impact, and risk ratings (CVSS).

• Collaborate with developers and product teams to explain vulnerabilities and recommend remediation strategies.

• Perform re-testing to validate the successful closure of identified vulnerabilities. 

Required Technical Skills

• Manual Testing: Expert-level manual penetration testing experience.

• PT Tools: Burp Suite Professional, OWASP ZAP, Metasploit, Nmap, SQLmap, Wireshark, Postman.

• VM Tools: Proficient in Tenable Expert, Tenable.io, Qualys VMDR / Rapid7.

• Mobile Tools: Experienced with Frida, Objection, MobSF, ADB, Xcode.

• Frameworks: In-depth knowledge of OWASP Top 10, OWASP Mobile Top 10, and OWASP API Security Top 10.

• Scripting: Basic to intermediate scripting skills (Python, Bash, or JavaScript) for automating security testing.

• OS: Strong knowledge of Linux (Kali) and basic understanding of Android/iOS internals. Deep knowledge of Linux (RHEL/Ubuntu) and Windows Server hardening.

• Cloud/DevOps: Experience with AWS/Azure Security Hub, Terraform, and GitHub Actions pipelines.

Required Qualifications

• Experience: 4+ years of relevant experience in Vulnerability Assessment and Penetration Testing.

• Education: Bachelor’s degree in Computer Science, Information Security, or a related field.

• Certifications (Preferred): CEH, OSWE, PenTest+, eJPT/eWPT or other recognized cybersecurity certifications.

Soft Skills

• Excellent written and verbal communication skills for technical reporting.

• Ability to think like an attacker to solve complex technical problems.

• Ability to work under pressure and meet tight deadlines.

Project Requirements:

Key Responsibilities

• Own scan schedules, coverage, and health in Tenable.

• Ensure asset inventory accuracy, tagging standards, and criticality mapping.

• Perform risk-based triage using CVSS, EPSS, KEV, and risk models.

• Partner with tower leads to define remediation plans.

• Track remediation SLAs and escalate blockers.

• Produce weekly vulnerability status reports.

• Maintain governance, risk, and compliance requirements.

• Develop Excel-based automation tools for reconciliation and reporting.
Required Qualifications

• 5–8+ years in Vulnerability Management or Security Operations.

• Deep expertise with Tenable and hands-on Brinqa experience.

• Advanced MS Excel skills including Power Query, PivotTables, macros.

• Solid understanding of CVSS, EPSS, KEV.

• Familiarity with enterprise patching and ITSM platforms.

• Strong communication and stakeholder management.

Preferred Qualifications

• Knowledge of CIS benchmarks, STIGs, and secure configuration baselines.

• Experience integrating vulnerability data with ITSM and CMDB.

• Scripting knowledge such as PowerShell or Python.

• Relevant certifications (Security+, CySA+, CISSP, etc.).
Success Metrics (KPIs)

• Vulnerability risk reduction.

• SLA adherence percentages.

• Scan coverage and credentialed scan rates.

• MTTR for vulnerabilities.

• Exception hygiene.

• Timely weekly reporting.