Key Responsibilities
Penetration Testing & Offensive Security
- Plan and execute full-scope penetration tests across web applications, APIs, mobile apps, cloud infrastructure, and internal networks.
- Conduct threat modelling exercises and attack surface analysis for client applications and platforms.
- Perform manual and tool-assisted vulnerability assessments, including business logic flaws, authentication bypasses, injection attacks, and privilege escalation chains.
- Develop proof-of-concept exploits and document findings with clear, actionable remediation guidance tailored to the client's tech stack.
- Simulate real-world adversarial scenarios (red team operations) targeting people, processes, and technology.
Application Security & DevSecOps
- Embed security into SDLC processes by designing and implementing Secure-SDLC frameworks, security gates, and shift-left practices.
- Integrate and tune SAST, DAST, SCA, IaC scanning, and secrets detection tools within CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins, Azure DevOps).
- Review source code for security vulnerabilities across languages such as Python, Java, JavaScript/TypeScript, Go, and C#.
- Define and implement API security controls, including OAuth 2.0/OIDC configurations, rate limiting, and input validation frameworks.
- Conduct secure architecture reviews, threat modelling workshops (STRIDE, PASTA, LINDDUN), and cloud security assessments (AWS, Azure, GCP).
- Develop and deliver security training and awareness sessions for engineering, QA, and product teams.
Consulting & Client Engagement
- Act as the primary security point of contact for client engagements, managing stakeholder expectations and communication throughout the project lifecycle.
- Produce high-quality deliverables including executive reports, technical findings, remediation roadmaps, and security architecture diagrams.
- Contribute to pre-sales activities, including scoping calls, proposal development, and RFP responses.
- Collaborate with internal teams to develop new service offerings, training content, and thought leadership materials.
Qualifications Required
- 5–8 years of hands-on security experience, with demonstrable depth in both penetration testing and application security / DevSecOps.
- Proficiency with industry-standard offensive security tools: Burp Suite Pro, Metasploit, Nmap, Nessus/OpenVAS, BloodHound, Cobalt Strike (or equivalents).
- Strong knowledge of OWASP Top 10 (Web & API), CWE/SANS Top 25, MITRE ATT&CK, and CVSS scoring.
- Experience with at least one major cloud platform (AWS, Azure, or GCP) and familiarity with cloud-native services, IAM misconfigurations, and serverless security.
- Hands-on experience integrating security tooling (SAST, DAST, SCA, secrets scanning) into CI/CD pipelines.
- Solid scripting skills in Python, Bash, or PowerShell for automation and custom tooling.
- Excellent written and verbal communication — able to present technical findings to both engineering teams and C-suite executives.
Preferred
- Relevant certifications: OSCP, OSEP, BSCP, GWAPT, GWEB, CEH, CSSLP, AWS Security Specialty, or equivalent.
- Familiarity with compliance frameworks: SOC 2, ISO 27001, PCI-DSS, NIST CSF, or CIS Controls.
- Experience with container security (Docker, Kubernetes), service mesh, and zero-trust architecture.
- Prior consulting or client-facing experience in a professional services environment.
- Contributions to open-source security projects, CVE disclosures, or published security research.
What We Offer
Compensation & Benefits
- Competitive salary benchmarked globally
- Performance-linked annual bonus
- Paid time off + regional public holidays
Growth & Culture
- Annual certification & training budget
- Access to required practical DevSecOps courses
- Speak at conferences & publish research