
Application Penetration Testing Lead

AVENIRDIGITAL SOLUTIONS PRIVATE LIMITED
10 - 12 Years
Pune

Posted on: 24/02/2026

Job Description

Description :

We're Hiring | Application Penetration Testing Lead

Location : Pune

Work Mode : Work from Office

Experience : 10+ Years

We are looking for a highly skilled Application Penetration Testing Lead to own and drive advanced application security testing across web, mobile, and API platforms. This is a leadership role focused on deep manual testing, dynamic analysis, and real-world exploitation, working closely with development and architecture teams to strengthen the overall security posture.


Role Overview :


As the Application Penetration Testing Lead, you will lead hands-on penetration testing initiatives, mentor junior testers, and partner with engineering teams to ensure vulnerabilities are effectively remediated using a risk-based approach.


Key Responsibilities :


- Lead and perform end-to-end penetration testing for web, mobile, and API applications

- Execute manual and dynamic testing, including exploitation and fix validation

- Plan and author high-quality penetration test reports with risk ratings and remediation guidance

- Perform architecture and design reviews from an attack-surface and runtime perspective

- Identify business logic flaws, chained vulnerabilities, and advanced attack paths beyond automated scans

- Utilize tools like Burp Suite Pro, OWASP ZAP, intercepting proxies, fuzzers, scanners, Nmap, etc.

- Conduct third-party and vendor penetration assessments

- Work closely with developers, architects, and product teams to drive remediation and define SLAs

- Mentor junior pentesters on methodology, exploitation techniques, and reporting standards

- Present findings clearly to both technical teams and senior leadership

- Stay current with emerging attack techniques, tools, and application-level threats


Technical Expertise :


- Strong hands-on experience in manual penetration testing (web, mobile, APIs)

- Expertise in DAST and runtime attack vectors

- Deep understanding of OWASP Top 10, WASC, CWE, and modern exploitation techniques

- Experience testing applications built on Java/J2EE, .NET, Python, PHP, JavaScript, and modern frameworks

- Solid knowledge of HTTP/HTTPS, SSL/TLS, OAuth, SAML, authentication & session management

- Mobile app testing experience (iOS & Android) and API security (REST, GraphQL)

- Familiarity with cloud-hosted environments such as AWS / Microsoft Azure / Google Cloud Platform from an attack-surface perspective

- Strong scripting skills (Python, Bash, or similar) for automation and exploit development


Preferred Qualifications :


- Certifications : OSCP, OSWE, GPEN, GWAPT, ECSA, LPT, or equivalent

- Experience with red-team or advanced chained-exploit assessments

- Exposure to CI/CD-integrated pentesting workflows

- Prior experience in BFSI, healthcare, or regulated environments is a plus
