Role Purpose :

We are seeking an experienced Information Security Lead to drive and oversee end-to-end security assessments across diverse technology stacks - including web, mobile, API, infrastructure, and cloud. The role involves hands-on testing, validating findings with technical evidence or PoC, mapping results to standards (OWASP, NIST, CIS), and ensuring closure through effective remediation. The candidate will also act as a technical interface with customers, delivery teams, and internal stakeholders.

Key Responsibilities :

1. End-to-End VAPT Delivery :

- Plan, scope, and execute Vulnerability Assessment and Penetration Testing (VAPT) across applications, APIs, infrastructure, and cloud workloads.

- Focus on manual-first testing to uncover complex issues like IDOR/BOLA, broken access control, SSRF, logic abuse, and weak authentication.

- Deliver detailed reports with proof-of-concept, impact assessment, and remediation guidance.

2. Application / API / Mobile Security :

- Conduct security testing of web and APIs aligned with OWASP Top 10 (Web & API) standards.

- Perform mobile app testing (Android/iOS) per OWASP MASVS/MSTG, using tools like MobSF, Frida, and Objection.

- Work closely with developers and DevOps teams to clarify findings, verify fixes, and perform retests.

3. Cloud Security Review :

- Review AWS, Azure, and GCP configurations for misconfigurations, weak IAM policies, and exposed services.

- Recommend security hardening in line with CIS benchmarks.

- Validate cloud-exposed endpoints and configurations to prevent SSRF and metadata exposure attacks.

4. Defensive Integration :

- Translate assessment findings into actionable defensive controls - SIEM rules, WAF policies, and API gateway configurations.

- Collaborate with SOC/Defensive teams to enhance visibility and detection based on VAPT results.

5. Customer / Delivery / Internal Support :

- Join client and internal calls to explain methodologies, findings, and risk ratings.

- Provide inputs for SOWs, level of effort (LoE), and environment requirements.

- Conduct walkthroughs of assessment results with app, infra, and cloud teams for effective remediation.

6. Process & Team Enablement :

- Maintain and update SOPs, templates, and checklists in line with OWASP and NIST frameworks.

- Integrate testing processes into SDLC and CI/CD pipelines for continuous security assurance.

- Mentor junior team members, review reports, and ensure quality in assessment delivery.

Required Technical Skills :

- Strong hands-on experience in VAPT, WAPT, API, and Mobile Application Testing.

- Proficiency with tools : Burp Suite Pro, Nmap, MobSF, Frida, Objection, Postman, sqlmap, cloud consoles.

- Deep understanding of HTTP, OAuth2/OIDC/JWT, TLS, REST, GraphQL, and CORS.

- Familiarity with security frameworks and standards - OWASP, NIST CSF, CIS Benchmarks, CVSS v3.x.

- Scripting ability in Python/PowerShell for automation and PoC generation.

Preferred Certifications :

- Offensive Certifications : OSCP, OSWE, eWPTX, GWAPT, GMOB

- Cloud & Security Certifications : AZ-500, AWS Security Specialty, CCSP

- Exposure to SAST, DAST, SCA, and DevSecOps pipeline integration