HCM Nexus

Vulnerability Assessment & Penetration Testing (VAPT) Engineer

HCM Nexus  •  Taguig, PH (Onsite)  •  1 month ago

Job Description

We are seeking a highly skilled Vulnerability Assessment & Penetration Testing (VAPT) Engineer to lead and perform technical security testing of the firm's enterprise applications, platforms, and systems. This role is a critical part of the global cybersecurity function, ensuring that vulnerabilities are identified, reported, and addressed in a timely, risk-informed manner. The successful candidate will bring deep expertise in web application penetration testing, mastery of common VAPT tools, and the ability to communicate technical findings effectively to both technical and non-technical audiences.

Key Responsibilities:

  • Conduct manual and automated penetration tests on web applications, cloud platforms, APIs, and internal systems.
  • Identify, assess, and document security vulnerabilities, working closely with application and infrastructure teams to validate and prioritize remediation.
  • Serve as a subject matter expert (SME) for the firm's VAPT function, contributing to strategy, standards, and testing methodologies.
  • Manage and maintain key VAPT tools and platforms (e.g., Burp Suite, AppScan, Nessus, Nipper, Trustwave).
  • Deliver clear, well-structured reports that include actionable recommendations aligned with security best practices and risk management principles.
  • Collaborate with internal stakeholders across IT, DevOps, and InfoSec teams to enhance secure development practices and build threat awareness.
  • Stay current on emerging security threats, techniques, and tools to continuously improve VAPT effectiveness.

Qualifications:

  • At least 5 years of hands-on experience in web application penetration testing and vulnerability assessments in large-scale enterprise environments.
  • Proven experience using at least two of the following tools: Burp Suite, AppScan, Nessus, Nipper, Trustwave (strong preference for Burp Suite and AppScan).
  • Strong knowledge of OWASP Top 10, SANS/CWE vulnerabilities, and secure coding principles.
  • Deep understanding of attack vectors, threat modeling, and exploitation techniques across web, API, and system layers.
  • Excellent technical reporting and communication skills, with the ability to translate complex findings for business and technical audiences.

Certifications:

  • Preferred: CISSP (Certified Information Systems Security Professional)
  • Alternatives considered: GIAC GPEN (Penetration Tester) or GIAC GWAPT (Web Application Penetration Tester)

Preferred Skills:

  • Experience in professional services or highly regulated industries (e.g., legal, finance, or healthcare).
  • Familiarity with secure SDLC integration, CI/CD security testing, or DevSecOps practices is a plus.
  • Ability to work across cultures and time zones in a global team environment.

About HCM Nexus

HCM Nexus Consulting Inc. has been providing quality staffing and effective solutions to our clients since 2012. We aim to build strong human relationships by providing HR solutions that fit your talent and process needs.

> Recruitment Solutions (Outsourced Staffing, Executive Search, RPO for volume requirements)

> L&D Services - Bespoke Services based on your company's needs, timeline and budget

> Outsourced HR Services - Transactional and Strategic HR Services

Interested? Please send an email to partnerships@hcmnexus.com or Topher.Astraquillo@hcmnexus.com

Looking for a job or the right career? We help you get the Next Big Thing (send your CV to jobs@hcmnexus.com).

Industry
Unknown
Company Size
11-50 employees
Headquarters
Makati, PH
Year Founded
2012