Posted 07 June, 2026

Penetration Tester

Olyv
Bengaluru, KA, IN Full Time
Reference: a967f0d1194d2110

Job Description

Key Responsibilities:


Application & API Security

  • Perform comprehensive Vulnerability Assessment and Penetration Testing (VAPT) of web applications, APIs, and backend services.
  • Conduct manual and automated security testing to identify vulnerabilities, misconfigurations, and business logic flaws.
  • Assess API security using industry standards such as OWASP API Security Top 10.
  • Review and test authentication and authorization mechanisms including JWT, OAuth 2.0, OpenID Connect, and SAML.


Mobile Security (Android)

  • Perform security assessments of Android mobile applications, including static and dynamic analysis.
  • Identify vulnerabilities related to insecure data storage, authentication, authorization, API communication, reverse engineering, and code tampering.
  • Validate security controls implemented in mobile applications and recommend remediation measures.

Cloud Security

  • Conduct cloud security assessments across AWS and GCP environments.
  • Review IAM configurations, VPCs, Security Groups, Storage Services (S3/GCS), Secrets Management, Logging, and Monitoring controls.
  • Identify cloud misconfigurations, excessive permissions, and security gaps impacting business risk.


Security Engineering & Risk Management

  • Support threat modeling exercises and secure design reviews during product development.
  • Assist engineering teams in integrating security controls within Secure SDLC processes.
  • Review CI/CD pipelines and recommend security improvements, including SAST, DAST, and dependency scanning practices.
  • Track remediation activities and perform validation testing after fixes are implemented.



Reporting & Compliance

  • Prepare detailed, risk-based security assessment reports with actionable remediation recommendations.
  • Collaborate closely with Engineering, Product, DevOps, and Infrastructure teams to drive security improvements.
  • Support compliance and audit initiatives including RBI guidelines, ISO 27001, and other regulatory requirements.


Required Experience

  • 2–3 years of hands-on experience in Penetration Testing, Application Security, or Vulnerability Assessment.
  • Demonstrated experience across: Web Application Security, API Security Testing, Android Mobile Application Security, Cloud Security Assessments (AWS/GCP)


Technical Skills

Security Testing

  • Strong understanding of OWASP Top 10, OWASP API Security Top 10, SANS Top 25, and Secure Coding Practices.
  • Experience performing manual penetration testing and security assessments.


Security Tools

Hands-on experience with:

  • Burp Suite Professional
  • Nmap
  • Nessus
  • Metasploit
  • Wireshark
  • SQLMap
  • OWASP ZAP
  • Acunetix
  • Postman
  • MobSF
  • Frida
  • Jadx
  • Apktool


Cloud & DevSecOps

  • Working knowledge of AWS and/or GCP security services.
  • Understanding of CI/CD security practices and DevSecOps principles.
  • Familiarity with container security and infrastructure security best practices.


Preferred Qualifications

  • Security certifications such as CEH, eJPT, PNPT, OSCP, Security+, or relevant cloud security certifications.
  • Exposure to fintech, banking, or regulated industry environments.
  • Understanding of secure architecture and threat modeling methodologies.


Desired Competencies

  • Strong analytical and problem-solving skills.
  • Ability to assess business impact and prioritize security risks.
  • Excellent communication and report-writing skills.
  • Ability to explain technical security findings to non-technical stakeholders.
  • Strong collaboration and stakeholder management skills.
  • Detail-oriented with a proactive security mindset.
