L3 – Web Application Firewall Lead (Cloudflare WAF)

Hi, We have 5 open positions for the below role in Mumbai, Secondary location is Pune. Interested candidates can email their updated profiles to [HIDDEN TEXT] alongwith the following details: Current CTC, Expected CTC, Notice period, Preferred location: Mumbai / Pune

L3 Web Application Firewall Lead (Cloudflare WAF)

Job Summary:

ITCI Cyber Security team is looking for the role who is operational excellence and strategic configuration of Cloudflare WAF, focused on protecting public-facing web assets. The individual will ensure accurate ruleset deployment, threat intelligence tuning, and real-time attack mitigation. Additionally, the role requires extensive engagement with application owners and dev teams to fine-tune security without compromising performance.

Key Responsibilities:

• Manage Cloudflare WAF policies and rulesets to protect financial web apps from OWASP Top 10 threats and zero-day exploits.
• Oversee rule tuning, false positive management, and configuration of Bot Mitigation, Rate Limiting, and DDoS Protection.
• Participate in vulnerability remediation cycles, ensuring virtual patching through WAF policies.
• Conduct monthly policy reviews, perform simulated attacks for resilience validation, and apply version updates as needed.
• Document all policy configurations, rationales, and threat detection results for audit and governance.
• Work with developers and AppSec teams to align WAF policies with application behaviour and threat models.
• Troubleshoot web traffic issues, SSL certificate renewals, and secure CDN operations.
• Provide architectural input on securing new applications and APIs through Cloudflare WAF.
• Support incident response activities, forensic analysis, and ensure high availability of WAF configurations.

Key Skills & Certifications:

• 8+ years in application or network security; 3+ years Cloudflare WAF experience.
• Strong hands-on with OWASP, HTTP/HTTPS protocols, TLS configurations, and Cloudflare dashboards.
• Cloudflare Certified, CEH, or OSWE preferred.
• In-depth understanding of RBI and SEBI appsec controls and web access compliance.