Manager VA / VAPT

**Location:*Mumbai

**Department:*Information Security

The Manager / Assistant Manager VA/VAPT will be responsible for overseeing the vulnerability assessment and penetration testing program across the organization. The role includes managing external vendors performing security testing, ensuring regulatory and internal policy compliance, handling day-to-day BAU activities, and preparing reports and dashboards for senior management and regulatory bodies.

1. Vulnerability Management & Testing Oversight

• Coordinate and manage end-to-end VA/VAPT activities conducted by external vendors.


• Review and validate test scopes, methodologies, and deliverables.


• Track remediation progress and coordinate with application/infrastructure teams for closure of findings.


• Ensure testing frequency aligns with regulatory, internal, and client requirements.


• Validate false positives and maintain quality of vulnerability reports.

2. Compliance & Regulatory Alignment

• Ensure compliance with RBI, CERT-In, PCI-DSS, and other regulatory security testing mandates.


• Maintain audit-ready evidence and documentation for all VA/VAPT-related activities.


• Support internal and external audits (including from parent company, clients, and regulators).


• Track and report on compliance posture related to vulnerability management.

3. Reporting & Metrics

• Develop and maintain vulnerability management dashboards and reports for CISO and management.


• Generate periodic risk summaries, trend analysis, and KPI/KRI reports.


• Maintain trackers for testing schedule, remediation status, and exceptions.

4. Process & Governance

• Define and continuously improve the VA/VAPT governance process, including scope definition, testing frequency, and remediation SLAs.


• Manage change requests and deviations in coordination with vendors and internal teams.


• Ensure adherence to secure SDLC principles and coordinate with DevSecOps initiatives.

5. Tools & Technical Proficiency

• Utilize and manage tools such as Qualys, OpenText Fortify, WebInspect, and Burp Suite Professional for internal scans and validation.


• Correlate and prioritize vulnerabilities based on criticality, exploitability, and asset sensitivity.


• Support automation and integration of vulnerability data into enterprise dashboards or ticketing systems.

6. Stakeholder Management

• Collaborate with IT, applications, cloud, and business teams to ensure timely risk mitigation.


• Act as primary liaison with VA/PT vendors and ensure SLA adherence.


• Present security posture updates to senior management and CISO.

Position

Experience Range

Educational Qualification

Certifications (Preferred)

Manager VA/VAPT

8 12 years total experience with 3+ years in vendor or team management

B.Tech / B.E. / M.Tech / MCA in Computer Science, IT, or related field

CEH, OSCP, CISSP, CISA, or equivalent

• Strong understanding of web, mobile, and infrastructure vulnerabilities and mitigation techniques.


• Hands-on exposure to Qualys, Fortify, WebInspect, and Burp Suite Professional.


• Familiarity with regulatory frameworks such as RBI, CERT-In, PCI-DSS, ISO 27001.


• Strong analytical, documentation, and presentation skills.


• Ability to handle multiple stakeholders and manage testing across multiple business lines.


• Good understanding of secure SDLC and DevSecOps principles.

• Excellent communication and coordination skills.


• Strong reporting and analytical mindset.


• Ability to work under pressure and manage tight timelines.


• Proven vendor and stakeholder management skills.

1. Vulnerability Management & Testing Oversight

• Coordinate and manage end-to-end VA/VAPT activities conducted by external vendors.


• Review and validate test scopes, methodologies, and deliverables.


• Track remediation progress and coordinate with application/infrastructure teams for closure of findings.


• Ensure testing frequency aligns with regulatory, internal, and client requirements.


• Validate false positives and maintain quality of vulnerability reports.

2. Compliance & Regulatory Alignment

• Ensure compliance with RBI, CERT-In, PCI-DSS, and other regulatory security testing mandates.


• Maintain audit-ready evidence and documentation for all VA/VAPT-related activities.


• Support internal and external audits (including from parent company, clients, and regulators).


• Track and report on compliance posture related to vulnerability management.

3. Reporting & Metrics

• Develop and maintain vulnerability management dashboards and reports for CISO and management.


• Generate periodic risk summaries, trend analysis, and KPI/KRI reports.


• Maintain trackers for testing schedule, remediation status, and exceptions.

4. Process & Governance

• Define and continuously improve the VA/VAPT governance process, including scope definition, testing frequency, and remediation SLAs.


• Manage change requests and deviations in coordination with vendors and internal teams.


• Ensure adherence to secure SDLC principles and coordinate with DevSecOps initiatives.

5. Tools & Technical Proficiency

• Utilize and manage tools such as Qualys, OpenText Fortify, WebInspect, and Burp Suite Professional for internal scans and validation.


• Correlate and prioritize vulnerabilities based on criticality, exploitability, and asset sensitivity.


• Support automation and integration of vulnerability data into enterprise dashboards or ticketing systems.

6. Stakeholder Management

• Collaborate with IT, applications, cloud, and business teams to ensure timely risk mitigation.


• Act as primary liaison with VA/PT vendors and ensure SLA adherence.


• Present security posture updates to senior management and CISO.