Penetration Tester

2 years

0 Lacs

Posted: 12 hours ago | Platform: LinkedIn

Work Mode

On-site

Job Type

Full Time

Job Description

Key Responsibilities

Penetration Testing (Primary Focus):
- Perform manual and automated penetration testing on web applications, APIs, infrastructure, and cloud-hosted environments.
- Conduct red team/purple team exercises to simulate advanced threat actor behavior using frameworks like MITRE ATT&CK.
- Identify security flaws, misconfigurations, and business logic vulnerabilities across hybrid and cloud environments.
- Use tools such as Burp Suite, Nmap, Metasploit, Cobalt Strike, and custom scripts to simulate attacks.
- Provide detailed reports with risk ratings, technical impact, and remediation recommendations.
- Collaborate with DevOps and application teams to validate, reproduce, and remediate identified issues.
- Continuously research and adopt emerging offensive techniques, vulnerabilities, and toolsets.

Cloud Security (Secondary but Required):
- Assess cloud environments (Azure, AWS, GCP) for security weaknesses, including exposed services, misconfigured IAM, and insecure storage.
- Assist in secure design reviews and threat modeling for cloud-native workloads.
- Use tools like Microsoft Defender for Cloud, Prisma Cloud, Wiz, or ScoutSuite to identify misconfigurations.
- Automate detection of insecure infrastructure via Infrastructure-as-Code (Terraform, Bicep, etc.).
- Support incident response activities related to cloud-based threats and unauthorized access.

Compliance and Governance Support:
- Understand and apply security testing methods aligned with: HIPAA (for healthcare application testing), PCI-DSS (for applications storing/processing cardholder data), and NESA (UAE-specific cybersecurity baseline).
- Participate in security audits and assessments by providing technical evidence and findings.
- Maintain documentation for vulnerability management, security testing scope, and remediation tracking.

Required Skills and Experience

- 2+ years of hands-on experience in penetration testing and offensive security engagements.
- Deep understanding of application security testing, OWASP Top 10, and real-world exploit techniques.
- Experience testing cloud workloads (Azure, AWS, or GCP) from an attacker's perspective.
- Familiarity with red/purple teaming, lateral movement, privilege escalation, and post-exploitation techniques.
- Strong proficiency with tools like Burp Suite Pro, Nmap, Metasploit, Cobalt Strike, etc.
- Scripting experience with Python, PowerShell, or Bash to develop custom tools and automate testing.
- Exposure to SIEM, CSPM, and EDR platforms for identifying and responding to test detections.

Preferred Certifications (Offensive & Cloud Focused)

Penetration Testing / Offensive Security:
- OSCP (Offensive Security Certified Professional)
- OSEP / OSCE / GPEN / GWAPT / CRTO
- CEH (Certified Ethical Hacker – practical)

Cloud Security (Supplementary):
- Microsoft Certified: Azure Security Engineer Associate
- AWS Certified Security – Specialty
- Google Cloud Professional Security Engineer

Compliance (Optional but Useful):
- CISSP, CCSP, or CISM
- Certified HIPAA Professional (CHP), PCI ISA
- Familiarity with UAE’s NESA compliance standards

Xebia