Penetration Testing & Offensive Security Engineer (Web/Mobile/API)

4 - 9 years

6 - 13 Lacs

Posted: 5 hours ago | Platform: Naukri

Work Mode

Work from Office

Job Type

Full Time

Job Description

SUMMARY

Role Title

Penetration Testing & Offensive Security Engineer (Web/Mobile/API)

Role Purpose

Perform penetration tests on web, mobile, and API applications; configure/run DAST where needed; produce comprehensive reports; drive remediation, retest, and executive communication.

Key Responsibilities

Scoping calls; confirm timelines & prerequisites; ensure test readiness
Execute pentests with Burp Suite Pro, Invicti (support), custom scripts
Identify, exploit, and document vulnerabilities with PoC; post-exploitation analysis
Configure/run DAST scans; maintain test plans/scripts/reports
Prepare detailed technical & executive reports (Client format); walkthrough with app teams
Create Jira tickets; validate fixes; retest; close with evidence
Upload reports to Apiiro; manage findings lifecycle and SLAs.

Required Skills & Experience

6 to 8+ years in offensive security/VAPT; tools: Burp Suite Pro, Invicti, OWASP tooling; API testing (Postman); strong reporting & stakeholder communication; familiarity with OWASP ASVS/MASVS, OWASP Top 10.

Shift Coverage

Business hours + on-call for P1 exploit confirmations and go-live risk decisions; weekend windows per release calendar.

Systems Access & Request Process

Burp Suite: License via Jira; Offensive Security Lead approval.
Invicti: Tester role per engagement; time-boxed access.
Apiiro & Jira: Upload/report permissions; project-level access; audit trails retained.

Primary Tools

Burp Suite Pro, Invicti, Apiiro ASPM, Jira, OWASP tools (ZAP etc.), Postman.

Keywords

Penetration Testing, Offensive Security Engineer, VAPT, Web Application Pentesting, Mobile Application Pentesting, API Security Testing, Burp Suite Pro, Invicti, OWASP ZAP, DAST, Dynamic Application Security Testing, Vulnerability Assessment, Exploitation, Proof of Concept (PoC), Post-Exploitation Analysis, Custom Security Scripts, API Testing, Postman, OWASP Top 10, OWASP ASVS, OWASP MASVS, Secure Coding Validation, Vulnerability Reporting, Executive Security Reports, Technical Reporting, Remediation Validation, Retesting, Jira, Apiiro ASPM, Findings Lifecycle Management, SLA Management, Risk Acceptance, Go-Live Security Reviews, P1 Vulnerabilities, On-Call Support, Release Security

