Penetration Testing Lead

• Lead and perform end-to-end penetration tests for web, mobile, cloud and API applications, including dynamic testing, exploitation, and validation of fixes.
• Plan, execute, and author high-quality pen test reports with actionable remediation steps, risk ratings, and retest guidance.
• Perform architecture and design reviews from a runtime/attack-surface perspective to inform pentest scope and high-risk areas.
• Execute dynamic application security testing (DAST) and manual verificationfocusing on runtime attack vectors and exploitability.
• Use manual testing techniques (logic flaws, business logic abuse, chained vulnerabilities) beyond automated scan coverage.
• Utilize and maintain a toolkit of offensive security tools (Burp Suite Pro, OWASP ZAP, intercepting proxies, fuzzers, scanners, Nmap, etc.).
• Conduct vendor / third-party application penetration assessments and evaluate external integrations.
• Drive remediation by working closely with developers, architects, and product teams; prioritize vulnerabilities and define risk-based SLAs for closure.
• Mentor and guide junior pentesters on methodology, reporting standards, and advanced exploitation techniques.
• Communicate findings clearly to technical and non-technical stakeholders, present executive summaries for leadership.
• Maintain knowledge of emerging attack techniques, tooling, and application-level threats; adapt test methodologies accordingly.
• Technical Expertise
• Deep, hands-on experience in manual penetration testing for web, mobile, and API applications.
• Proficient with dynamic testing methodologies and tools (Burp Suite, OWASP ZAP, proxies, fuzzers, etc.).
• Strong knowledge of common and advanced application attack vectors (OWASP Top 10, WASC, CWE), exploitation paths, and mitigations.
• Proven experience testing applications built on Java/J2EE, .NET, Python, PHP, JavaScript stacks and modern frameworks.
• Solid understanding of HTTP/HTTPS, SSL/TLS, OAuth, SAML, session management, and authentication flows.
• Familiarity with network-level reconnaissance and tooling (Nmap, Nikto) as applied to application assessments.
• Experience assessing mobile apps (iOS/Android) and APIs (REST, GraphQL) for logic and security flaws.
• Knowledge of cloud-hosted application environments (AWS/Azure/GCP) as it relates to attack surface and test planning.
• Strong scripting skills for custom exploit development and automation (Python, Bash, or similar).

Preferred Qualifications

• Certifications:

  OSCP (Mandatory),

  OSWE, GPEN, GWAPT, ECSA, LPT, or equivalent.
• Experience with red-team style assessments or advanced chained-exploit scenarios.
• Familiarity with pentest orchestration and scheduling in CI/CD environments (scan runners, automation, retest workflows).
• Prior experience in regulated industries (BFSI, healthcare, etc.) or client-facing consulting engagements is a plus.

  Role & responsibilities

Preferred candidate profile