Senior VAPT Specialist

• This job description outlines the detailed technical requirements for consultants engaged in IT Infrastructure VAPT, Cloud Security VAPT & Container Security Testing.
• Candidates will be assessed and placed at appropriate levels (L1, L2, or L3) based on their expertise and experience.

Responsibilities

- Perform security assessments across IT infrastructure, cloud environments & containerized platforms.

- Conduct reconnaissance, scanning, enumeration, exploitation, and post-exploitation activities.

- Perform vulnerability scanning using tools such as Nessus, OpenVAS, Qualys, and validate findings manually.

- Conduct network penetration testing (firewalls, switches, routers, servers) and Active Directory exploitation.

- Perform web and API penetration testing using Burp Suite Pro, OWASP ZAP, SQLmap, custom scripts.

- Execute cloud security testing (AWS, Azure, GCP) focusing on IAM, storage misconfigurations, exposed services using Manual approach & automated tools like Scoutsuite, Cloudsploit, Trivy.

- Perform container and Kubernetes security testing using Trivy, Clair, Dockle, and kube-hunter.

- Develop and execute custom scripts/exploits (Python, PowerShell, Bash) where required.

- Document vulnerabilities with CVSS and EPSS scoring, proof of concept, and remediation recommendations.

- Prepare both technical reports and executive-level summaries.

- Ensure alignment with methodologies such as OWASP, PTES, OSSTMM, and MITRE ATT&CK.

- Stay updated with emerging threats, exploits, and offensive security tools.

- Collaborate with stakeholders and provide technical guidance to team members.

Required Technical Skills

- Strong understanding of networking (TCP/IP, DNS, HTTP/S, SSL/TLS, VPNs, Firewalls).

- Proficiency with penetration testing tools: Nmap, Burp Suite Pro, Metasploit, Nessus, OpenVAS, Nikto, Gobuster, Hydra.

- Familiarity with advanced Red Teaming and exploitation frameworks (Cobalt Strike, Sliver, BloodHound).

- Knowledge of cloud security testing for AWS, Azure, and GCP.

- Experience in container and Kubernetes security testing.

- Understanding of web application vulnerabilities (OWASP Top 10, API Security Top 10).

- Hands-on experience with exploitation techniques: privilege escalation, lateral movement, persistence.

- Knowledge of Active Directory attacks and defenses.

- Scripting and automation skills in Python, Bash, and PowerShell.

- Familiarity with compliance and regulatory requirements (PCI DSS, ISO 27001, NIST, CIS benchmarks).

Experience & Certifications

- Experience ranging from 5+ years in penetration testing, red teaming, or security consulting.

- Entry-level candidates should demonstrate strong fundamentals and hands-on exposure to tools.

- Mid-level candidates should demonstrate independent execution of penetration tests and technical reporting.

- Senior candidates should demonstrate leadership, strategy definition, stakeholder management, and advanced exploitation.

Preferred Certifications:

- AWS Certified Security – Specialty

- Microsoft Azure Security Engineer Associate (AZ-500)

- Google Cloud Professional Cloud Security Engineer

- Certified Cloud Security Professional (CCSP)

- Kubernetes Security: CKA (Certified Kubernetes Administrator), CKS (Certified Kubernetes Security Specialist)

- SANS Cloud Penetration Testing (SEC588 / SEC510) or equivalent

Additional certifications in cloud penetration testing or specialized modules are highly desirable.