Ethical Hacker / Application Security Expert - Red Team
PayU Payments
Posted on: February 27, 2026
Job Title: Application Security Expert - Red Team / Ethical Hacker
Department: Information Security / Cybersecurity
Reports To: Group CISO
Job Summary:
The Application Security Expert - Red Team / Ethical Hacker is a critical role responsible for proactively identifying and exploiting security vulnerabilities in our software applications throughout the entire Software Development Life Cycle (SDLC). Operating as a key member of the in-house Red Team, this role will focus on simulating real-world attacks, conducting advanced penetration testing, and providing actionable intelligence to strengthen our overall security posture.
Responsibilities:
• Red Teaming & Attack Simulation:
• Plan and execute realistic attack simulations against our web, mobile, and desktop applications to identify weaknesses and bypass security controls.
• Develop and utilize custom exploits, tools, and techniques to mimic the tactics, techniques, and procedures (TTPs) of advanced threat actors.
• Conduct social engineering campaigns to assess employee awareness and identify potential vulnerabilities.
• Advanced Penetration Testing:
• Perform in-depth penetration tests of applications, networks, and systems, using both automated tools and manual techniques.
• Identify and exploit complex vulnerabilities, including those related to application logic, authentication, authorization, and data handling.
• Develop detailed penetration test reports with clear and actionable recommendations for remediation.
• Secure Code Review (Offensive Perspective):
• Conduct code reviews from an offensive perspective, identifying potential vulnerabilities that could be exploited by attackers.
• Provide developers with guidance on secure coding practices and vulnerability remediation techniques.
• Develop and maintain secure coding guidelines and checklists.
• Vulnerability Research & Exploit Development:
• Stay up-to-date on the latest security threats, vulnerabilities, and exploit techniques.
• Conduct vulnerability research to identify new and emerging threats.
• Develop custom exploits and tools to test and demonstrate the impact of vulnerabilities.
• SDLC Integration & Security Advocacy:
• Collaborate with development teams to integrate security testing and red teaming activities into the SDLC.
• Participate in design reviews and provide security guidance on application architecture and design.
• Promote a security-conscious culture within the development organization.
• Vulnerability Management (Validation & Verification):
• Validate and verify the effectiveness of vulnerability remediation efforts.
• Retest remediated vulnerabilities to ensure they have been properly addressed.
• Security Tooling & Automation (Offensive Tools):
• Evaluate, recommend, and customize offensive security tools and technologies.
• Automate red teaming and penetration testing processes to improve efficiency and coverage.
Required Skills and Qualifications:
Education:
• Bachelor's or Master's degree in Computer Science, Information Security, or a related field.
Experience:
• 8+ years of experience in application security, penetration testing, red teaming, or a related field.
• Demonstrable experience conducting advanced penetration tests and red team engagements.
• Strong understanding of web application vulnerabilities (e.g., OWASP Top 10, SANS Top 25).
• Experience with various penetration testing tools and frameworks (e.g., Metasploit, Burp Suite, Kali Linux).
• Experience with exploit development and reverse engineering.
Technical Skills:
• Expert proficiency in one or more programming languages (e.g., Python, Java, C, C++).
• Strong understanding of web application architectures and technologies.
• Deep understanding of network protocols and security concepts.
• Familiarity with cloud security principles and practices (e.g., AWS, Azure, GCP).
• Understanding of authentication and authorization mechanisms.
Certifications (Required/Preferred):
• Offensive Security Certified Professional (OSCP) - Required
• Certified Ethical Hacker (CEH) - Preferred
• GIAC Web Application Penetration Tester (GWAPT) - Preferred
• Offensive Security Certified Expert (OSCE) - Highly Preferred
• Offensive Security Web Expert (OSWE) - Highly Preferred
About Company
PayU Payments
Karnataka, IN