Security Engineer

The VAPT Security Engineer is responsible for assessing and enhancing the organization's security posture by conducting Vulnerability Assessments and Penetration Testing (VAPT) across infrastructure, networks, and applications (Web, Mobile, Client-Server). This role involves identifying, analyzing, and mitigating security vulnerabilities, ensuring compliance with security standards, and proactively reducing risks. The engineer will leverage security tools and methodologies, collaborate with stakeholders, and drive remediation efforts to strengthen overall security resilience.

Location: Metro Manila

Work Setup: Hybrid

Department: Technology

Security Testing & Vulnerability Assessment

Conduct regular vulnerability assessments for infrastructure, network, and application environments (Web, Mobile, Client-Server).

Perform black-box, white-box, and gray-box penetration testing to uncover security flaws.

Execute application security testing using:

• Static Application Security Testing (SAST) – for code vulnerabilities.
• Dynamic Application Security Testing (DAST) – for runtime vulnerabilities.
• Software Composition Analysis (SCA) – for open-source dependency risks.
• Interactive Application Security Testing (IAST) – combining SAST and DAST for CI/CD pipelines.

Assess wireless networks, APIs, databases, and IoT devices for security weaknesses.

Conduct penetration testing activities to identify and exploit vulnerabilities.

Serve as the point of contact for third-party VAPT assessments.

Red Teaming & Adversary Simulations

Conduct Red Team engagements to simulate real-world cyber threats and evaluate the organization's detection and response capabilities.

Perform attack simulations using MITRE ATT&CK, TTPs, and APT methodologies.

Develop and execute custom exploits, lateral movement tactics, and privilege escalation techniques.

Collaborate with Blue Team/SOC to enhance Threat Detection, Incident Response, and Cyber Resilience.

Security Tool Management & Automation

Utilize security tools such as Burp Suite, Kali, Frida, Rapid7, Nessus, Qualys, Metasploit, OWASP ZAP, Nmap, Wireshark, Checkmarx, Fortify, Acunetix.

Automate security testing in CI/CD pipelines (DevSecOps).

Maintain penetration testing frameworks and develop custom security scripts and exploits.

Incident Response & Threat Management

Support incident response by analyzing vulnerabilities exploited in real-time attacks.

Assist in forensic analysis, malware reverse engineering, and threat hunting.

Collaborate with SOC, IT, and Security Operations teams to contain, eradicate, and recover from security incidents.

Provide security recommendations and post-incident lessons to strengthen security posture.

Risk Analysis & Compliance

Identify and prioritize security vulnerabilities based on risk impact and exploitability.

Develop detailed assessment reports outlining findings, risk ratings, and remediation plans.

Ensure security testing compliance with frameworks such as ISO 27001, NIST, PCI-DSS, GDPR, MAS TRM, CIS Benchmarks.

Conduct third-party security assessments and validate vendor security compliance.

Assist in audit and compliance efforts by providing security reports and mitigation evidence.

Security Awareness & Training

Develop and deliver security awareness programs to educate employees on cybersecurity best practices.

Conduct simulated phishing campaigns and social engineering tests to assess awareness levels.

Train development and IT teams on secure coding practices, vulnerability mitigation, and security operations.

Create and distribute security bulletins, newsletters, and case studies to highlight emerging threats.

Reporting & Remediation

Develop and maintain security assessment methodologies, playbooks, and Red Team strategies.

Prepare technical and executive reports on security findings, recommendations, and mitigation strategies.

Present assessment results to senior management, security teams, and business units.

Education –  Bachelor's or Master's degree in Computer Science, Information Technology, Cybersecurity, or a related field

• Professional Certification & Licenses: CEH (Certified Ethical Hacker), OSCP (Offensive Security Certified Professional), CRTP (Certified Red Team Professional), CMWAPT (Certified Mobile and Web Application Penetration Tester), GIAC certifications (e.g., GWAPT, GPEN), AWS/Azure/GCP Security Certifications (a strong plus)

Related Work Experience – 5+ years of experience in VAPT, penetration testing, and information security.

• Leadership experience in managing VAPT projects and security teams.
• Experience in:
• Advanced penetration testing, security control bypassing, and exploit development.
• Reverse engineering, malware analysis, threat emulation, and lateral movement.
• IT security auditing (preferred).

Knowledge –

• Network security, operating systems (Linux, Windows, RHEL), web application security.
• Security frameworks and compliance standards (ISO 27001, NIST, PCI-DSS, etc.).
• Security platforms: Crowdstrike, Splunk, Tenable, Ansible, FireEye, Imperva, Qualys, Acunetix, IBM AppScan, Deep Security.
• System administration & scripting (Bash, Python, PowerShell).
• Cloud security and DevSecOps practices.

Skills

• Strong analytical and problem-solving skills to identify and mitigate vulnerabilities.
• Excellent reporting, communication, and presentation skills to engage technical and non-technical stakeholders.