Role: Infosec Engineer
Exp- 1-3 years
Location: Bangalore
Job Description:
We are seeking an Application Security Engineer to perform vulnerability assessments and penetration testing on web integrations, web application and mobile applications. Responsibilities include identifying security vulnerabilities, conducting secure code reviews, and ensuring compliance with OWASP, NIST, and ISO 27001 standards. The role requires expertise in manual and automated security testing using tools like Burp Suite,
Metasploit, and Kali Linux.
Key Responsibilities:
Vulnerability Assessment & Penetration Testing:
● Perform regular internal and external VAPT on infrastructure, web applications, APIs,
mobile applications, and cloud environments.
● Identify, triage, exploit security vulnerabilities through static and dynamic application
security testing (SAST/DAST) and report vulnerabilities with detailed proof-of-concept
(PoC) documentation.
● Use both automated and manual testing methodologies to uncover security weaknesses.
● Perform security-focused code reviews.
Threat Analysis & Risk Assessment:
● Conduct in-depth risk assessments of identified vulnerabilities.
● Collaborate with teams to prioritize and remediate security issues.
● Develop and maintain a vulnerability management program.
Tooling & Automation:
● Utilize open-source and commercial VAPT tools such as Burp Suite, Nessus, Nmap, Metasploit, OWASP ZAP, and others.
● Create and enhance custom scripts or tools to automate testing processes.
● Stay updated on the latest vulnerabilities, exploits, and security trends.
Reporting & Documentation:
● Prepare detailed VAPT reports with risk ratings, impact analysis, and remediation recommendations.
● Communicate findings to technical and non-technical stakeholders.
● Ensure compliance with industry standards (e.g., OWASP, CIS, NIST) and regulatory
requirements. Collaboration & Continuous Improvement:
● Work closely with DevOps, IT, and engineering teams to address security gaps.
● Assist teams in reproducing, triaging and addressing application security vulnerabilities.
● Work closely with developers to integrate security into the software development lifecycle, providing guidance on secure coding practices.
● Contribute to security awareness programs by sharing insights from VAPT exercises.
● Support red team/blue team exercises, if applicable.
Required Skills
● Strong hands-on experience with VAPT tools (e.g., Nessus, OpenVAS, Qualys, Burp Suite, Metasploit, Nmap, etc.).
● Proficiency in identifying and exploiting vulnerabilities (SQLi, XSS, RCE, SSRF, IDOR, etc.).
● Ability to perform threat modeling to identify potential security threats and design effective countermeasures.
● Knowledge of secure coding practices and SDLC integration.
● Experience with cloud security testing (AWS, Azure, GCP).
● Familiarity with scripting languages (Python, Bash, PowerShell) for automation.
● Understanding of common security frameworks (OWASP, MITRE ATT&CK, NIST).
● Strong analytical and problem-solving skills.
● Having experience in the security domain for 1-3 years
Preferred Qualifications:
● Certifications: OSCP, CEH, GPEN, eCPPT, or equivalent.
● Experience with container and Kubernetes security testing.
● Knowledge of WAF bypass techniques and post-exploitation tactics.
● Experience with CI/CD pipeline security testing
Information Security Engineer (InCred Grade - Assistant Manager)-3+ years
Job Description
- Evaluating, Testing, and integrating security tools, standards, and associated processes as per the security framework.
- Assist in creating and managing the framework for Information Security in alignment with industry best practices (ISO 27001)
- Improve the cyber security program governance processes including cyber security risk reporting (recommending new report formats, reporting technologies and collaborating with team members to build-out reports/dashboards) and governance committee
- Develop of cyber security standards, including incorporating industry practices and applicable compliance requirements
- Monitor and report compliance with cyber security standards and security rules of relevant cyber security and regulatory privacy requirements
- Improving and supporting application security tool deployments including static analysis and runtime testing tools.
- Create and manage process to guide development and testing teams on proactively finding application security risks
- Improving and maintaining secure development standards.
- Supporting the application architecture/design review processes whenever application security expertise is needed.
- Oversee and improve third-party information security risk management programs to assess risks associated with the usage of third-parties/vendors. Assist in 3rd party security due-diligence reviews
- Conduct periodic penetration testing services of application and related infrastructure. Closure of open risks by actively following-up with stakeholders.
- Assess application, design threat models, risk, document potential risk vectors, recommend relative controls and ensure risk is addressed
- Maintain security risk register to track the identified risks and produce metrics to report the state of application security program and risk status.
- Additional responsibilities to this role include:
- Recommend cybersecurity assessment methodology and support purple team exercises when required
- Assessing cloud security risk (AWS, Google, and Azure) and recommending appropriate security controls
- Assist in imparting security awareness training and executing phishing simulation exercises to employees.
- Track and report security metrics to higher management on a regular basis
- Define hardening standard for various technology and assess compliance levels
- Identify, prioritize, and track security incidents and manage related platforms such as SIEM, DLP, EDR and other security tools
- Provide clear communication on the issue to application owners and verify the efficacy of vulnerability remediation
- Should have ability to drive VAPT engagements end to end for Web, Mobile and Infra with Internal stakeholders and external agencies if required
- Basic understanding of regulatory requirements of Indian Fintech ecosystem like RBI, SEBI, NSE, BSE others
Key Areas: ISO 27001, security governance, evaluating and implementing security tools (SIEM, DLP, endpoint protection), security reviews and assessment, preparation of security checklist, security awareness/phishing simulation, cloud security, Application security.
Certifications: good to have - ISO 27001, CISM, or CISSP ( Not Mandatory )
Experience
- Should have 3+ years of experience in the information security domain
- Must have sound knowledge in security vulnerabilities, remediation and mitigation techniques.
- Ability to document and explain technical details in a concise & understandable manner
- Industry recognized certificates relevant to the roles such as CISM, CISSP, CISA, ISO 27001 are desired
- Ability to lead complex, cross-functional projects, and problem-solving initiatives.
- Passionate about information security and update knowledge on daily basis to support the organization
- Candidates must have excellent verbal and written communication skills
- Candidates must be able to explain all vulnerabilities and weaknesses in the OWASP Top 10, to concerned stakeholders and discuss effective defensive techniques.
- Familiarity with industry standards and regulations including PCI, ISO27001, CIS, NIST is desired.
- Good understanding of the Docker, Kubernetes, and security models
- Fair understanding of public cloud models (e.g. AWS, Google, Microsoft Azure) and their security implications
Skills:
- Candidate should be a good team player
- Should have good interpersonal skills
- Good written communication skills including ability to develop process documentation and security guidelines.
- Ability to apply critical thinking and logic to a wide range of intellectual and practical problems
- Ability to maintain composure under pressure and work calmly during an emergency
- Ability to manage multiple tasks and schedules
Interview evaluation parameters:
Round | Focus Area | Topics/Questions | Evaluation Criteria |
Round 1 | Fundamentals & Knowledge-Based Interview | ||
Information Security Knowledge | - Define information security and its principles (Confidentiality, Integrity, Availability). - Explain common threats & vulnerabilities (OWASP Top 10). - Knowledge of Governance security protocols. - Familiarity with regulatory standards like ISO 27001, GDPR, NIST etc - Familiarity with Indian regulatory standards of RBI , SEBI , NSE, BSE, CDSL | - Depth of knowledge in information security principles. - Ability to apply security concepts to real-world scenarios. - Familiarity with tools & protocols. | |
Risk Management & Frameworks | - Explain the risk management process (Identify, Assess, Mitigate, Monitor). - Familiarity with risk identification process. - Risk assessment for a critical environments. - Ability to idenitify risks and prepare risk register from stratch | - Understanding of risk management lifecycle. - Experience with risk assessments. - Ability to prioritize and mitigate risks. | |
Vendor risk Management | - How do you assess and mitigate risks associated with third-party vendors? - Steps for conducting vendor security assessments. - Managing vendor compliance (e.g., SOC 2, ISO 27001). | - Understanding of third-party risk management. - Ability to evaluate vendor security and compliance. - Knowledge of vendor legal contracts and SLAs. | |
Security Controls & Policies | - How to develop, create and enforce security policies. - User access control management in an organization. - Monitoring security controls. -Ability to identify gaps and provide resolution from an information security pov | - Ability to create and enforce security policies. - Knowledge of access control and continuous monitoring techniques. | |
Practical Scenario | - Scenario: Assess the security compliance of an organization, identify gaps, and suggest improvements. - Risk assessment scenario for a cloud-based application/new products of fintech . - How do you achieve ISO 27001 certification for an org with limited scope - Past experience of handling critical situations in the org | - Problem-solving approach to security compliance. - Clear understanding of risk analysis and mitigation. | |
Round 2 | Behavioral & Problem-Solving Interview | ||
Behavioral Questions | - Describe a time managing a complex Information security risk. - Experience with security compliance audits. -Ability to handle questions with pressure | - Ability to articulate past experiences. - Leadership and persuasion skills. - Experience in real-world GRC challenges. | |
Team Collaboration & Communication | - How do you collaborate with IT, legal, and operations for policy implementation? - Educating non-technical teams about security risks. | - Communication skills with technical/non-technical teams. - Teamwork and cross-functional collaboration. | |
Handling Challenging Scenarios | - How to prioritize security tasks with limited resources. - Resistance to implementing security controls. - Managing security breaches or compliance incidents. | - Critical thinking under pressure. - Ability to prioritize tasks in challenging situations. - Problem-solving during incidents. | |
Ethical Decision Making | - Example of making an ethical decision related to security/risk in the org. - Balancing security and business objectives. | - Ethical decision-making and judgment. - Ability to align security with organizational goals. | |
Critical Thinking & Problem Solving | - Scenario: Finding a critical security vulnerability in a vendor’s system. - Handling conflicting priorities between risk mitigation and business agility. | - Analytical and problem-solving skills. - Ability to handle conflicts and prioritize appropriately. | |