Role: Infosec Engineer
Experience: 1-3 years
Location: Bangalore
Job Description:
We are seeking an Application Security Engineer to perform vulnerability assessments and penetration testing on web integrations, web applications, and mobile applications. Responsibilities include identifying security vulnerabilities, conducting secure code reviews, and ensuring compliance with OWASP, NIST, and ISO 27001 standards. The role requires expertise in manual and automated security testing using tools such as Burp Suite, Metasploit, and Kali Linux.
Key Responsibilities:
Vulnerability Assessment & Penetration Testing:
● Perform regular internal and external VAPT on infrastructure, web applications, APIs, mobile applications, and cloud environments.
● Identify, triage, and exploit security vulnerabilities through static and dynamic application security testing (SAST/DAST), and report them with detailed proof-of-concept (PoC) documentation.
● Use both automated and manual testing methodologies to uncover security weaknesses.
● Perform security-focused code reviews.
Threat Analysis & Risk Assessment:
● Conduct in-depth risk assessments of identified vulnerabilities.
● Collaborate with teams to prioritize and remediate security issues.
● Develop and maintain a vulnerability management program.
Tooling & Automation:
● Utilize open-source and commercial VAPT tools such as Burp Suite, Nessus, Nmap, Metasploit, OWASP ZAP, and others.
● Create and enhance custom scripts or tools to automate testing processes.
● Stay updated on the latest vulnerabilities, exploits, and security trends.
Reporting & Documentation:
● Prepare detailed VAPT reports with risk ratings, impact analysis, and remediation recommendations.
● Communicate findings to technical and non-technical stakeholders.
● Ensure compliance with industry standards (e.g., OWASP, CIS, NIST) and regulatory requirements.
Collaboration & Continuous Improvement:
● Work closely with DevOps, IT, and engineering teams to address security gaps.
● Assist teams in reproducing, triaging, and addressing application security vulnerabilities.
● Work closely with developers to integrate security into the software development lifecycle, providing guidance on secure coding practices.
● Contribute to security awareness programs by sharing insights from VAPT exercises.
● Support red team/blue team exercises, if applicable.
Required Skills
● Strong hands-on experience with VAPT tools (e.g., Nessus, OpenVAS, Qualys, Burp Suite, Metasploit, Nmap, etc.).
● Proficiency in identifying and exploiting vulnerabilities (SQLi, XSS, RCE, SSRF, IDOR, etc.).
● Ability to perform threat modeling to identify potential security threats and design effective countermeasures.
● Knowledge of secure coding practices and SDLC integration.
● Experience with cloud security testing (AWS, Azure, GCP).
● Familiarity with scripting languages (Python, Bash, PowerShell) for automation.
● Understanding of common security frameworks (OWASP, MITRE ATT&CK, NIST).
● Strong analytical and problem-solving skills.
● 1-3 years of experience in the security domain.
Preferred Qualifications:
● Certifications: OSCP, CEH, GPEN, eCPPT, or equivalent.
● Experience with container and Kubernetes security testing.
● Knowledge of WAF bypass techniques and post-exploitation tactics.
● Experience with CI/CD pipeline security testing.
Information Security Engineer (InCred Grade - Assistant Manager), 3+ years
Job Description
Key Areas: ISO 27001, security governance, evaluating and implementing security tools (SIEM, DLP, endpoint protection), security reviews and assessment, preparation of security checklist, security awareness/phishing simulation, cloud security, Application security.
Certifications (good to have, not mandatory): ISO 27001, CISM, or CISSP.
Experience
Skills:
Interview evaluation parameters:
Round 1: Fundamentals & Knowledge-Based Interview

Focus Area: Information Security Knowledge
Topics/Questions:
● Define information security and its principles (Confidentiality, Integrity, Availability).
● Explain common threats and vulnerabilities (OWASP Top 10).
● Knowledge of security governance protocols.
● Familiarity with regulatory standards such as ISO 27001, GDPR, and NIST.
● Familiarity with Indian regulatory requirements from RBI, SEBI, NSE, BSE, and CDSL.
Evaluation Criteria:
● Depth of knowledge in information security principles.
● Ability to apply security concepts to real-world scenarios.
● Familiarity with tools and protocols.

Focus Area: Risk Management & Frameworks
Topics/Questions:
● Explain the risk management process (Identify, Assess, Mitigate, Monitor).
● Familiarity with the risk identification process.
● Risk assessment for critical environments.
● Ability to identify risks and prepare a risk register from scratch.
Evaluation Criteria:
● Understanding of the risk management lifecycle.
● Experience with risk assessments.
● Ability to prioritize and mitigate risks.

Focus Area: Vendor Risk Management
Topics/Questions:
● How do you assess and mitigate risks associated with third-party vendors?
● Steps for conducting vendor security assessments.
● Managing vendor compliance (e.g., SOC 2, ISO 27001).
Evaluation Criteria:
● Understanding of third-party risk management.
● Ability to evaluate vendor security and compliance.
● Knowledge of vendor legal contracts and SLAs.

Focus Area: Security Controls & Policies
Topics/Questions:
● How to develop, create, and enforce security policies.
● User access control management in an organization.
● Monitoring security controls.
● Ability to identify gaps and provide resolutions from an information security point of view.
Evaluation Criteria:
● Ability to create and enforce security policies.
● Knowledge of access control and continuous monitoring techniques.

Focus Area: Practical Scenario
Topics/Questions:
● Scenario: Assess the security compliance of an organization, identify gaps, and suggest improvements.
● Risk assessment scenario for a cloud-based application or new fintech products.
● How do you achieve ISO 27001 certification for an organization with limited scope?
● Past experience handling critical situations in an organization.
Evaluation Criteria:
● Problem-solving approach to security compliance.
● Clear understanding of risk analysis and mitigation.

Round 2: Behavioral & Problem-Solving Interview

Focus Area: Behavioral Questions
Topics/Questions:
● Describe a time you managed a complex information security risk.
● Experience with security compliance audits.
● Ability to handle questions under pressure.
Evaluation Criteria:
● Ability to articulate past experiences.
● Leadership and persuasion skills.
● Experience with real-world GRC challenges.

Focus Area: Team Collaboration & Communication
Topics/Questions:
● How do you collaborate with IT, legal, and operations for policy implementation?
● Educating non-technical teams about security risks.
Evaluation Criteria:
● Communication skills with technical and non-technical teams.
● Teamwork and cross-functional collaboration.

Focus Area: Handling Challenging Scenarios
Topics/Questions:
● How to prioritize security tasks with limited resources.
● Handling resistance to implementing security controls.
● Managing security breaches or compliance incidents.
Evaluation Criteria:
● Critical thinking under pressure.
● Ability to prioritize tasks in challenging situations.
● Problem-solving during incidents.

Focus Area: Ethical Decision Making
Topics/Questions:
● Example of making an ethical decision related to security or risk in the organization.
● Balancing security and business objectives.
Evaluation Criteria:
● Ethical decision-making and judgment.
● Ability to align security with organizational goals.

Focus Area: Critical Thinking & Problem Solving
Topics/Questions:
● Scenario: Finding a critical security vulnerability in a vendor's system.
● Handling conflicting priorities between risk mitigation and business agility.
Evaluation Criteria:
● Analytical and problem-solving skills.
● Ability to handle conflicts and prioritize appropriately.