VAPT Engineer

5 days ago

Peshawar, Khyber Pakhtunkhwa, Pakistan GlowBug Technologies Full time 1,200,000 - 2,400,000 per year

Location:
Onsite- Peshawar

Experience:
5+ Years

Employment Type
: Project Based (2 Months Engagement)

About the Role

We are looking for an experienced VAPT Engineer with deep expertise in application, network, and infrastructure security testing. The selected professional will conduct comprehensive vulnerability assessments, penetration testing, and secure source code reviews aligned with ISO 27001, NIST, and OWASP Top 10 standards.

The role requires proficiency in both automated and manual testing techniques, extensive knowledge of secure development practices, and the ability to translate technical findings into actionable remediation steps.

Key Responsibilities

  • Conduct internal and external Vulnerability Assessment and Penetration Testing (VAPT) of network, web, and application layers.
  • Perform detailed source code reviews for applications (including the Plot Management System - PMS) to identify security weaknesses.
  • Execute penetration testing across LAN, WAN, VPN, and perimeter defenses (e.g Fortinet and Sangfor firewalls).
  • Assess Active Directory configurations, access controls, and network segmentation.
  • Conduct web application and API testing using automated scanners and manual exploitation techniques.
  • Develop and document exploit proof-of-concepts (PoCs) for confirmed vulnerabilities.
  • Evaluate the security of Hyper-Converged Infrastructure (HCI), routers, switches, and wireless networks.
  • Recommend and assist with remediation strategies for identified vulnerabilities.
  • Prepare detailed technical reports and executive summaries highlighting severity levels, risk rankings, and mitigation steps.
  • Collaborate with development and IT teams to revalidate vulnerabilities post-remediation.
  • Deliver awareness sessions on secure coding and network hardening for technical staff.
  • Ensure compliance with NIST CSF, ISO/IEC 27001, and OWASP best practices.

Ideal Candidate Profile

  • 5+ years of practical experience in Vulnerability Assessment, Penetration Testing (VAPT), and Secure Code Review.
  • Proven experience conducting application, web, API, and infrastructure-level testing in compliance with OWASP, NIST, and ISO 27001 standards.
  • Proficiency with automated and manual security testing tools, including:

Open-source tools such as Nmap, Nikto, Metasploit, Burp Suite, OWASP ZAP, and Wireshark.

Commercial tools such as Invicti (Acunetix/Netsparker), Nessus, OpenVAS, and AppScan.

  • Strong ability to analyze, exploit, and document vulnerabilities with clear remediation strategies.
  • Experience performing source code reviews for multiple programming languages (PHP, .NET, Java, , etc.).
  • Familiarity with SAST, DAST, and SCA tools (e.g., Checkmarx, SonarQube, Veracode, Fortify, Black Duck).
  • Exposure to DevSecOps environments and integration of security testing into CI/CD pipelines.
  • Excellent reporting and communication skills, including the ability to present findings to technical and non-technical stakeholders.
  • Strong understanding of network configurations, firewall policies, and access control mechanisms.

Required Skills & Tools

Network & Infrastructure Security

  • Strong understanding of TCP/IP, VLANs, VPNs, DNS, firewalls, and access control lists (ACLs).
  • Experience with network and perimeter device security assessment.
  • Familiarity with tools like:

o  Nmap, Nessus, OpenVAS, Nexpose, Wireshark, Burp Suite, Metasploit, Hydra, and Nikto.

o  Device assessment and configuration validation (such as Fortinet, Cisco, and Sangfor etc).

Application & Web Security

  • Hands-on experience with OWASP Top 10 and SANS 25 vulnerabilities.
  • Proficiency in:

o  Burp Suite Pro, OWASP ZAP, Acunetix, AppScan, Netsparker/Invicti, and Postman for API testing.

o  Manual testing of SQLi, XSS, IDOR, CSRF, RCE, and authentication flaws.

o  Secure Code Review for PHP, .NET, Java, and environments.

Source Code Review & DevSecOps

  • Familiarity with SAST tools (Checkmarx, SonarQube, Veracode, Fortify).
  • Understanding of CI/CD pipeline security integration.
  • Knowledge of secure SDLC (SSDLC) implementation.

Compliance & Reporting

  • Awareness of ISO 27001, NIST, and PCI DSS compliance.
  • Ability to map vulnerabilities to CVSS v3.1 and generate detailed risk reports.
  • Proficiency in Microsoft Excel/Word/PowerPoint for report formatting.

Qualifications

  • Bachelor's/Master's Degree in Computer Science, Information Security, or related field.
  • 5–7 years of experience in cybersecurity with a focus on VAPT and secure code review.
  • Hands-on experience performing enterprise-grade audits for networks, applications, and HCI environments.

Certifications

  • Certified Ethical Hacker (CEH v12 or above) – Preferred
  • Offensive Security Certified Professional (OSCP) – Highly Preferred
  • Certified Hacking Forensic Investigator (CHFI) – Preferred
  • Licensed Penetration Tester (LPT) – Preferred
  • ISO/IEC 27001 Lead Implementer or Auditor – Desirable

Nice to Have

  • Experience in threat modelling and security architecture review.
  • Knowledge of Active Directory exploitation and PowerShell-based enumeration.
  • Familiarity with container and cloud security (AWS, Azure).
  • Ability to deliver technical awareness sessions and client presentations.

Why Work with Us

  • Be part of a fast-growing tech team redefining digital security and cloud innovation.
  • Competitive compensation with performance-based incentives.
  • Dynamic and empowering culture that supports professional growth.