- **Title:** Security Assessment Engineer (Offensive Security) \- Network / Web / OT
- **Location:** Chennai, India
- **Experience:** 2–5 years in hands\-on offensive security
- **Employment type:** Full\-time
- **Travel:** Required \- on\-site and OT engagements at client locations.
- **Certification:** At least one security certification is mandatory (see Requirements)
We are building a team of genuine hackers \- not button\-pushers. You will perform network, web application, and OT/ICS security assessments by thinking and acting like a real adversary. The work goes far beyond running a scanner and exporting a report: we expect manual exploitation, creative vulnerability chaining, lateral movement, and clear demonstration of business impact.
These are not checkbox audits. Our engagements span demanding enterprise and critical environments, and every assessment is approached from an attacker's perspective. If a hard target genuinely excites you and you would rather spend an afternoon understanding a system deeply than fire off automated tooling you will fit right in. The work is varied, technically interesting, and intentionally challenging.
- *What You'll DoNetwork Security Assessment**
- Perform internal and external network penetration tests with a strong emphasis on manual exploitation over tool output.
- Conduct enumeration, exploitation, privilege escalation, and lateral movement across Windows and Linux environments.
- Assess Active Directory environments \- kerberoasting, delegation abuse, ADCS/certificate attacks, trust abuse, and credential\-based pivoting.
- Demonstrate realistic attack paths from initial foothold to domain or environment compromise.
- *Web Application Security Assessment**
- Test web and API targets manually against and beyond the OWASP Top 10 \- authentication and authorization flaws, business\-logic abuse, injection, SSRF, deserialization, and access\-control issues.
- Identify vulnerabilities that automated scanners routinely miss, and validate exploitability with proof\-of\-concept evidence.
- Chain lower\-severity findings into high\-impact exploitation scenarios.
- *OT / ICS Security Assessment**
- Safely assess operational technology, SCADA, and ICS environments where availability and system fragility are critical constraints.
- Understand industrial protocols and architectures (e.g., Modbus, DNP3, Purdue model segmentation) and the IT/OT boundary.
- Apply a careful, risk\-aware testing approach appropriate to production and safety\-critical systems.
- *Across All Engagements**
- Approach every assessment from a true attacker's mindset rather than a compliance checklist.
- Chain vulnerabilities into realistic, end\-to\-end attack narratives instead of reporting isolated tool findings.
- Write clear, evidence\-backed reports that articulate real\-world risk, reproducible exploitation steps, and practical remediation guidance.
- Present findings to technical and non\-technical stakeholders, including client leadership.
- Travel to client sites for on\-premise, network, and OT assessments as required.
- *What We're Looking ForMust\-Have**
- 2–5 years of hands\-on offensive security experience (penetration testing, red teaming, or equivalent).
- A demonstrable hacker mindset evidenced through **CTF participation, bug bounty findings, or cybersecurity hackathons** \- security\-focused competitions, not only software\-development ones.
- **At least one security certification is mandatory.** Entry\-level credentials such as **CEH** or **eJPT** are acceptable; advanced certifications are a strong plus.
- Strong manual testing ability \- you can find and exploit issues that a tool would never surface.
- Solid understanding of networking fundamentals, web technologies, operating systems, and common vulnerability classes.
- Ability to operate carefully and responsibly in sensitive or production environments.
- Willingness and readiness to travel for audits.
- Clear written and verbal communication for reporting and client interaction.
- OT/ICS or SCADA security exposure.
- Advanced or multiple certifications beyond the mandatory minimum \- e.g., **OSCP, OSWE, OSEP, CRTP, GICSP, GXPN, OSCE3**, or similar.
- Public CTF profiles, bug bounty rankings (HackerOne / Bugcrowd / Intigriti), published writeups, CVEs, or original research.
- Scripting/automation ability (Python, Bash, PowerShell) to build custom tooling and exploits.
- Familiarity with cloud security assessment (AWS / Azure / GCP).
- Experience presenting at or contributing to the security community (talks, tool releases, open\-source).
Pay: ₹30,000\.00 \- ₹35,000\.00 per month
Work Location: In person