Job Title: Security Vulnerability and Penetration Testing (VAPT) Engineer
Job Responsibilities:
The Security Vulnerability and Penetration Testing (VAPT) Engineer is responsible for overseeing and acting as a technical resource for all assessment activities related to the security posture of existing and proposed law firm systems, platforms, and processes. The primary goal is to protect and continually improve the confidentiality, integrity, and availability of information systems in alignment with the law firm's business objectives, regulatory requirements, and strategic goals. Key responsibilities include:
- Performing security penetration testing on the law firm’s systems, platforms, and applications.
- Serving as a Subject Matter Expert (SME) for the VAPT function.
- Acting as the system owner for common VAPT toolsets, platforms, and processes.
- Providing technical assessment reports that are comprehensible to the target audience and include practical, reasonable recommendations based on sound risk management principles.
Education and Experience Information:
The ideal candidate for the Security Vulnerability and Penetration Testing (VAPT) Engineer position should possess the following education and experience:
- A bachelor’s degree in Computer Science or substantially equivalent experience.
- CISSP certification is required.
- GIAC GPEN or GWAPT certification is preferred.
- Offensive Security OSCP certification is required.
- Commanding knowledge of VAPT concepts and best practices, including the requirements for WhiteHat/ethical hacking.
- An expert understanding of the difference between a vulnerability assessment and a penetration test regarding assessment scope, objectives, and deliverables.
- Extensive experience with common automated VAPT tools such as Nessus, Appscan, Burp Suite, Nipper, and Trustwave.
- Expertise with common attack tools and frameworks such as Wireshark, Kali, Metasploit, etc.
- Expertise with mobile platform security technology, including vulnerability identification and exploitation tools, as well as mobile platform security best practices and frameworks.
- An understanding of VAPT in the context of risk management and organizational priorities.
- A passion for the practice and pursuit of VAPT excellence.
- Ability to validate the presence of identified vulnerabilities accurately.
- Mastery of common application platforms and technologies to effectively understand and evaluate complex application assessments using manual techniques and simple tools such as proxies and browser plugins.
- Authoritative mastery of OWASP, CVE, general security controls, and other foundational topics, such as the latest application and operating system exploits.
- Expert knowledge of common scripting and programming languages is advantageous.
- Ongoing commitment to understanding the threat landscape and common adversary motivations/practices, with the ability to quickly adapt practices to evolving circumstances.
- Ability to maintain critical thinking and composure under pressure.
- Strong written and oral communication skills, with the ability to convey complex concepts to non-technical constituents. Proficiency in oral and written English is required.
- Capability to assist with the preparation of internal training materials and documentation.
- Ability to be productive and maintain focus without direct supervision.
Salary Information:
This position is bonus-eligible and includes medical, dental, vision, and 401(k) benefits based on the number of hours worked. If located in an office in one of the states listed (New York, Illinois, California, or Washington DC), the US base compensation for this position is expected to be in the range of $130,000-$150,000. Within this range, individual pay is determined by work location and additional factors, including job-related skills, experience, and relevant education or training. More specific details about the salary range for a preferred location can be shared by the recruiter during the hiring process.
