Job Title: Assistant Manager | Penetration Testing | Bengaluru | Cyber Strategy & Transformation
Your potential, unleashed.
India’s impact on the global economy has increased at an exponential rate and Deloitte presents an opportunity to unleash and realize your potential amongst cutting edge leaders, and organisations shaping the future of the region, and indeed, the world beyond.
At Deloitte, bring your whole self to work, every day. Combine that with our drive to propel with purpose and you have the perfect playground to collaborate, innovate, grow, and make an impact that matters.
The team
Technology & Transformation - Cyber: Cyber Strategy & Transformation. Our Cyber Strategy team helps organizations build cybersecurity programs aligned with their strategic goals and risk appetite. We foster a collaborative culture that encourages innovation and delivers tailored solutions. Our vision is to provide proactive risk management and strategic insights to enhance business resilience.
Your work profile
We are seeking an Assistant Manager with 3–5 years of hands-on experience in Penetration Testing and Application Security to lead and deliver security assessments across web, mobile, APIs, and cloud-native applications. The ideal candidate combines strong technical expertise with delivery ownership, junior team mentoring, and clear, executive-ready reporting. You will collaborate closely with engineering, product, DevOps, and risk/compliance teams to scale secure-by-design practices and continuous assurance.
Desired qualifications and education
- 3–5 years of relevant experience in penetration testing and application security with demonstrable hands-on delivery.
- Any Graduation Degree.
- Strong knowledge of OWASP Top 10 (Web/API/Mobile), ASVS/MASVS, common CVE/CWE classes, and vulnerability exploitation techniques.
- Proficiency with tools and ecosystems such as:
  - Web/API: Burp Suite Pro (extensions), ZAP, Postman, REST/GraphQL testing.
  - Mobile: Frida, Objection, jadx, MobSF, mitmproxy/Charles, platform debuggers.
  - Cloud/Containers/IaC: Docker/K8s basics, tfsec/checkov, kube-bench/kube-hunter (nice to have).
  - Code & DevSecOps: Git, common CI (Azure DevOps, GitLab CI, Jenkins/GitHub Actions), SAST/DAST/SCA/Secrets scanners.
- Practical experience with authN/authZ patterns (JWT/OAuth2/OIDC), session management, cryptography basics, and API security (incl. rate-limits, abuse prevention).
- Ability to write PoCs, craft payloads, and clearly document reproduction and fix guidance.
- Excellent report writing and presentation skills; able to translate technical risk into business impact.
1) Penetration Testing (Hands-on Delivery)
- Plan, scope, and execute web, mobile, API, thick client, and cloud (IaC/container) penetration tests, including authenticated/role-based testing.
- Perform manual exploitation and validate findings beyond automated tool output; confirm impact, likelihood, and business context.
- Conduct secure code reviews (select modules) and assess common web/mobile pitfalls (auth/session, access control, input validation, crypto, secrets, SSRF/XXE/IDOR, RCE, deserialization, jailbreak/root detection bypass, etc.).
- Execute red-team style engagements or focused attack simulations (credential stuffing, phishing payload evaluation, lateral movement in app tiers) as applicable.
- Re-test fixes, verify remediation quality, and provide developer-ready reproduction steps and fix guidance.
2) Application Security (AppSec & DevSecOps)
- Embed and scale SSDLC controls (requirements, threat modeling, design reviews, SAST/DAST/SCA gating, pre-prod security sign-off).
- Integrate and tune CI/CD security tooling (e.g., SAST/DAST/SCA/Secrets/IaC scanners), define break/fix thresholds, and triage security build failures with engineering.
- Run threat modeling workshops (e.g., STRIDE) and support security architecture advisories (OAuth/OIDC, session mgmt, token handling, zero trust patterns).
- Define and maintain secure coding standards and developer enablement (cheat sheets, brown-bags, fix clinics).
- Partner with product and platform teams on security-by-design for APIs, microservices, cloud services, and event-driven systems.
3) Governance, Risk & Compliance (Delivery Ownership)
- Produce clear, risk-ranked reports (exec summary + technical details), metrics, and remediation trackers; present to technical stakeholders and senior leadership.
- Align work with relevant frameworks/standards: OWASP ASVS/MASVS, OWASP Testing Guide, ISO/IEC 27001, PCI DSS (where applicable), and internal policies.
- Manage SoW scope, timelines, resource plans; ensure ethical testing practices, data protection, and legal approvals are in place prior to testing.
4) Stakeholder Management & Mentoring
- Serve as day-to-day point of contact for engagements; provide status updates, risk communication, and expectation management.
- Mentor junior analysts on methodology, manual validation, reporting quality, and professional conduct.
- Collaborate with Cloud, DevOps, Architecture, and Product teams to prioritize and drive remediation to closure.
Preferred Certifications (Nice to Have)
- OSCP/OSWE/OSEP, CRTP/CRTE, eWPT/eWPTX, GWAPT, GMOB, CEH Practical.
- Secure coding or cloud security certifications: CCSP, AZ-500, AWS Security Specialty, GCP Professional Cloud Security.
Location and way of working
- Base location: Hyderabad
- This profile involves frequent travelling to client locations.
- Hybrid is our default way of working. Each domain has customized the hybrid approach to their unique needs.
How you’ll grow
Connect for impact
Our exceptional team of professionals across the globe are solving some of the world’s most complex business problems, as well as directly supporting our communities, the planet, and each other. Know more in our Global Impact Report and our India Impact Report.
Empower to lead
You can be a leader irrespective of your career level. Our colleagues are characterised by their ability to inspire, support, and provide opportunities for people to deliver their best and grow both as professionals and human beings. Know more about Deloitte and our One Young World partnership.
Inclusion for all
At Deloitte, people are valued and respected for who they are and are trusted to add value to their clients, teams and communities in a way that reflects their own unique capabilities. Know more about everyday steps that you can take to be more inclusive. At Deloitte, we believe in the unique skills, attitude and potential each and every one of us brings to the table to make an impact that matters.
Drive your career
At Deloitte, you are encouraged to take ownership of your career. We recognise there is no one size fits all career path, and global, cross-business mobility and up / re-skilling are all within the range of possibilities to shape a unique and fulfilling career. Know more about Life at Deloitte.