Lead Offensive Security Engineers

  • Colombo, Sri Lanka
  • Full-Time
  • On-Site

Job Description:
  • Lead and manage offensive security activities including vulnerability assessments, penetration testing, and red team exercises.
  • Plan, coordinate, and execute security assessments for networks, applications,
    APIs, cloud platforms, endpoints, and infrastructure.
  • Conduct adversarial simulations to validate the effectiveness of security controls,
    SOC monitoring, and incident response capabilities.
  • Identify, validate, prioritize, and report security vulnerabilities with clear remediation recommendations.
  • Perform advanced penetration testing including web, mobile, API, Active Directory, cloud, wireless, and container/Kubernetes environments.
  • Develop and maintain automated security assessment and validation capabilities
    integrated with CI/CD and DevSecOps processes.
  • Execute phishing simulations, privilege escalation testing, lateral movement
    testing, and threat emulation exercises aligned with real-world attack techniques.
  • Utilize and manage offensive security tools, frameworks, and platforms for
    continuous security validation and attack surface assessment.
  • Map security testing activities to frameworks such as MITRE ATT&CK, NIST, PCI
    DSS, ISO 27001, SWIFT CSP, and regulatory TRM requirements.
  • Collaborate with SOC, infrastructure, application, cloud, and DevOps teams to
    improve detection, response, and remediation capabilities.
  • Prepare technical and executive-level assessment reports for management, audit, and regulatory stakeholders.
  • Validate remediation effectiveness through re-testing and continuous monitoring
    activities.
  • Develop offensive security methodologies, standards, procedures, and testing
    playbooks.
  • Stay updated on emerging cyber threats, attack techniques, vulnerabilities, and
    security technologies.

Requirements:

  • Minimum 3+ years of experience in cybersecurity, including at least 1+ year in
    a technical leadership or senior engineering role.
  • Bachelor's degree in Information Security, Computer Science, Engineering, or a related discipline from a recognized university.
  • Industry-recognized certifications such as CISSP, CISM, OSCP, CEH, or equivalent qualifications (preferred).
  • Proven expertise in penetration testing, red team operations, and adversary emulation, covering enterprise environments (networks, applications, APIs, cloud, and Active Directory).
  • Strong hands-on experience in security architecture assessment, vulnerability analysis, risk prioritization, and exploitation techniques.
  • Experience with enterprise security technologies and detection controls, including SIEM, EDR/XDR, IDS/IPS, firewalls, WAF, SOAR, and threat detection platforms.
  • Strong knowledge of DevSecOps practices, secure software development lifecycle (SSDLC), and application security testing tools and methodologies (SAST, DAST, SCA, and API security testing).
  • Strong understanding of the MITRE ATT&CK framework, attack lifecycle modeling, and threat-informed security validation approaches.
  • Proficiency in scripting and automation using Python, PowerShell, Bash, or similar languages for offensive security tooling and security process automation.
  • Good understanding of zero-trust architecture, micro-segmentation, and software-defined security controls.
  • Strong leadership and stakeholder management abilities.
  • Excellent analytical and problem-solving skills.
  • Ability to work under pressure and manage security incidents effectively.