Penetration testing Jobs in Delhi, NCR and Gurgaon

3+ Penetration testing Jobs in Delhi, NCR and Gurgaon | Penetration testing Job openings in Delhi, NCR and Gurgaon


Fonada
Karandeep Singh
Posted by Karandeep Singh
Noida
7 - 10 yrs
₹15L - ₹20L / yr
Cyber Security
Information security
Network Security
DevSecOps
Ethical Hacking
+5 more

About the Role 

We are seeking an experienced Cyber Security Specialist who can operate across both offensive and defensive security disciplines. This dual-role professional will lead Vulnerability Assessment and Penetration Testing (VAPT) engagements, act as the in-house Red Team to simulate real-world adversaries, and own the implementation and continuous improvement of the Information Security Management System (ISMS) aligned with ISO/IEC 27001 and related standards. You will combine hands-on offensive security work with governance, audit readiness, and stakeholder engagement across engineering, IT, legal, and executive leadership. 


Key Responsibilities 

VAPT & Red Team Operations 

  • Plan, scope, and execute end-to-end Vulnerability Assessment and Penetration Testing (VAPT) engagements across web applications, mobile apps, APIs, networks, cloud environments, wireless, and physical infrastructure. 
  • Act as the organization's in-house Red Team, simulating advanced persistent threat (APT) actors through adversary emulation, social engineering, phishing campaigns, and physical intrusion testing where authorized. 
  • Design and execute Red Team operations aligned with MITRE ATT&CK, TIBER-EU, and similar frameworks; develop custom Tactics, Techniques, and Procedures (TTPs). 
  • Conduct manual and automated exploitation, post-exploitation, lateral movement, privilege escalation, and persistence testing in production-like environments. 
  • Develop custom exploits, payloads, scripts, and tooling (Python, PowerShell, Bash, C/C++, Go) to bypass security controls during sanctioned engagements. 
  • Perform source code reviews, threat modeling, and secure architecture reviews of new and existing systems. 
  • Coordinate Purple Team exercises with the Blue Team / SOC to validate detection coverage and improve defensive playbooks. 
  • Produce high-quality VAPT and Red Team reports with executive summaries, technical findings, proof-of-concept exploits, risk ratings (CVSS), and prioritized remediation guidance. 
  • Re-test remediated findings and track closure with engineering and IT teams through to verification. 

ISO Compliance & Governance 

  • Lead the implementation, maintenance, and continual improvement of the ISMS in line with ISO/IEC 27001:2022, including scope definition, Statement of Applicability (SoA), and risk treatment plans. 
  • Own and maintain ISO policies, procedures, controls, and documentation across the organization, ensuring alignment with ISO 27001, ISO 27017, ISO 27018, and ISO 22301. 
  • Plan and coordinate internal and external audits; serve as the primary liaison with certification bodies, auditors, and regulators. 
  • Conduct risk assessments, business impact analyses (BIA), and threat modeling; maintain a central risk register and drive remediation. 
  • Map VAPT and Red Team findings to ISO 27001 Annex A controls and feed results into the risk management lifecycle. 
  • Support compliance with adjacent frameworks: SOC 2, NIST CSF, GDPR, HIPAA, PCI DSS, and the DPDP Act (India), as applicable. 
  • Define and report security and compliance KPIs/KRIs to senior leadership; prepare materials for management reviews and board updates. 
  • Develop and deliver security awareness training, phishing simulations, and role-based secure-coding training. 
  • Drive third-party / vendor risk management, including security questionnaires, contractual clauses, and ongoing monitoring. 
  • Partner with engineering and DevOps to embed security into the SDLC, CI/CD pipelines, and cloud architectures (DevSecOps). 

Incident Response & Continuous Improvement 

  • Support incident response activities: detection, triage, containment, eradication, recovery, and post-incident reviews. 
  • Maintain business continuity and disaster recovery plans; coordinate BCP/DR testing and tabletop exercises. 
  • Stay current on emerging threats, CVEs, attacker techniques, regulatory changes, and ISO standard updates; recommend and drive improvements. 

Required Qualifications 

  • 8+ years of progressive experience in cyber security, with at least 4 years in hands-on offensive security (VAPT, penetration testing, or Red Team) and 3+ years in ISO 27001 implementation and audits. 
  • Proven track record of leading VAPT engagements across web, mobile, API, network, cloud (AWS / Azure / GCP), and wireless environments. 
  • Hands-on experience executing Red Team operations and adversary emulation aligned with MITRE ATT&CK. 
  • Deep proficiency with offensive security tooling: Burp Suite Pro, Metasploit, Cobalt Strike (or open-source equivalents like Sliver, Mythic, Havoc), Nmap, Nessus, Nuclei, BloodHound, Impacket, Responder, and OWASP ZAP. 
  • Strong scripting and exploit development skills in Python, PowerShell, Bash, and at least one compiled language (C/C++, Go, or Rust). 
  • Proven hands-on experience leading an organization through ISO 27001 certification and surveillance audits end-to-end. 
  • Strong working knowledge of ISO/IEC 27001:2022 (including Annex A controls), ISO 27002, ISO 27017, ISO 27018, and ISO 22301. 
  • Solid understanding of security domains: IAM, network security, endpoint security, cloud security, application security (OWASP Top 10, API Security Top 10), and Active Directory attack paths. 
  • Experience with risk assessment methodologies (ISO 27005, NIST SP 800-30) and the ability to translate offensive findings into business risk. 
  • Strong report-writing, policy-drafting, and executive communication skills. 
  • Bachelor's degree in Computer Science, Information Security, Engineering, or a related field (or equivalent experience). 

Preferred Qualifications 

  • Offensive security certifications: OSCP, OSEP, OSWE, OSED, CRTO, CRTP, CRTE, CRTL, GPEN, GXPN, GWAPT, or CEH Practical. 
  • Governance certifications: ISO 27001 Lead Implementer and/or Lead Auditor, CISSP, CISM, CISA, or CRISC. 
  • Cloud security certifications (CCSP, AWS Security Specialty, Azure Security Engineer, or GCP Professional Cloud Security Engineer). 
  • Published CVEs, security research, bug bounty achievements, or contributions to open-source security tools. 
  • Experience with Active Directory / Entra ID red teaming, Kerberos attacks, and modern EDR/XDR evasion techniques. 
  • Experience with container, Kubernetes, and serverless security testing. 
  • Experience implementing or auditing additional frameworks: SOC 2 Type II, NIST CSF, NIST SP 800-53, HITRUST, or PCI DSS. 
  • Experience with GRC platforms (Vanta, Drata, Sprinto, ServiceNow GRC, Archer, OneTrust). 
  • Experience in regulated industries: financial services, healthcare, SaaS, or critical infrastructure. 
  • Experience briefing executive leadership, customers, and external auditors on offensive findings and remediation strategy. 


OYO Rooms
Shraddha Jhamb
Posted by Shraddha Jhamb
Bengaluru (Bangalore), Delhi, Gurugram, Noida, Ghaziabad, Faridabad, Hyderabad
4 - 6 yrs
₹5L - ₹20L / yr
Penetration testing
Amazon Web Services (AWS)
Azure
OSCP
LCEH
+1 more

About The Company -

OYO Hotels & Homes is the world's third largest and fastest-growing chain of leased and franchised hotels, homes and spaces, managing over 1 million exclusive rooms across 800 cities and 80 countries. OYO was founded on the mission that everyone deserves a quality living and working space, and we are very passionate about this mission. Technology and innovation play a critical role in it, and so today we employ world-class engineers, product managers and designers across core markets and geographies. If you are looking for a high-pace environment and are itching to create a large impact through technology that reaches hundreds of millions of customers across the globe, we would love to hear from you.

 

Key Responsibilities:

  • Conduct application (web and mobile) and infrastructure penetration testing assessments.
  • Deploy, improve and operate SAST, DAST, SCA and other application security tooling to detect and prevent security vulnerabilities.
  • Work closely with business, product and development/engineering teams to provide input and guidance on building secure products, and help teams adopt shift-left security practices.
  • Work closely with the DevOps team to secure the cloud environment.
  • Develop and maintain security process activities, including security requirements engineering, threat modelling, code reviews and cyber risk assessment.
  • Improve and automate security checks within the CI/CD pipelines.
  • Continuously review and identify security improvement opportunities in existing products, processes, services and workflows, so that the organization's people, products and technology are protected against current and future threats.
  • Deliver awareness sessions on secure development to engineering/development teams.
  • Drive continuous improvement activities to define, measure, visualize and improve key application security metrics.
  • Prepare and launch social engineering campaigns.

 

Key Skills:

  • Expertise in application (web and mobile) and infrastructure penetration testing.
  • Strong experience with Azure or AWS cloud environments and their security controls.
  • Experience with microservices architectures and distributed platforms.
  • Strong experience with Agile software development and securing CI/CD pipelines.
  • Coding experience in scripting, programming and infrastructure-as-code languages (such as Python, Ruby, Java and Terraform).
  • Knowledge of how modern web and mobile apps are designed, developed and deployed across different platforms.
  • Knowledge of common exploitation techniques and their mitigations.
  • Experience implementing and managing a vulnerability management program (process and technology).
  • Experience implementing a DevSecOps ecosystem and a strong understanding of dynamic and static application security testing (DAST and SAST).
  • Understanding of the main defensive security tools (SIEM, IPS, XDR, etc.).
  • Strong understanding of OWASP, PTES and other penetration testing methodologies.
  • Understanding of global security frameworks and standards such as NIST, ISO 27001, GDPR and PCI DSS.
  • Strong knowledge of preparing and launching social engineering campaigns.
  • Ability to program or script in your preferred language.
  • Good understanding of network and OS principles.
  • Strong written and spoken English and the ability to write high-quality reports.
  • An information security qualification, e.g. CSSLP, CEH, OSCP or a similar certification.

 

Cultural Traits common to all OYO Leaders -

● Dealing with Ambiguity and Adaptability – we are a large but fast-growing company with not enough existing process or rules of engagement, and the environment changes rapidly due to new businesses, geographies, strategic partnerships and so on. You need to be able to create organization out of chaos, operate with minimal structure and adapt to change quickly while maintaining high velocity.

● Ownership – anything between you and your job is also your job.

● Bias for Action – speed matters a lot, and so does quality. The ideal leader will be pragmatic, action-oriented and know the right balance between competing priorities.

● Hunger to change the world – you need to be ambitious and willing to do more. If you believe you have already achieved your best and are primarily looking to impart that vast knowledge, we aren't the right place for you.

Job Locations: We have a pan-India presence with tech centers based out of Gurugram, Bangalore and Hyderabad. However, we are currently working from home.

 

Safe Security
Shambhavi Srivastava
Posted by Shambhavi Srivastava
NCR (Delhi | Gurgaon | Noida), Mumbai
3 - 6 yrs
₹8L - ₹14L / yr
Vulnerability assessment
Penetration testing
Open Source Contribution
Client Servicing
  1. Primary responsibility is to perform Vulnerability Assessment and Penetration Testing (VAPT) and source code review of Android applications, write up assessment reports, present findings to the various stakeholders, and support clients in patching the identified vulnerabilities.
  2. Perform Android application vulnerability assessment and penetration testing.
  3. Perform source code review of Android applications.
  4. Write in-house tools, extenders and automated scripts.
  5. Create and enhance methodology and process documents.
  6. Present identified security issues to stakeholders.
  7. Contribute to internal research and development initiatives.