Manager - Penetration Testing

Riyadh, Saudi Arabia Posted: 03 Feb 2026

Financial

  • Estimate: $45k - $60k*
  • Zero income tax location

Accessibility

  • Office Only
  • Apply from abroad
  • Visa Provided

Requirements

  • Experience: Intermediate
  • English: Professional

Position

The role is responsible for simulating real-world cyberattacks to identify vulnerabilities in the company's applications, systems, networks, and infrastructure. This role ensures proactive detection of security weaknesses before they can be exploited by adversaries, supports compliance with regulatory and industry requirements, and contributes to strengthening the company's overall cybersecurity posture.

Responsibilities

  • Plan, scope, and conduct penetration tests on applications, networks, APIs, and infrastructure.
  • Perform vulnerability assessments and exploit identified weaknesses to demonstrate risk exposure.
  • Develop and execute threat scenarios including web, mobile, cloud, and social engineering attacks.
  • Conduct red-team and adversary simulation exercises, including advanced persistent threat (APT) tactics.
  • Identify, document, and prioritize findings, providing detailed remediation guidance to relevant teams.
  • Work closely with developers, system administrators, and security engineers to remediate findings.
  • Conduct security testing on new applications, products, and systems prior to go-live.
  • Stay current with emerging threats, vulnerabilities, and attack techniques.
  • Develop proof-of-concept exploits to demonstrate practical risks of identified vulnerabilities.
  • Ensure penetration testing activities comply with applicable regulations (e.g., SAMA CSF, NCA ECC/DCC/CCC, PCI DSS, ISO 27001, NIST).
  • Support awareness by sharing threat insights and lessons learned with internal stakeholders.
  • Contribute to improving security standards, policies, and secure development practices.
  • Perform any other duties assigned by the line manager related to the nature of the work.
  • Enforce, incorporate, and comply with all necessary controls and related information security policies, procedures, practices, training, reporting, personal due diligence, and vigilance, within departmental/unit activities and operations.

Requirements

  • A tertiary level qualification from a recognized institution.
  • Industry-recognized certifications in Offensive Security or SANS or other relevant certifications preferred.
  • 3 to 5 years of professional experience in penetration testing, ethical hacking, or red teaming.
  • Hands-on experience with penetration testing tools and frameworks (e.g., Burp Suite, Metasploit, Cobalt Strike, Nmap, Kali Linux, Wireshark, BloodHound).
  • Proven track record in identifying, exploiting, and reporting vulnerabilities across different environments (web, mobile, infrastructure, cloud, APIs).
  • Strong knowledge of network protocols, operating systems (Windows, Linux), web technologies, and cloud platforms.
  • Understanding of threat modelling, kill chain analysis, and MITRE ATT&CK framework.
  • Ability to write and customize scripts/exploits in languages such as Python, PowerShell, Bash, or JavaScript.
  • Familiarity with secure coding practices and common vulnerabilities (e.g., OWASP Top 10, SANS CWE Top 25).
  • Excellent communication, problem-solving, attention to detail, and analytical thinking skills.