VAPT Manager | Mumbai


Position Details

Position: VAPT Manager
Location: Mumbai (Onsite / Offsite as per project requirements)
Experience: Minimum 8 Years
Employment Type: Full-Time
Reporting To: VP – Cyber Security

Role Overview

We are seeking an experienced and dynamic VAPT Manager to lead end-to-end vulnerability assessment and penetration testing engagements across web, mobile, API, network, cloud, and infrastructure environments. The ideal candidate combines deep technical expertise with exceptional client management skills, an AI-first mindset, and the operational rigour to manage a 24×7×365 delivery team.

Key Responsibilities

Engagement Management

  • Lead and manage end-to-end VAPT engagements across Web, Mobile, API, Network, Cloud, and Infrastructure domains.
  • Ensure all assessments are aligned with OWASP, SANS, NIST, and PCI DSS standards and consistently produce high-quality deliverables.
  • Write clear, unambiguous Statements of Work (SOWs) with zero grey areas and manage scope throughout the engagement lifecycle.
  • Identify process gaps proactively and implement systematic improvements across delivery workflows.
  • Manage and mentor a 24×7×365 VAPT team, ensuring capacity planning, skill development, and quality assurance.

Client Communication & Relationship Management

  • Document all client discussions accurately via email and chat. Every commitment, decision, and action item must be captured without omission.
  • Conduct rigorous follow-ups with customers and proactively convey problems clearly, politely, and factually without embellishment or delay.
  • Identify the real client decision-maker (Point of Contact) and build strong relationships that reduce their operational burden while demonstrating ControlCase’s added value.
  • Escalate appropriately and communicate effectively up to CISO and CTO level when required.
  • Anticipate client questions, objections, and cross-examination points by thinking 10 steps ahead and prepare the team accordingly before engagements progress.

Operational Excellence & SLA Management

  • Define, document, and enforce SLAs, response frequencies, and follow-up protocols through ticket management systems or structured Excel trackers where formal systems are unavailable.
  • Maintain a daily request tracker and analyse trends including request volumes, types, duplicates, noise (no-action entries), and resource capacity requirements by activity type.
  • Monitor and report daily, weekly, and monthly KPIs using trend analysis tools such as Power BI and Excel.
  • Analyse monthly vulnerability and configuration assessment scan results with trend breakdowns by IP, operating system, vulnerability type, configuration findings, and related metrics.

Technical Delivery & Reporting

  • Perform and oversee comprehensive security testing using industry-standard tools including Burp Suite, Nessus, Nmap, Metasploit, and OWASP ZAP.
  • Deep dive into raw vulnerability assessment results, conduct thorough research, contextualise findings, and distil them into impactful executive-level presentations for client senior management.
  • Leverage the full Microsoft 365 ecosystem including Word, Excel, PowerPoint, Teams, and SharePoint, along with AI tools such as GitHub Copilot and Microsoft Copilot to accelerate output quality and reporting speed.
  • Review and validate vulnerability reports to ensure accuracy, completeness, and actionable remediation guidance.
  • Support automation initiatives and drive tool integrations that improve efficiency and reduce manual effort.

AI-First Approach

  • Champion an AI-first working philosophy across the VAPT team by actively identifying opportunities to embed AI tools into assessment workflows, reporting, and client communications.
  • Contribute to AI-driven enhancements in VAPT processes, including intelligent triage, automated evidence analysis, and AI-assisted report generation.
  • Stay current with advancements in AI tools relevant to cybersecurity and proactively evaluate their applicability to ControlCase’s service delivery model.

Technical Skills & Knowledge

Core Testing Domains

  • Web Application Security Testing (OWASP Top 10, SANS Top 25)
  • API Security Testing (REST, SOAP, GraphQL)
  • Mobile Security Testing (iOS and Android)
  • Network and Infrastructure Penetration Testing
  • Cloud Security Assessment (AWS, Azure, GCP fundamentals and configuration review)

Tools

  • Exploitation & Scanning: Burp Suite Pro, OWASP ZAP, Metasploit Framework
  • Vulnerability Assessment: Nessus / Tenable.io, Nmap, OpenVAS
  • Reporting & Analytics: Microsoft Power BI, advanced Excel, Microsoft 365 Suite
  • AI & Productivity: Microsoft Copilot, GitHub Copilot, and equivalent AI tools

Standards & Frameworks

  • OWASP Testing Guide and OWASP Top 10
  • SANS Top 25 / CWE
  • NIST SP 800-115 (Technical Guide to Information Security Testing)
  • PCI DSS v4.0.1 Penetration Testing Requirements

Scripting & Automation

  • Python scripting for test automation, data parsing, and workflow tooling.
  • API interaction and automation using REST and JSON.

Qualifications & Certifications

Education

  • Bachelor’s degree in Computer Science, Information Technology, Engineering, or a related field.

Certifications (Required / Preferred)

Required | Preferred / Advantageous
  • CEH – Certified Ethical Hacker
  • OSCP – Offensive Security Certified Professional
  • CPSA
  • GWAPT
  • GPEN
  • CISSP – Certified Information Systems Security Professional
