Security Tester

Paramount Assure

Security Tester AI-Native Application Security & VAPT Team: Security Engineering Location: Hybrid (India-Coimbatore) Employment type: Full-time Experience: 2.5+ years Reports to: Security Engineering Lead
Why This Role Exists

Most security testers were trained to break software that behaves the same way every time you poke it. That world is gone. We build AI-native applications — LLM-backed products, RAG pipelines, and autonomous agents that reason, call tools, and make decisions on their own. These systems fail in ways a classic scanner will never catch: a politely worded sentence can override a system prompt, a poisoned document can hijack an agent mid-task, and a “helpful” tool call can quietly exfiltrate data We’re looking for a Security Tester who is equally comfortable running a full VAPT engagement against a web app or cloud stack and red-teaming a model that talks back. You’ll be the person who thinks like an attacker in a world where the target can be convinced, not just exploited
What You’ll Actually Do
    • Own end-to-end VAPT engagements across web apps, REST/GraphQL APIs, cloud infrastructure, and internal networks — from scoping and threat modelling to exploitation, reporting, and retesting.
    • Red-team AI-native applications: prompt injection (direct and indirect), jailbreaks, system-prompt leakage, insecure output handling, RAG poisoning, training-data extraction, model denial-of-service, and excessive-agency abuse in agentic systems.
    • Break agents and their tool-chains: test tool/function-calling boundaries, MCP (Model Context Protocol) server exposure, sandbox escapes, and privilege escalation through chained tool calls.
    • Map findings to real frameworks — OWASP Top 10, OWASP LLM Top 10, OWASP Agentic Security (ASI), MITRE ATT&CK, and MITRE ATLAS — so remediation is grounded, not hand-wavy.
    • Score and prioritize vulnerabilities using CVSS, with clear, reproducible proof-of-concept and business-impact context that both engineers and leadership can act on.
    • Write reports people read: crisp, developer-friendly write-ups with reproduction steps, evidence, and pragmatic remediation guidance — not a wall of scanner output.
    • Shift security left: help embed automated security testing (SAST, SCA, DAST, secret scanning, IaC scanning, LLM red-team checks) into CI/CD pipelines and PR gates.
    • Retest and verify fixes, track remediation to closure, and partner with engineering to make the fix stick.
    • Stay ahead of the curve — track emerging AI attack techniques and feed new test cases back into our internal red-team playbooks.

What We Need From You (Must-Haves)
    • 2.5+ years of hands-on offensive security / penetration testing experience.
    • Demonstrated experience with the full VAPT lifecycle for web, API, and cloud targets — you can scope, exploit, and communicate, not just run a tool.
    • Strong grasp of the OWASP Top 10 and common web/API vulnerability classes (authn/authz flaws, injection, SSRF, IDOR, deserialization, misconfigurations).
    • Working knowledge of LLM and AI application attack surfaces — prompt injection, jailbreaks, insecure output handling, and the OWASP LLM Top 10 — or a clear, provable appetite to go deep here fast.
    • Hands-on with core offensive tooling: Burp Suite, OWASP ZAP, Nmap, Nuclei, Metasploit, sqlmap, and similar.
    • Comfortable in at least one scripting language (Python strongly preferred) to build custom exploits, harnesses, and automation.
    • Solid understanding of web protocols, authentication/authorization (OAuth 2.0 / OIDC, JWT, session management) and how they break.
    • Familiarity with cloud security fundamentals (AWS, Azure, or GCP) and containerized environments (Docker, Kubernetes).
    • Ability to write clear, prioritized, reproducible reports and explain risk to both engineers and non-technical stakeholders.
What Will Make You Stand Out (Nice-to-Haves)
    • Hands-on experience with LLM/agent red-teaming frameworks: Garak, PyRIT, DeepTeam, promptfoo, or Microsoft’s AI Red Teaming Agent.
    • Experience with AI guardrail / defense tooling: Lakera Guard, Rebuff, Llama Prompt Guard, or custom prompt-injection classifiers.
    • Familiarity with MCP security and agent-sandboxing concepts (MCP Scan, tool-permission boundaries, isolation).
    • Exposure to RAG pipeline security, vector-store poisoning, and multi-agent orchestration risks.
    • Knowledge of MITRE ATLAS and the NIST AI Risk Management Framework (AI RMF).
    • Experience integrating security testing into CI/CD (GitHub Actions, GitLab CI) and policy-as-code gating (OPA / Rego).
    • Cloud-native security experience with Kubernetes (RBAC, network policies, admission control).
    • Bug-bounty track record, CTF wins, published research, or CVEs to your name.

Certifications (A Plus, Not a Gate)
OSCP, OSWE, eWPT/eWPTX, GPEN, GWAPT, CEH, or AI-security-specific credentials. We care more about what you can break than what’s on paper.

How to apply

To apply for this job you need to authorize on our website. If you don't have an account yet, please register.