Canary Wharfian - Online Investment Banking & Finance Community.

FS-RISK CONSULTING-TPRM-Senior-Application and Offensive Security

Experienced | No visa sponsorship

at Ernst & Young

Big Four

Posted 6 days ago


**Senior Application & Offensive Security Consultant** at EY, delivering secure application and adversarial testing, embedding secure-by-design practices, and mentoring junior team members. Lead secure SDLC reviews, bug bounty programs, attack simulations, and threat modeling. Collaborate with multi-disciplinary teams on-site & remotely, driving EY's quality standards. Requires 4-8 years' experience in app sec testing (SAST, DAST, API), vulnerability validation, and adversarial thinking, with certifications like CEH, OSCP, or GWAPT preferred.

Compensation
Not specified INR

Currency: INR

City
Not specified
Country
India

Full Job Description

At EY, we're all in to shape your future with confidence.

We'll help you succeed in a globally connected powerhouse of diverse teams and take your career wherever you want it to go.

Join EY and help to build a better working world. 

 

Digital Risk - Application & Offensive Security Senior

 

 

Job purpose:

 

Senior in the Risk Advisory team to work on Application Security and Offensive Security engagements for our customers across the globe.

 

You will be responsible for delivering secure application and adversarial testing engagements in accordance with EY quality guidelines & methodologies. You will be expected to execute and coordinate engagement activities on a day-to-day basis and proactively support the identification of new opportunities in application and offensive security domains.

 

You will work closely with development, DevOps, and security teams to embed secure-by-design practices and validate application security through real-world attack simulations using a Glasswing-aligned adversarial approach. You will assist in developing new methodologies, strengthen secure engineering practices, and contribute to creating a strong learning culture by mentoring junior team members.

 

In line with EY's commitment to quality, you will confirm that work is of the highest quality by reviewing outputs from junior members.

 

 

Your client responsibilities:

 

  • Perform Secure SDLC reviews and provide actionable recommendations across application environments
  • Conduct and support bug bounty programs and vulnerability validation activities
  • Execute adversarial testing and attack simulation exercises using real-world attack scenarios (Glasswing-aligned approach)
  • Identify exploitable vulnerabilities and validate them from an attacker's perspective
  • Support threat modeling and secure architecture reviews for applications
  • Maintain relationships with client stakeholders across development, DevOps, and security teams
  • Demonstrate understanding of modern application architectures (APIs, microservices, cloud-native systems)
  • Support secure design and DevSecOps integration across the application lifecycle
  • Assist Managers in business development, proposal creation, and solutioning
  • Contribute to development of methodologies, frameworks, and thought leadership
  • Facilitate knowledge sharing sessions and discussions with client teams
  • Provide regular status updates on engagements and deliverables
  • Stay updated on emerging application security threats, vulnerabilities, and attack techniques

 

 

Your people responsibilities:

 

  • Work collaboratively with team members to deliver high-quality outputs within timelines
  • Mentor and train junior resources on secure coding, testing, and adversarial thinking
  • Drive adherence to quality standards and methodologies
  • Participate in internal capability development and knowledge sharing initiatives
  • Support performance management of team members

 

 

Mandatory skills:

 

  • Strong understanding of Secure SDLC and DevSecOps practices
  • Experience in application security testing (SAST, DAST, API testing, manual testing)
  • Strong knowledge of OWASP Top 10 and web application vulnerabilities
  • Experience in bug bounty programs and vulnerability validation
  • Understanding of adversarial testing and attack simulation approaches (Glasswing-aligned)
  • Knowledge of API security (OAuth2, OIDC, mTLS)
  • Experience in threat modeling techniques
  • Familiarity with modern application architectures (cloud, microservices, containers)
  • Strong understanding of web protocols and technologies
  • Knowledge of CI/CD pipelines and secure engineering practices
  • Certifications such as CEH, OSCP, GWAPT or equivalent preferred
  • BE/BTech/MCA with 4-8 years of relevant experience

 

 

Preferred skills:

 

  • Exposure to cloud security (AWS/Azure/GCP)
  • Experience working in Agile/DevOps environments
  • Prior client-facing or consulting experience

 

EY | Building a better working world

EY is building a better working world by creating new value for clients, people, society and the planet, while building trust in capital markets.

Enabled by data, AI and advanced technology, EY teams help clients shape the future with confidence and develop answers for the most pressing issues of today and tomorrow.

EY teams work across a full spectrum of services in assurance, consulting, tax, strategy and transactions. Fueled by sector insights, a globally connected, multi-disciplinary network and diverse ecosystem partners, EY teams can provide services in more than 150 countries and territories.
