VAPT - Cybersecurity Vulnerability Assessment Manager

Role Overview

Key Responsibilities

• Own and lead the Offensive Security & VAPT function, including service line P&L, strategic delivery roadmap, team management, and client satisfaction
• Architect and oversee enterprise-scale VAPT and red team engagements, driving delivery excellence across infrastructure, applications, APIs, mobile, and cloud environments
• Engage directly with senior client stakeholders (CISOs, CTOs, Risk Leaders) to translate business risk into actionable technical assessments and recommend mitigation strategies
• Define testing frameworks and reusable methodologies to standardize and elevate delivery across projects, including red teaming, threat emulation, and advanced attack simulations
• Direct a high-performing offensive security team, including Red Teamers, AppSec specialists, and security testers, ensuring their continuous development and engagement
• Lead strategic threat modeling and secure design reviews in collaboration with clients' architecture and engineering teams, integrating security into early lifecycle stages
• Govern quality of deliverables, including technical findings, risk summaries, and executive-ready reports, ensuring alignment with business impact and remediation feasibility
• Drive operational excellence across testing engagements, ensuring timelines, SLAs, and KPIs (eg, MTTR, false positive rate, TTP coverage) are consistently met or exceeded
• Spearhead R&D initiatives to evaluate emerging threats, tools, and offensive capabilities relevant to client environments and evolving attack surfaces
• Collaborate with cross-functional internal teams (MXDR, GRC, Incident Response, Product) to align offensive security outputs with broader risk and advisory services
• Represent NopalCyber at industry forums, client executive reviews, and security advisory boards as a trusted expert in offensive cybersecurity

Required Qualifications

• Bachelor's degree in Engineering, Computer Science, or a related field; a Masters is preferred
• 18 years of experience in cybersecurity with at least 5 years in leadership roles across VAPT, Red Team, or Application Security domains
• Demonstrated experience managing technical delivery and strategic outcomes for multiple clients or large-scale programs

Preferred Certifications

Desired Skills

• In-depth understanding of modern attack vectors, OWASP Top 10, MITRE ATT&CK, and real-world exploitation techniques
• Strong command of tools such as Burp Suite Pro, Cobalt Strike, Metasploit, Nmap, Kali Linux, AppDetective, and WebInspect
• Proficiency in cloud security testing across AWS, Azure, or GCP; experience with containerized and microservices-based environments
• Hands-on exposure to reviewing or attacking applications built using C++, Java, Python, Go, JavaScript, and working within Kubernetes or CI/CD pipelines
• Capability to present complex technical findings in clear, business-relevant language to executive stakeholders