Lead Penetration Tester

JOB DESCRIPTION

Hands-on Penetration Testing
Perform authorized penetration testing for web applications, mobile applications, APIs, infrastructure, cloud environments, and digital platforms.
Identify, validate, exploit where appropriate, and document security vulnerabilities, including authentication, authorization, session management, input validation, encryption, access control, and business logic issues.
Conduct security assessments based on industry standards such as OWASP Top 10, OWASP API Security Top 10, OWASP Mobile Security Testing Guide, and relevant security practices.
Analyze application flows, user journeys, transaction processes, access controls, and data handling mechanisms to identify potential security risks.
Perform vulnerability assessment and manual verification to reduce false positives and confirm actual exploitability in authorized environments.
Conduct retesting activities to validate remediation effectiveness and ensure vulnerabilities are properly resolved.
Support security testing activities within the SDLC, including security requirement review, threat analysis, test planning, and release security validation.
Stay updated with emerging cyber threats, attack techniques, security risks, and security testing best practices.
Technical Leadership & Delivery Support
Lead the planning, scoping, and execution of penetration testing activities across assigned projects or workstreams.
Define penetration testing approach, test strategy, testing scope, priorities, timelines, and required evidence based on project and client requirements.
Guide and mentor penetration testers or security engineers in testing methodology, vulnerability validation, reporting quality, and remediation discussions.
Review vulnerability findings, risk ratings, evidence, and remediation recommendations to ensure accuracy, consistency, and practical value.
Act as the main technical point of contact for penetration testing activities, working with client stakeholders, security teams, development teams, DevOps, infrastructure teams, and compliance teams.
Facilitate vulnerability walkthroughs, risk clarification sessions, remediation discussions, and retesting alignment with relevant stakeholders.
Support estimation, planning, status tracking, issue escalation, and delivery reporting for security testing activities.
Contribute to improving security testing processes, reporting templates, testing checklists, knowledge sharing, and reusable testing practices.
Support regulatory, audit, and compliance requirements by providing security testing evidence, reports, remediation status, and technical clarification when needed.

JOB REQUIREMENT

Strong hands-on experience in penetration testing, vulnerability assessment, ethical hacking, and security testing across application, API, mobile, network, and cloud environments.
Proven experience leading or coordinating penetration testing activities, including test planning, execution tracking, finding review, stakeholder communication, and retesting coordination.
Strong knowledge of web and API security vulnerabilities, including OWASP Top 10, API authentication, authorization, token handling, insecure direct object references, injection, broken access control, and business logic flaws.
Experience testing iOS and Android applications, including mobile application security controls, local storage, certificate pinning, authentication, session handling, and secure communication.
Experience in assessing network services, servers, operating systems, misconfigurations, access controls, and common infrastructure vulnerabilities.
Familiarity with cloud security concepts and security testing considerations for AWS, Azure, or GCP environments.
Hands-on experience with tools such as Burp Suite, OWASP ZAP, Nmap, Nessus, Metasploit, Wireshark, Postman, MobSF, or equivalent security testing tools.
Ability to independently validate vulnerabilities, assess exploitability, determine business impact, and provide clear remediation recommendations.
Ability to write and review clear security reports, including vulnerability details, risk ratings, technical evidence, business impact, and remediation guidance.
Ability to explain technical findings to both technical and non-technical stakeholders in a clear, structured, and practical manner.
Ability to work with engineering teams to clarify root causes, support fix implementation, and perform retesting.
Good understanding of secure coding principles, data privacy, encryption, identity and access management, and common security frameworks.
Understanding of security requirements in regulated, audit, or compliance-driven environments.
Strong problem-solving skills, ownership mindset, attention to detail, and ability to manage multiple testing activities in parallel.
Excellent English communication skills are required, with the ability to communicate fluently and confidently with client stakeholders, security teams, business users, and technical teams.
Nice-to-have Requirements
Prior experience working on penetration testing or security assessment projects for banks, fintechs, payment platforms, card systems, or financial institutions.
Good understanding of banking systems, digital banking, payments, cards, customer onboarding, AML/KYC, fraud management, account services, and transaction flows.
Familiarity with banking security practices and financial industry security requirements.
Familiarity with PCI DSS, ISO 27001, SOC 2, SWIFT Customer Security Controls
Framework, local banking regulations, or other financial industry security requirements.
Experience conducting secure code review or working with SAST tools to identify security issues in application code.
Experience integrating security testing into CI/CD pipelines and working with tools such as SAST, DAST, SCA, container scanning, or secrets detection.
Familiarity with cloud misconfiguration assessment, container security, Kubernetes security, Docker security, and infrastructure-as-code security checks.
Experience with controlled red team exercises, attack simulation, phishing simulation, or adversary emulation in authorized environments.
Ability to use Python, Bash, PowerShell, or similar scripting languages to automate testing, validation, or reporting tasks.
Experience building security testing methodology, playbooks, checklists, report templates, or quality review practices.
Experience mentoring junior or mid-level penetration testers and supporting capability development within a security testing team.
Relevant certifications such as CEH, eJPT, PNPT, OSCP, GWAPT, GPEN, CISSP, CISM, or equivalent are preferred.

WHAT'S ON OFFER

Competitive salary
13th-month salary guarantee
Performance bonus
Professional English course for employees
Premium health insurance
Extensive annual leave

CONTACT

PEGASI – IT Recruitment Consultancy | Email: recruit@pegasi.com.vn | Tel: +84 28 3622 8666
We are PEGASI – IT Recruitment Consultancy in Vietnam. If you are looking for new opportunity for your career path, kindly visit our website www.pegasi.com.vn for your reference. Thank you!

Job Summary

Company Type:

Outsource

Technical Skills:

Location:

Ho Chi Minh, Ha Noi - Viet Nam

Working Policy:

Hybrid

Job ID:

J02215

Status:

Active

Related Job:

(JTL) Tech Lead (ERP)

Ho Chi Minh - Viet Nam


Outsource

  • .NET
  • ReactJS
  • Azure

Leading, mentoring, and developing a cross-functional team of backend and frontend developers, and promoting technical ownership and continuous learning. Ensuring that technical direction and architecture across the stack follows the JTL guidelines and addressing any technical debts & challenges. Active involvement in designing and reviewing backend services, REST and GraphQL APIs in .NET, as well as React/TypeScript frontend components. Establishing and upholding engineering standards for code quality, maintainability, automated testing, and sustainable development practices. Leading technical discussions and design decisions, while balancing trade-offs in a complex, large-scale system. Advocating for AI-assisted development across the team and supporting engineers in utilizing AI tools effectively. Aligning backend and frontend teams and fostering close collaboration with quality engineers, architects, and product managers. Identifying technical risks, challenging assumptions, and driving continuous improvement.

Negotiation

View details

Tech Lead (C#/.NET - JTL AI Service Desk)

Ho Chi Minh - Viet Nam


Outsource

  • .NET
  • ReactJS
  • Azure

Create and enhance scalable backend services using C# and .NET technologies Guide architectural choices for distributed and service-oriented systems Construct dependable APIs, integrations, and asynchronous processing workflows Work with AI and data teams to incorporate intelligent automation capabilities into the platform Enhance platform reliability, observability, security, and performance Lead technical discussions, code reviews, and engineering best practices Coach engineers and promote technical development across the team Contribute to long-term platform strategy and technical roadmap Collaborate with frontend, DevOps, and product teams to produce high-quality solutions

Negotiation

View details

Tech Lead (Typescript/ Node.js - Pay Team)

Ho Chi Minh - Viet Nam


Outsource

  • NodeJS
  • ReactJS
  • Azure

Provide technical leadership and mentorship for a team of Senior Software Engineers, offering guidance on architectural decisions, code reviews, and best practices Conduct regular 1:1s, performance discussions, goal setting, and support personal development plans for the team Take ownership of team delivery, including sprint planning, backlog refinement, removing blockers, and ensuring reliable execution Act as the primary technical point of contact for the Product Manager and stakeholders Support recruitment efforts by participating in interviews and contributing to building the engineering team Cultivate a culture of quality, security, and continuous improvement within the team Contribute to the development and code ownership of the TypeScript-based Payment API and Hub App (React) Define and evolve the technical architecture, including API design, security model (OAuth2 / JWT), cloud infrastructure (Azure), and data flows Drive the roadmap for test automation, CI/CD pipelines (GitHub Actions), observability, and SLA compliance (24/7 availability) Evaluate and implement AI-assisted development tools to enhance team productivity Ensure PCI DSS compliance and secure-by-design practices across the entire stack Provide hands-on incident response and on-call escalation support.

Negotiation

View details