Nationality
Any Nationality
Gender
Not Mentioned
Vacancy
1 Vacancy
Job Description
Roles & Responsibilities
Position Summary
Location
Egypt Delivery Center
Deloitte Innovation Hub | Cyber Security | Offensive Security Senior Engineer, Cairo, Egypt.
Connect to your opportunity.
At Deloitte, you will make a real impact by working on diverse projects and collaborating with experts to deliver innovative solutions. As an Offensive Security Senior Engineer, you will focus on adversary emulation and red teaming to simulate advanced persistent threats (APTs) and cyberattacks. Using frameworks like MITRE ATT&CK, you will test the resilience of our security controls and incident response capabilities. Additionally, you will conduct penetration testing on web applications, mobile apps, APIs, and networks, using scripting, defense evasion techniques, and code review to identify and exploit vulnerabilities.
Your role might include all the following:
Red Teaming and Penetration Testing
• Lead red team engagements to emulate the TTPs of advanced adversaries, using frameworks like MITRE ATT&CK and Caldera to simulate real-world attack scenarios.
• Design and execute complex attack chains, including initial access, privilege escalation, lateral movement, data exfiltration, and persistence, to test the effectiveness of security controls.
• Simulate sophisticated threats such as nation-state actors, ransomware groups, and insider threats to identify gaps in detection and response processes.
• Conduct penetration testing across web applications, networks, cloud environments, and internal systems to identify vulnerabilities and validate red team findings.
• Test for vulnerabilities in web applications (e.g., SQL injection, XSS, CSRF, IDOR, OWASP Top 10), mobile apps (iOS and Android), and APIs (REST, GraphQL, SOAP).
• Use tools like Burp Suite, OWASP ZAP, Frida, and MobSF to identify and exploit vulnerabilities in diverse attack surfaces.
Web Application Security
• Conduct in-depth penetration testing of web applications to identify vulnerabilities such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references (IDOR), and other OWASP Top 10 issues.
• Test for business logic flaws, session management issues, and authentication/authorization vulnerabilities in web applications.
• Use tools like Burp Suite, OWASP ZAP, and manual techniques to identify and exploit web application vulnerabilities.
Scripting and Automation
• Write and maintain custom scripts (e.g., in Python, PowerShell, Bash, or JavaScript) to automate attack techniques, payloads, and reconnaissance processes for web, mobile, and API testing.
• Build tools to streamline pentesting workflows, such as automated vulnerability scanning, exploitation, and post-exploitation activities.
• Create scripts to bypass web application firewalls (WAFs), evade detection, and test the resilience of blue team defenses.
Defense Evasion Techniques
• Research and implement advanced defense evasion techniques to bypass endpoint detection and response (EDR), antivirus, WAFs, and other security solutions.
• Develop obfuscation methods for payloads and exploits to avoid detection by SIEM, IDS/IPS, and other monitoring tools.
• Stay updated on the latest evasion techniques and adapt strategies to simulate sophisticated adversaries targeting web applications and other systems.
Code Review & Secure Development
• Perform thorough code reviews to identify vulnerabilities in web applications, APIs, and mobile apps, focusing on languages such as Java, JavaScript, Python, PHP, or C#.
• Identify insecure coding practices, such as improper input validation, lack of output encoding, and insecure API integrations.
• Collaborate with development teams to provide actionable recommendations for secure coding practices and remediation of identified vulnerabilities.
Mobile and API Security
• Perform penetration testing on mobile applications (iOS and Android) to identify vulnerabilities such as insecure storage, improper session handling, and weak authentication mechanisms.
• Assess API security (REST, GraphQL, SOAP) for issues like broken authentication, excessive data exposure, and lack of rate limiting.
• Use tools like Burp Suite, Frida, and MobSF to analyze mobile and API attack surfaces and develop exploits for identified vulnerabilities.
Connect to your skills and professional experience
• Bachelor's degree in cybersecurity, information technology, computer science, or a relevant field.
• Minimum 3+ years of hands-on experience in penetration testing, red teaming, or related offensive security roles.
• Analytical capabilities, critical thinking, and problem-solving mindset (ability to analyze complex data and information to identify key insights and trends).
• Proficient in English speaking and writing.
• Flexibility for travel and working hours.
• Strong proficiency in web application pentesting tools such as Burp Suite, OWASP ZAP, and manual testing techniques.
• Proficiency in scripting languages such as Python, PowerShell, Bash, or JavaScript for automation and tool development.
• Deep understanding of defense evasion techniques, including bypassing WAFs, EDR, and AV solutions.
• Expertise in code review for identifying vulnerabilities in web applications, APIs, and mobile apps.
• Strong knowledge of mobile security testing tools (e.g., Frida, MobSF, Drozer) and API testing tools (e.g., Postman, Burp Suite).
• Familiarity with common pentesting tools like Metasploit, Nmap, Cobalt Strike, BloodHound, and Kali Linux.
• Understanding of cloud environments (AWS, Azure, GCP) and their associated attack vectors.
The following attributes are also preferable:
• Relevant certifications such as OSCP, OSWE, OSEP, CRTO, CRTP, GWAPT, GXPN, or equivalent are a plus.
• Active participation in CTF competitions with demonstrated achievements.
• Experience with penetration testing of AI systems and Large Language Models (LLMs), including testing for vulnerabilities like prompt injection, data poisoning, model inversion, or adversarial attacks.
• Experience with adversary emulation frameworks like MITRE ATT&CK or Caldera.
• Knowledge of secure software development lifecycle (SDLC) and DevSecOps practices.
• Contributions to the security community through blogs, tools, or conference talks.
• Familiarity with container security (Docker, Kubernetes) and serverless architectures.
Company Industry
- Accounting & Auditing
Department / Functional Area
- IT Software
Keywords
- Offensive Security Senior Engineer