Who Are We
dtcpay is a MAS-licensed payment service provider that bridges traditional finance and digital assets. We enable businesses to accept and make payments in both fiat and digital currencies, delivering secure, efficient, and seamless payment experiences across borders. As we expand globally, we are shaping the future of digital payments.
We are also recognised as one of Singapore's Top 10 Startups in the LinkedIn Top Startups 2025 list, a reflection of our momentum and the exciting journey ahead for our team.
The Red Team Manager leads dtcpay's offensive security capability - a dedicated team of ethical hackers responsible for simulating nation-state and financially motivated threat actors across all dtcpay environments. This role combines deep hands-on technical expertise with strategic leadership, programme governance, and a thorough command of technology-risk and data-privacy regulations across Singapore, Malaysia, the United Kingdom, the European Union, and the broader Asia-Pacific region. The Red Team Manager will work closely with the CISO, Blue Team, GRC, Legal, and Product teams to translate adversarial findings into measurable risk-reduction outcomes.
Work Arrangement: Fully On-site
Location: Cecil Street, Singapore
What You'll Do:
1. Red Team Operations & Programme Leadership
- Design, plan, and execute full-scope red team engagements (network, application, cloud, social engineering, physical) against dtcpay's production and pre-production environments.
- Develop and maintain adversary emulation plans aligned with MITRE ATT&CK, TIBER-EU, and MAS TPRM threat intelligence.
- Lead purple-team exercises with the SOC and Blue Team to validate detection and response controls.
- Manage the end-to-end bug-bounty programme, triaging findings and coordinating remediation SLAs with engineering.
- Maintain the red team infrastructure (C2 frameworks, implants, phishing simulation platforms) to production-safe standards.
2. People & Team Management
- Hire, mentor, and retain a high-performing team of Red Team Operators, Penetration Testers, and Threat Intelligence Analysts.
- Define career paths, training budgets, and certification goals (OSCP, OSED, CRTO, PNPT, GXPN).
- Foster a culture of continuous learning, responsible disclosure, and professional ethics.
- Conduct regular skills assessments and rotate operators across specialisations (web, mobile, OT/IoT, cloud).
3. Technology Risk Management & Governance
- Translate red team findings into structured risk statements aligned with dtcpay's enterprise risk framework (ISO 31000, NIST RMF).
- Interface with the GRC team to update the risk register, contribute to board-level risk dashboards, and evidence remediation for auditors.
- Define and track KPIs / KRIs for offensive security: mean time to detect (MTTD), mean time to respond (MTTR), attack-surface-reduction metrics.
- Participate in third-party and supply-chain risk assessments for critical technology vendors.
- Represent offensive security in change-advisory and architecture review processes.
4. Regulatory Compliance & Privacy Requirements
- Ensure all red team activities are conducted within legal and regulatory boundaries across all operating jurisdictions, including obtaining appropriate written authorisations.
- Advise on security controls required to meet obligations under MAS TRM, PDPA, GDPR, UK GDPR, PDPD, and related frameworks.
- Collaborate with Legal and DPO to ensure personal data encountered during engagements is handled, minimised, and destroyed in compliance with applicable data-protection laws.
- Contribute to regulatory engagement: respond to MAS, ICO, and supervisory authority queries; prepare evidence packs for technology-risk examinations.
- Track regulatory developments and proactively update rules of engagement and red team policies.
5. Reporting & Stakeholder Communication
- Produce executive-level and technical red team reports with clear risk ratings (CVSS, DREAD), business-impact narratives, and prioritised remediation roadmaps.
- Present findings to CISO, CTO, and Risk Committee; tailor communication to both technical and non-technical audiences.
- Maintain a historical findings database to trend residual risk over time and demonstrate programme maturity.
What We're Looking For:
- 8+ years of hands-on offensive security experience with at least 3 years in a team leadership or management capacity.
- Demonstrated expertise in adversary emulation, red team operations, and penetration testing across web applications, cloud (AWS/Azure/GCP), mobile (iOS/Android), APIs, and internal networks.
- Proven experience operating within a regulated financial-services or payment-industry environment.
- Deep working knowledge of MAS TRM Guidelines, UK GDPR / FCA Operational Resilience, GDPR, and DORA.
- Proficiency in red team tooling: Cobalt Strike / Brute Ratel, Sliver, Metasploit, Burp Suite Pro, BloodHound, Impacket, custom tooling development (Python, C#, PowerShell).
- Familiarity with cloud-native attack techniques (IAM abuse, SSRF, container escape, serverless exploitation).
- Exceptional written and verbal communication; ability to present technical risk findings to senior executives and board members.
- Bachelor's degree or higher in Computer Science, Information Security, or equivalent.
Preferred Certifications
- Offensive: OSCP / OSED / OSWE / OSMR, CRTO / CRTE, GXPN, PNPT, CCT INF / CRT
- Governance & Risk: CISSP, CISM, CRISC, CDPSE, CIPP/A or CIPP/E
- Cloud: AWS Security Specialty, Azure Security Engineer, Google PCSE
Preferred Experience
- Experience with TIBER-EU or iCAST (MAS Intelligence-led Cyber Attack Simulation Testing) engagements.
- Prior engagement with regulators (MAS, ICO, BNM, FCA) on technology-risk or security incidents.
- Exposure to blockchain, digital-asset custody, or crypto-payment infrastructure security testing.
- Experience building or scaling red team programmes from the ground up.