We are seeking a hands-on Security Consultant to conduct penetration testing and security assessments across web applications, APIs, internal and external infrastructure, cloud environments, and mobile platforms. The successful candidate will lead or support end-to-end security testing engagements, identify exploitable weaknesses, validate security controls, and provide practical remediation guidance to clients and internal stakeholders.
This role is intended for a consultant who is qualified to support licensed penetration testing work in Singapore and who can deliver high-quality, defensible, and professional security assessment reports.
Key Responsibilities
- Perform penetration testing, vulnerability assessment, and security validation across web, API, network, cloud, and mobile environments.
- Execute manual testing alongside automated tooling to identify, validate, and document vulnerabilities.
- Conduct reconnaissance, threat modelling, attack-path analysis, exploitation, privilege escalation, and post-exploitation where authorised.
- Assess security architecture, configurations, authentication flows, access controls, and segmentation.
- Produce clear technical reports with risk ratings, attack narratives, proof of concept, business impact, and prioritised remediation advice.
- Present findings to technical teams, project stakeholders, and client leadership.
- Support remediation validation and re-testing after fixes are implemented.
- Ensure all testing is conducted ethically, safely, and within approved rules of engagement.
- Maintain testing artefacts, methodologies, and documentation in line with company and regulatory requirements.
- Contribute to internal capability development, playbooks, tooling, and mentoring of junior consultants.
Mandatory Requirements
- Bachelor's degree in Cybersecurity, Computer Science, Information Security, Engineering, or equivalent practical experience.
- 3+ years of hands-on experience in penetration testing, red teaming, adversary simulation, or security assessment.
- Strong experience in at least two of the following:
  - Web application security testing
  - API security testing
  - Network / infrastructure penetration testing
  - Cloud security testing
  - Mobile application security testing
- Solid understanding of common security weaknesses, including OWASP Top 10, authentication and session flaws, insecure configurations, privilege escalation, and lateral movement.
- Strong reporting, communication, and stakeholder management skills.
- Familiarity with tools such as Burp Suite, Nmap, Metasploit, Nessus, BloodHound, Wireshark, ffuf, sqlmap, and relevant scripting languages.
Singapore Regulatory / Compliance Requirement
- Must be able to perform penetration testing engagements in Singapore under a valid Cybersecurity Services Regulation Office (CSRO) penetration testing service licence.
- For independent consultants or freelancers, an individual CSRO licence is required.
- For employees of a penetration testing company, the work must be delivered through a properly licensed business entity providing penetration testing services in Singapore.
Required / Strongly Preferred Certifications
Candidates should hold at least one recognised baseline penetration testing certification, with additional domain certifications preferred.
Baseline preferred certifications
- OSCP (Offensive Security Certified Professional) - strongly preferred
- CREST CRT (CREST Registered Tester) - strongly preferred
These are the baseline certifications specifically named in Singapore Government security testing guidance for penetration testers.
Additional preferred certifications by domain
- Web application testing: OSWE, Burp Suite Certified Practitioner, eWPT, GWAPT, CREST CCT APP
- Network / infrastructure testing: OSEP, GPEN, eCPPT
- Cloud security: cloud security certifications are useful, but for pure penetration testing roles they are treated as complementary to OSCP/CRT rather than as substitutes for them.
- General credibility in the Singapore market: CREST certifications are especially well recognised given CSA's support for the CREST Singapore chapter.
Nice-to-Have
- Experience with red teaming, assumed breach, or purple teaming.
- Experience testing Active Directory, Microsoft 365, Azure, AWS, or GCP environments.
- Familiarity with secure code review and DevSecOps.
- Exposure to regulated sectors such as financial services, government, healthcare, or critical information infrastructure.
- Ability to write scripts or lightweight tooling in Python, PowerShell, Bash, or Go.