As Senior Risk Manager, you will act as the company's in-house adversary. Your mission is to think like a hackerprobing our payment systems, cloud infrastructure, and applications for weaknesses. You will lead penetration testing, red team exercises, and vulnerability validation, providing an independent assessment of our security posture. While the Head of Security builds and operates defenses, you will challenge those defenses through hands-on testing and risk validation. You will work closely with engineering, security, and IT Governance teams.
What you'll do:
- Offensive Security & Penetration Testing
- Lead and personally execute end-to-end penetration tests across web applications, APIs, mobile apps, cloud environments (AWS/GCP), and internal networks.
- Conduct red team exercises simulating real-world attackers, including adversarial tactics, techniques, and procedures (TTPs).
- Perform social engineering assessments (phishing simulations, physical security testing) as part of the overall risk validation program.
- Identify exploit chains that combine multiple vulnerabilities to demonstrate business impact.
- Vulnerability Management & Risk Validation
- Owning the vulnerability management program from a second-line perspectivevalidating findings from automated scans, external reports, and bug bounty programs.
- Conduct manual verification of critical vulnerabilities to eliminate false positives and assess exploitability.
- Prioritize vulnerabilities based on business impact, exploitability, and real-world threat intelligence.
- Track remediation progress and challenge engineering teams on closure quality.
- Security Architecture Review (Offensive Lens)
- Review security architecture for new products, payment integrations, and infrastructure changes from an attacker's perspective.
- Perform threat modeling to identify potential attack vectors before code is written.
- Assess API security, authentication mechanisms, and cloud configurations for misconfigurations that could lead to breaches.
- Red Team & Purple Team Collaboration
- Lead purple team exercises where you collaborate with the Head of Security's team to test detection and response capabilities.
- Provide actionable feedback to improve security monitoring, alerting, and incident response.
- Develop and maintain attack playbooks to simulate advanced persistent threat (APT) scenarios.
- Regulatory & Compliance Support (Technical)
- Ensure penetration testing and vulnerability management programs meet MAS Technology Risk Management (TRM) and PCI-DSS requirements.
- Prepare technical risk reports for the Board, Audit & Risk Committee, and regulators, translating exploit scenarios into business risk language.
- Provide technical evidence for audits and regulatory submissions related to security testing.
- Threat Intelligence & Adversary Emulation
- Stay current on emerging attack techniques, zero-day vulnerabilities, and fintech-specific threats.
- Incorporate threat intelligence into testing scenarios to ensure relevance to the payment industry.
What we're looking for:
- 8+ years in information security, with at least 5 years of hands-on penetration testing and offensive security experience.
- Proven track record of leading penetration testing engagements in financial services, fintech, or payments.
- Deep experience with web applications, API, cloud, and mobile application testing.
- Proven experience in fintech, payments, or financial services, ideally within an MAS-licensed environment.
- Proficiency with penetration testing tools: Burp Suite, Metasploit, Cobalt Strike, Nmap, BloodHound, Kali Linux, etc.
- Ability to translate technical findings into business risk for senior leadership and the Board.
- Excellent written communication for producing high-quality penetration test reports and risk memos.
- Deep expertise in MAS TRM, PCI-DSS, and cloud security (AWS/GCP).
- Experience managing security operations, incident response, and threat defense in production environments.
