Deloitte Global

At Deloitte, you will make a real impact by working on diverse projects and collaborating with experts to deliver innovative solutions. As an Offensive Security Senior Engineer, you will focus on adversary emulation and red teaming to simulate advanced persistent threats (APTs) and cyberattacks. Using frameworks like MITRE ATT&CK, you will test the resilience of our security controls and incident response capabilities. Additionally, you will conduct penetration testing on web applications, mobile apps, APIs, and networks, using scripting, defense evasion techniques, and code review to identify and exploit vulnerabilities.

Your role might include all the following:

Red Teaming and Penetration Testing

• Lead red team engagements to emulate the TTPs of advanced adversaries, using frameworks like MITRE ATT&CK and Caldera to simulate real-world attack scenarios.
• Design and execute complex attack chains, including initial access, privilege escalation, lateral movement, data exfiltration, and persistence, to test the effectiveness of security controls.
• Simulate sophisticated threats such as nation-state actors, ransomware groups, and insider threats to identify gaps in detection and response processes.
• Conduct penetration testing across web applications, networks, cloud environments, and internal systems to identify vulnerabilities and validate red team findings.
• Test for vulnerabilities in web applications (e.g., SQL injection, XSS, CSRF, IDOR, OWASP Top 10), mobile apps (iOS and Android), and APIs (REST, GraphQL, SOAP).
• Use tools like Burp Suite, OWASP ZAP, Frida, and MobSF to identify and exploit vulnerabilities in diverse attack surfaces.

Web Application Security

• Conduct in-depth penetration testing of web applications to identify vulnerabilities such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references (IDOR), and other OWASP Top 10 issues.
• Test for business logic flaws, session management issues, and authentication/authorization vulnerabilities in web applications.
• Use tools like Burp Suite, OWASP ZAP, and manual techniques to identify and exploit web application vulnerabilities.

Scripting and Automation

• Write and maintain custom scripts (e.g., in Python, PowerShell, Bash, or JavaScript) to automate attack techniques, payloads, and reconnaissance processes for web, mobile, and API testing.
• Build tools to streamline pentesting workflows, such as automated vulnerability scanning, exploitation, and post-exploitation activities.
• Create scripts to bypass web application firewalls (WAFs), evade detection, and test the resilience of blue team defenses.

• Research and implement advanced defense evasion techniques to bypass endpoint detection and response (EDR), antivirus, WAFs, and other security solutions.
• Develop obfuscation methods for payloads and exploits to avoid detection by SIEM, IDS/IPS, and other monitoring tools.
• Stay updated on the latest evasion techniques and adapt strategies to simulate sophisticated adversaries targeting web applications and other systems.

Code Review & Secure Development:

• Perform thorough code reviews to identify vulnerabilities in web applications, APIs, and mobile apps, focusing on languages such as Java, JavaScript, Python, PHP, or C#.
• Identify insecure coding practices, such as improper input validation, lack of output encoding, and insecure API integrations.
• Collaborate with development teams to provide actionable recommendations for secure coding practices and remediation of identified vulnerabilities.

Mobile and API Security

• Perform penetration testing on mobile applications (iOS and Android) to identify vulnerabilities such as insecure storage, improper session handling, and weak authentication mechanisms.
• Assess API security (REST, GraphQL, SOAP) for issues like broken authentication, excessive data exposure, and lack of rate limiting.
• Use tools like Burp Suite, Frida, and MobSF to analyze mobile and API attack surfaces and develop exploits for identified vulnerabilities.