The Offensive Security Expert is responsible for proactively identifying, validating, and reporting security vulnerabilities across the organization's web applications, mobile applications, APIs, cloud environments, and enterprise systems. The role involves conducting comprehensive penetration testing, vulnerability assessments, adversary simulations, and security configuration reviews to assess the effectiveness of security controls and identify potential attack vectors.
The ideal candidate should possess strong hands-on experience in offensive security, a deep understanding of modern attack techniques and defensive controls, and experience working within a banking or other highly regulated environment. They should be capable of independently executing end-to-end security assessments while effectively communicating technical risks and remediation recommendations to both technical and business stakeholders.
Offensive Security Assessments
• Conduct comprehensive penetration testing of mobile applications (Android/iOS), web applications, APIs, internal and external infrastructure, wireless networks, cloud environments, and enterprise applications.
• Perform authenticated and unauthenticated security assessments using both automated and manual testing techniques.
• Execute black-box, grey-box, and white-box security assessments.
• Validate vulnerabilities identified through automated vulnerability scanners and eliminate false positives.
Red Team & Adversary Simulation
• Execute controlled attack simulations to assess the organization's detection and response capabilities.
• Simulate adversary tactics, techniques, and procedures (TTPs) based on industry frameworks such as MITRE ATT&CK.
• Conduct credential attacks, privilege escalation, lateral movement, and post-exploitation activities within approved scopes.
• Assist in purple team exercises by collaborating with SOC and Blue Team personnel.
Web & Mobile Security
• Assess applications against the OWASP Top 10, OWASP API Security Top 10, and OWASP Mobile Top 10.
• Perform source-assisted security testing where applicable.
• Identify authentication, authorization, session management, business logic, and API security weaknesses.
• Assess mobile application security, including reverse engineering, static and dynamic analysis, SSL pinning bypass, and runtime protection validation.
Infrastructure & Network Security
• Perform internal and external infrastructure penetration testing.
• Assess Active Directory environments for common attack paths and privilege escalation opportunities.
• Perform cloud security assessments for Azure, AWS, and GCP environments where applicable.
Vulnerability Validation & Security Assurance
• Verify remediation of security findings through re-testing.
• Conduct secure architecture reviews and provide remediation recommendations.
• Validate the effectiveness of implemented security controls.
Reporting & Documentation
• Prepare detailed technical penetration testing reports with clear proof-of-concepts, risk ratings, and remediation guidance.
• Present findings to technical teams and management.
• Maintain testing methodologies, playbooks, and reusable testing scripts.
Security Research
• Stay updated on emerging threats, attack techniques, CVEs, and exploitation methodologies.
• Develop proof-of-concepts for newly disclosed vulnerabilities where applicable.
• Contribute to offensive security automation and custom tooling.
Collaboration
• Work closely with application development, DevOps, infrastructure, network, and security operations teams.
• Provide technical guidance on secure coding practices and remediation strategies.
• Support compliance initiatives requiring penetration testing and security validation.
• Support internal and external security audits, regulatory assessments, and compliance reviews by providing technical expertise, evidence, vulnerability validation, remediation support, and timely closure of audit observations.
Additional Responsibilities
• Additional Responsibilities: Perform other duties within the scope of work as instructed by the direct manager.
Job Requirements:
• Bachelor's degree in Computer Science, Information Security, Cyber Security, or a related discipline.
• 2–5 years of hands-on experience in offensive security, penetration testing, or ethical hacking.
• Prior experience in the banking or financial services sector is required, with a strong understanding of applicable regulatory and industry security frameworks
Mobilink Microfinance Bank Ltd. is providing banking services to over 48 million registered users including 20+ million monthly active customers across Pakistan. With a hybrid model that combines traditional microfinance with mobile/digital banking technologies, the bank now operates with over 114 branches and 270,000 branchless banking agents and provides a USSD (GSM) based digital channel offering savings, micro enterprise (MSME) loans, small housing loans, remittances, collection (utility bills and loan installments), mobile wallets, insurance, G2P, B2B & B2P payments; thus, playing a leading role in the promotion of financial inclusion.
MMBL is committed to fostering a positive and productive workplace, and our core values reflect this focus. These values include promoting innovation and entrepreneurship, encouraging teamwork and collaboration, and prioritizing a customer-centric approach in all aspects of our business.
Why Join MMBL ?
This is an opportunity for someone who is passionate about making a difference and playing a key role in driving transformative change. Our team is committed to empowering millions with the tools necessary to succeed in the digital age, and we're looking for a talented individual to join us in this endeavor.