Application Security

Security Researcher (Web Application)

Hands-on web application penetration testing with end-to-end ownership of scoping, testing, reporting, and remediation walkthroughs for enterprise customers.

📍 Mumbai / Remote 🗓 Full-time 📊 Mid
web application penetration testing, burp suite, OWASP, API security, manual testing, reporting

Ready to apply?

Send us your CV and a short note on why this role excites you.

Usually responds within 2 business days

About the Role

Security Brigade is hiring a Security Researcher to join our application security practice. You will run hands-on web application penetration tests for enterprise customers across BFSI, fintech, healthcare, and SaaS — backed by our Lemon audit-management platform and reviewed through our L1/L2/L3 senior chain so you grow under structured supervision from day one. You will own the full lifecycle: scoping with the customer, executing the test, documenting findings with proof-of-concept evidence, walking remediation owners through fixes, and revalidating closures. The role is a strong fit for engineers two to four years into application security who want depth — and a direct path to senior research as we scale.

What You'll Do

  • Run web application penetration tests end-to-end on customer applications
  • Apply manual testing techniques alongside Burp / OWASP ZAP / custom tooling — automated scanners are a start, not a finish
  • Document findings with clear proof-of-concept, business impact, and remediation guidance — written for engineering teams to act on
  • Walk customer engineering teams through findings; advise on fixes; revalidate closures
  • Contribute to internal research, methodology updates, and Lemon platform improvements

What We're Looking For

  • 2+ years of hands-on web application penetration testing experience
  • Strong working knowledge of OWASP Top 10 (web) and common business-logic flaw patterns
  • Proficient with Burp Suite (Pro a plus), and comfortable writing custom payloads / extensions where needed
  • Comfortable reading and reasoning about modern application stacks (React / Angular / Vue front-ends; Node / Django / Rails / Spring back-ends; REST + GraphQL APIs)
  • Excellent written English for report-quality output
  • Practical lab experience on Hack The Box, PortSwigger Web Security Academy, or TryHackMe a strong signal

What We Offer

  • Competitive salary aligned to experience
  • Hybrid + remote-friendly
  • Sponsorship for OSCP, OSWE, BSCP, or equivalent certifications
  • Internal lab environment for research time
  • Direct mentorship from L2/L3 senior researchers on every engagement

Quick Facts

Team: Application Security
Location: Mumbai / Remote
Type: Full-time
Level: Mid
Posted: 1 May 2026