
Consultant - Forensics - National - ASU - Forensics - Investigations & Compliance - Gurgaon

Location:  Gurugram
Other locations:  Primary Location Only
Salary: Competitive
Date:  Jan 18, 2026

Job description

Requisition ID:  1676948


As a global leader in assurance, tax, transaction and advisory services, we hire and develop the most passionate people in their field to help build a better working world. This starts with a culture that believes in giving you the training, opportunities and creative freedom. At EY, we don't just focus on who you are now, but who you can become. We believe that it’s your career and ‘It’s yours to build’ which means potential here is limitless and we'll provide you with motivating and fulfilling experiences throughout your career to help you on the path to becoming your best professional self.

The opportunity : Consultant-National-Forensics-ASU - Forensics - Investigations & Compliance - Gurgaon

National :

National comprises sector-agnostic teams working across industries for a well-rounded experience.

ASU - Forensics - Investigations & Compliance :

Successful organizations depend on their reputation for keeping promises, respecting laws and behaving ethically to maintain stakeholder trust. EY Forensic & Integrity Services professionals help organizations protect and restore enterprise and financial reputation. We assist companies and their legal counsel to investigate facts, resolve disputes and manage regulatory challenges. We put integrity at the heart of compliance programs to help better manage ethical and reputational risks. 

Our integrated approach ranges from enhancements in areas of perceived weakness or issues — including governance, controls, culture and data insights — to full organizational design and structural implementation. We want to help companies safeguard and restore financial and brand reputations. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over.


Your key responsibilities

Technical Excellence

 

Offensive Security Testing and Application Security Analyst: Job Role Description

A professional in this role will assist in identifying, exploiting, validating and helping remediate security weaknesses in applications, infrastructure, and cloud environments. The job blends ethical hacking, secure development practices, threat modelling, and vulnerability and penetration testing.

The candidate should be able to:

  • Identify vulnerabilities in applications, networks, mobile apps and databases.
  • Accurately assess real-world exploitability and business impact.
  • Deliver clear, concise, actionable remediation guidance.
  • Build strong relationships with clients.
  • Automate repetitive tasks (integrate scanners, scripts, tooling).
  • Contribute to overall reduction of critical/high vulnerabilities for the client.

1. Core Responsibilities

(a) Offensive Security / Penetration Testing

  • Capable of conducting vulnerability assessments and penetration tests on:
      o Web applications
      o APIs
      o Mobile apps
      o Internal/external networks
      o Cloud platforms
  • Perform vulnerability exploitation to validate risk.
  • Simulate real-world attack techniques (OWASP, MITRE ATT&CK).
  • Develop custom scripts, payloads, or tools as needed.
  • Document proof-of-concept exploits and attack chains.

(b) Application Security (AppSec) Support

  • Perform secure code reviews (manual + automated).
  • Analyze architecture to identify security flaws early in the SDLC.
  • Support development teams in remediating vulnerabilities.
  • Maintain and improve security testing pipelines (SAST, DAST, SCA).
  • Participate in design reviews and threat modeling sessions.

(c) Red Teaming

  • Planning & scoping (including legal boundaries).
  • Knowledge of how modern systems, networks, and applications are architected, including cloud.
  • Should understand common security controls (firewalls, IAM, SIEM, EDR, segmentation, logging).
  • Understanding of common vulnerabilities (e.g., OWASP Top 10—conceptually, not step-by-step exploitation).
  • Mapping attack paths, choke points, and high-value targets.
  • Understanding TTPs (Tactics, Techniques, Procedures) of advanced adversaries—e.g., MITRE ATT&CK knowledge.
  • Good understanding of Windows internals, Linux fundamentals, and authentication workflows (Kerberos, NTLM conceptually).
  • Good understanding of TCP/IP fundamentals, protocols (DNS, HTTP, SMB, RDP), and how traffic moves across enterprise networks (routing, switching, VLANs).

(d) Threat Modeling & Security Assessments

  • Use frameworks like STRIDE, LINDDUN, or attack trees.
  • Identify misuse cases, trust boundaries, and threat vectors.
  • Recommend security controls to mitigate risks.

2. Tools & Technologies Used

The candidate should have sufficient knowledge of:

(a) Offensive Security Tools

  • Burp Suite, OWASP ZAP
  • Nmap, Nessus, OpenVAS
  • Metasploit
  • SQLmap
  • Wireshark
  • Postman / API testing tools

(b) AppSec Tools

  • SAST: SonarQube, Fortify, Checkmarx
  • DAST: Burp Suite Pro, AppScan
  • SCA: Snyk, GitHub Dependabot, BlackDuck
  • Container/Cloud scanning tools (Trivy, Prisma Cloud)

(c) Scripting & Programming

  • Python, Bash, PowerShell, JavaScript
  • Familiarity with common application stacks (Java, .NET, Node.js)

3. Required Skills & Competencies

The candidate should have:

(a) Technical Skills

  • Strong understanding of:
      o Web technologies (HTTP, sessions, authentication)
      o API security (OAuth2, JWT, rate limiting)
      o OWASP Top 10 & OWASP API Top 10
      o Authentication/Authorization patterns
      o Secure cloud architecture (AWS/Azure/GCP)
  • Ability to exploit:
      o XSS, SQLi, IDOR, SSRF, RCE, CSRF
      o Deserialization, logic flaws
      o Permission & role escalation weaknesses
  • Knowledge of DevSecOps pipelines.

(b) Soft Skills

  • Clear communication of vulnerabilities and business impact.
  • Ability to work directly with developers in a collaborative way.
  • Strong analytical and problem-solving skills.
  • Proactive mindset—ability to identify gaps before adversaries do.

4. Experience & Qualifications

  • 2–5 years of experience in security testing, penetration testing, or application security.
  • Bachelor's degree in CS/IT/Cybersecurity (or equivalent experience).
  • Preferred certifications (not mandatory, but highly valued):
      o OSCP (Offensive Security Certified Professional)
      o OSWE/OSWA/OSCE3
      o Burp Suite Certified Practitioner (BSCP)
      o GWAPT (GIAC Web Application Penetration Tester)
      o CPTS (Certified Penetration Testing Specialist)
  • Hands-on penetration testing and Red Teaming experience is more important than certifications.

 


Skills and attributes

To qualify for the role you must have
Qualification

  • Bachelor of Technology in Computer Science

Experience

  • Offensive security testing (Consultant) (3+ Years)


What we look for

People with the ability to work in a collaborative manner to provide services across multiple client departments while following the commercial and legal requirements. You will need a practical approach to solving issues and complex problems with the ability to deliver insightful and practical solutions. We look for people who are agile, curious, mindful, and able to sustain positive energy, while being adaptable and creative in their approach.

What we offer

Fuelled by the brilliance of our people, EY has emerged as the strongest brand and the most attractive employer in our field, with market-leading growth over competitors. Our people work side-by-side with market-leading entrepreneurs, game-changers, disruptors, and visionaries. As an organization, we are investing more time, technology, and money than ever before in skills and learning for our people. At EY, you will have a personalized Career Journey and also the chance to tap into the resources of our career frameworks to better know about your roles, skills, and opportunities.

EY is equally committed to being an inclusive employer, and we strive to achieve the right balance for our people—enabling us to deliver excellent client service while allowing our people to build their careers as well as focus on their wellbeing.

If you can confidently demonstrate that you meet the criteria above, please contact us as soon as possible.

Join us in shaping the future with confidence.