EY-Cyber Security-Offensive Security-Manager

EY – Cyber Security – Manager – Offensive Security

Job Listing Detail

At EY, you’ll have the chance to build a career as unique as you are, with the global scale, support, inclusive culture, and technology to become the best version of you. We’re counting on your unique voice and perspective to help EY become even better, too. Join us and build an exceptional experience for yourself, and a better working world for all.

The Opportunity

We’re looking for a Manager in our Cyber Security team with a strong focus on Offensive Security, Red Teaming, Cloud‑native VAPT, and DevSecOps security assurance. Exposure to AI, ML, and GenAI security assessments is considered a desirable and good‑to‑have capability, as organizations increasingly adopt AI‑enabled technologies.

As part of our Cyber Technology Consulting practice, you will play a key role in leading and delivering offensive security services to clients across the MENA region. You will work with leading organizations across sectors including Financial Services, Government & Public Sector, Energy, Telecom, Healthcare, and Digital-native enterprises, helping them proactively identify vulnerabilities, simulate advanced adversaries, and strengthen their cyber resilience.

This role offers a unique opportunity to operate at the intersection of deep technical expertise, strategic advisory, and large-scale transformation, while contributing to the growth of our Offensive Security competency.

Your Key Responsibilities

Client Delivery And Engagement Management

• Lead and deliver end-to-end offensive security engagements, including:
• Network and infrastructure penetration testing
• Web and mobile application security testing
• API security assessments (REST, SOAP, GraphQL, microservices)
• Cloud security testing across AWS, Azure, and GCP
• Plan and execute red team / adversary simulation / assumed breach exercises, emulating real-world threat actors to test organizational detection and response capabilities.
• Execute and oversee purple teaming engagements, enabling alignment between offensive findings and defensive improvements (SOC, detection engineering, incident response).

• Conduct and lead cloud offensive security assessments and validate effectiveness of controls across all layers and workloads within AWS, Azure, and GCP, including IAM, network, storage, container, serverless, and DevSecOps pipeline components.
• Assess cloud misconfigurations, identity abuse paths, privilege escalation scenarios, insecure pipeline configurations, exposed secrets, and lateral movement techniques across hybrid and cloud native environments.
• Perform penetration testing and security assessments of cloud native architectures, APIs, microservices, Kubernetes, infrastructure as code, container images, and CI/CD pipelines to identify weaknesses across the secure software delivery lifecycle.

• Assess and validate CSPM / CNAPP controls, identifying configuration gaps, privilege escalation paths, and exposure risks in cloud-native environments.
• Deliver AI/GenAI security assessments, including (Desirable / Good‑to‑Have):
• Prompt injection and adversarial input risks
• Model misuse and abuse scenarios
• Data leakage and insecure integration risks
• AI governance and secure deployment considerations
• Translate technical vulnerabilities into business risk insights, including attack paths, impact analysis, and prioritized remediation strategies.

Stakeholder Engagement And Advisory

• Serve as a trusted advisor to CISOs, CIOs, security leaders, and engineering teams, articulating security risks in a business-relevant and outcome-driven manner.
• Present complex offensive security findings to both technical and executive audiences, tailoring messaging appropriately.
• Support clients in developing offensive security roadmaps, maturity models, and remediation programs aligned to leading practices.

Practice And Capability Development

• Contribute to building the Offensive Security practice, including:
  • Development of methodologies, testing playbooks, and accelerators
  • Creation of reusable assets and frameworks
  • Standardization of delivery approaches and quality benchmarks
• Support go-to-market initiatives, thought leadership, and client pursuits:
  • RFP/RFI responses
  • Solution positioning and capability presentations
  • Market-facing content development (whitepapers, POVs)
• Stay ahead of evolving threat landscape, including:
  • Advanced attacker techniques and exploit trends
  • API and cloud-native attack vectors
  • AI/ML security risks and emerging vulnerabilities

People Leadership And Team Development

• Manage and mentor a team of consultants and senior consultants, fostering:
  • Deep technical capability in offensive security domains
  • High-quality delivery and reporting standards
  • Continuous learning and certification progression
• Provide performance feedback, coaching, and career guidance aligned with firm values.
• Build a collaborative, high-performance culture within the Offensive Security team.

Skills and Attributes for Success

• Strong hands-on expertise in offensive security methodologies, including penetration testing, exploit development, adversary simulation, and attack path analysis.
• Deep understanding of:
  • OWASP Top 10 and API Security Top 10
  • Authentication and authorization mechanisms (OAuth, JWT, SSO, etc.)
  • Business logic vulnerabilities and modern application architectures
• Proven experience in API security testing and microservices environments.
• Strong working knowledge of cloud security risks, including:
  • Misconfigurations, IAM weaknesses, secrets exposure, lateral movement
  • Cloud-native architectures and shared responsibility model
• Familiarity with CSPM, CNAPP, and CIEM concepts and their practical implementation.
• Awareness of AI security risks, including adversarial attack techniques, prompt injection, and model governance concerns.
• Strong analytical and problem-solving ability with attention to detail.
• Ability to convert complex technical findings into clear, risk-based narratives.
• Excellent communication, stakeholder management, and consulting skills.
• Proven ability to manage multiple engagements in parallel with strong quality and delivery discipline.

To Qualify for the Role, You Must Have

• A bachelor’s or master’s degree in cyber security, Information Technology, Computer Science, or related discipline.
• 10–14 years of experience in Cyber Security, with strong focus on Offensive Security and advanced VAPT.
• Strong knowledge of OWASP Top 10, OWASP API Security, SANS Top 25, and MITRE ATT&CK.
• Hands-on experience delivering:
  • VAPT engagements across network, application, API, and cloud layers
  • Red team / adversary simulation exercises
  • Cloud security assessments
  • Proven experience delivering Red Team, Cloud native penetration testing, and DevSecOps security validation engagements across modern engineering environments.
  • Hands on experience testing AWS, Azure, or GCP environments, modern application stacks, CI/CD platforms, containerized workloads, and infrastructure as code implementations.
• Experience working in a consulting or professional services environment, managing clients and engagements.
• Strong reporting, documentation, and presentation skills.
• Proven ability to work in global and cross-cultural environments.
• Willingness and flexibility to travel across the MENA region, as required.
• Relevant certifications such as OSCP, OSEP, OSCE, CRTO, GWAPT, GPEN, or equivalent.

Experience in:

• Advanced red teaming and purple teaming engagements
• API security and cloud offensive security
• AI/LLM application security testing
• DevSecOps and CI/CD pipeline security
• Container and Kubernetes security

Exposure to:

• BAS tools and attack simulation platforms
• EDR/XDR validation and detection engineering
• Regulatory and industry frameworks relevant to MENA

What We Look For

We are looking for individuals who bring:

• A growth mindset and passion for offensive security
• The ability to balance deep technical expertise with business acumen
• Strong client-centricity and relationship-building capability
• A collaborative approach to problem-solving and innovation
• A commitment to quality, integrity, and continuous improvement