Vulnerability Analyst / Penetration Tester

IFZA Dubai

Dubai

On-site

AED 120,000 - 200,000

Full time


Job summary

A leading technology firm in Dubai is looking for a skilled cybersecurity professional to manage the vulnerability lifecycle and govern penetration testing efforts. The ideal candidate has over 5 years of experience in vulnerability management, strong skills in relevant tools, and the ability to communicate effectively with stakeholders. Competitive benefits include annual leave, flight home, and medical insurance.

Benefits

24 working days of annual leave
Annual flight home
Life insurance plan
Medical insurance plan
Bonus scheme
Exclusive Fazaa discounts

Qualifications

  • 5+ years in Vulnerability Management and Penetration Testing across enterprise environments.
  • Admin-level hands-on with vulnerability management tools.
  • Proficiency with scripting for workflow automation.

Responsibilities

  • Own the end-to-end vulnerability management lifecycle.
  • Coordinate remediation with IT / GRC.
  • Govern penetration testing and continuously reduce attack surfaces.

Skills

Vulnerability Management
Penetration Testing
Risk Assessment
Scripting

Tools

ManageEngine
Tenable
Qualys
Burp Suite

Job description
Purpose

Own the end-to-end vulnerability management lifecycle across infrastructure, endpoints, and cloud. Coordinate remediation with IT / GRC, govern penetration testing (internal and third-party), and continuously reduce exploitable attack surface without disrupting delivery.

Responsibilities
1) Vulnerability Management Lifecycle
  • Discovery & Coverage : Maintain a complete, tagged asset inventory (servers, endpoints, network devices, cloud workloads, containers / k8s, SaaS). Ensure authenticated scans wherever feasible.
  • Scanning & Tuning : Operate and tune vuln tooling (ManageEngine / Tenable / Qualys or similar). Integrate credential vaults, schedule scans by asset criticality, minimize scan impact on production.
  • Risk-Based Prioritization : Triage with CVSS v3.1 + EPSS + KEV + exploit availability, internet exposure, and asset criticality. Escalate rapidly for external-facing criticals.
  • Remediation & Change : Raise / track tickets in ITSM, align with patch / change windows, provide compensating controls when patching is not immediately possible.
  • Validation & Retest : Re-scan and perform targeted verification (safe exploit / POC where appropriate). Close findings only on evidence-backed remediation.
  • Exceptions & GRC : Document time-bound risk acceptances with business owners, map controls to NIST / CIS / ISO 27001 and relevant local regs, keep the exception register current.
  • Reporting & Dashboards : Weekly ops reports, monthly exec dashboards (exposure by BU / technology, SLA compliance, trends, risk burndown, top KEV exposure).
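The risk-based prioritization bullet above (CVSS v3.1 + EPSS + KEV + exploit availability + internet exposure + asset criticality) is the kind of workflow the scripting requirement is meant to automate. The script below is an added illustration written for this page, not tooling from IFZA or from any of the named vendors: the weights, score bands, SLA days and the two escalation rules are assumptions, and the CVE identifiers, the KEV excerpt and the findings are constructed samples standing in for a scanner export and the CISA KEV catalogue.

```python
"""Risk-based vulnerability triage combining CVSS v3.1, EPSS, KEV membership,
exploit availability, internet exposure and asset criticality into a priority
tier and remediation due date. Added illustration: weights, bands and SLAs are
assumed policy values; CVE ids and the KEV excerpt are constructed samples."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for the CISA KEV catalogue (hypothetical CVE ids).
KEV = {"CVE-2024-0001", "CVE-2023-0002"}

# Remediation SLA in days per priority tier (assumed policy values).
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float             # CVSS v3.1 base score, 0.0-10.0
    epss: float             # EPSS probability of exploitation in 30 days, 0.0-1.0
    internet_facing: bool
    asset_criticality: int  # 1 (low) .. 4 (crown jewel), from the tagged inventory
    exploit_public: bool    # working PoC / exploit module known
    first_seen: date


def likelihood(f: Finding) -> float:
    """Exploit likelihood: EPSS, floored when the CVE is in KEV (actively
    exploited) or a public exploit exists. Floor values are assumptions."""
    floors = [f.epss]
    if f.cve in KEV:
        floors.append(0.9)
    if f.exploit_public:
        floors.append(0.6)
    return max(floors)


def priority_score(f: Finding) -> float:
    """0-100 score: impact (CVSS) scaled by likelihood, exposure and criticality.
    Zero likelihood still keeps 30% of the impact so unexploited criticals are
    not hidden entirely."""
    impact = f.cvss / 10.0
    exposure = 1.0 if f.internet_facing else 0.5
    crit = 0.5 + 0.5 * (f.asset_criticality / 4.0)
    return 100.0 * impact * (0.3 + 0.7 * likelihood(f)) * exposure * crit


def tier(f: Finding) -> str:
    """Score bands plus two hard rules: external-facing criticals go to P1 and
    any KEV hit is at least P2, regardless of the weighted score."""
    s = priority_score(f)
    if f.internet_facing and (f.cve in KEV or f.cvss >= 9.0):
        return "P1"
    if f.cve in KEV:
        return "P1" if s >= 60 else "P2"
    if s >= 60:
        return "P1"
    if s >= 35:
        return "P2"
    if s >= 15:
        return "P3"
    return "P4"


def triage(findings):
    """Rank findings by score and attach tier and SLA-derived due date."""
    rows = []
    for f in findings:
        t = tier(f)
        rows.append({
            "asset": f.asset, "cve": f.cve,
            "score": round(priority_score(f), 1), "tier": t,
            "due": f.first_seen + timedelta(days=SLA_DAYS[t]),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample of a normalised scanner export.
SEEN = date(2024, 6, 1)
SAMPLE = [
    Finding("web-edge-01", "CVE-2024-0001", 9.8, 0.92, True, 4, True, SEEN),
    Finding("hr-db-02",    "CVE-2023-0002", 7.5, 0.40, False, 3, False, SEEN),
    Finding("dev-vm-07",   "CVE-2022-1111", 9.1, 0.02, False, 1, False, SEEN),
    Finding("vpn-gw-01",   "CVE-2023-3333", 6.5, 0.15, True, 3, True, SEEN),
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["tier"]} {r["score"]:5.1f} {r["asset"]:12} {r["cve"]} due {r["due"]}')
```

Note what the ranking does with the constructed sample: the CVSS 9.1 finding on a low-criticality internal dev VM with negligible EPSS drops to P4, while the CVSS 6.5 finding with a public exploit on an internet-facing VPN gateway lands in P2 ahead of it, which is the point of layering EPSS, exposure and criticality over the base score rather than sorting by CVSS alone.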
2) Attack Surface Management (ASM)
  • Own external perimeter monitoring (DNS, certificates, open ports, cloud object exposure, shadow IT). Drive takedown / closure of risky services and stale assets. Track “time-to-close” for external criticals.
3) Penetration Testing (Governance & Execution)
  • Plan & Scope : Build the annual PT calendar (external, internal, cloud, wireless, AD, selected apps) with clear Rules of Engagement, success criteria, data handling, and rollback plans. Choose the testing modality by risk and objective : black-box, gray-box, or white-box.
  • Execute / Coordinate : Perform targeted tests in-house and manage third-party engagements. Ensure evidence, reproducibility, and clear remediation guidance.
  • Standards & Methods : Apply NIST SP 800-115, PTES, OWASP Testing Guide / ASVS (with AppSec), and map to MITRE ATT&CK for detection-engineering feedback.
  • Enterprise Network & Firewall-Aware Testing : Evaluate controls across NGFW / WAF / IDS / IPS, VPNs, segmentation (VLAN / VRF), egress filtering, DNS / security filtering, NAT, and cloud security groups / NACLs. Validate rulebase hygiene (shadowed rules, any-any, unused / overly permissive objects), attack surface exposure, and bypass paths, and provide concrete policy / hardening recommendations.
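The rulebase hygiene checks named in the firewall-aware testing bullet (shadowed rules, any-any, overly permissive objects) can be run statically against a normalised policy export before any packets are sent. The checker below is an added example written for this page, not IFZA's or any vendor's code: the rule format is a constructed, vendor-neutral normalisation (IPv4 CIDR, protocol, destination port range, action), the "overly permissive" threshold is an assumption, and the six sample rules are made up.

```python
"""Static firewall rulebase hygiene: any-any rules, overly permissive allow
rules, and shadowed rules (a later rule whose whole match space is already
consumed by an earlier rule, so it can never fire). Added illustration; the
rule format is a constructed normalised export, not a vendor's native syntax,
and IPv4 only is assumed."""
import ipaddress
from dataclasses import dataclass

ANY_NET = "0.0.0.0/0"
ANY_PORTS = (0, 65535)
PERMISSIVE_PORT_SPAN = 1024   # assumed threshold for "overly permissive"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # IPv4 CIDR
    dst: str       # IPv4 CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # (low, high) destination port range, inclusive
    action: str    # "allow" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`
    (protocol, destination port range, source and destination networks)."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not (outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]):
        return False
    src_in, src_out = ipaddress.ip_network(inner.src), ipaddress.ip_network(outer.src)
    dst_in, dst_out = ipaddress.ip_network(inner.dst), ipaddress.ip_network(outer.dst)
    return src_in.subnet_of(src_out) and dst_in.subnet_of(dst_out)


def shadowed(rules):
    """(rule, shadowing rule) pairs, in rulebase order. First-match semantics:
    a rule is dead if any earlier rule fully covers it, whatever the actions."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found


def any_any(rules):
    """Allow rules that match all sources, destinations, protocols and ports."""
    return [r.name for r in rules
            if r.action == "allow" and r.src == ANY_NET and r.dst == ANY_NET
            and r.proto == "any" and r.ports == ANY_PORTS]


def overly_permissive(rules):
    """Allow rules with an any source, an any destination, or a port range
    wider than PERMISSIVE_PORT_SPAN (threshold assumed)."""
    return [r.name for r in rules
            if r.action == "allow" and (
                r.src == ANY_NET or r.dst == ANY_NET
                or r.ports[1] - r.ports[0] + 1 > PERMISSIVE_PORT_SPAN)]


# Constructed sample rulebase (first-match order).
SAMPLE_RULES = [
    Rule("R1", "10.0.0.0/8",     "10.10.5.0/24",  "tcp", (443, 443), "allow"),
    Rule("R2", "10.0.0.0/8",     "10.10.0.0/16",  "tcp", (1, 65535), "allow"),
    Rule("R3", "10.20.0.0/16",   "10.10.5.10/32", "tcp", (443, 443), "allow"),
    Rule("R4", "0.0.0.0/0",      "10.10.0.0/16",  "tcp", (22, 22),   "deny"),
    Rule("R5", "0.0.0.0/0",      "0.0.0.0/0",     "any", (0, 65535), "allow"),
    Rule("R6", "192.168.1.0/24", "10.10.7.0/24",  "udp", (53, 53),   "allow"),
]

if __name__ == "__main__":
    print("shadowed:", shadowed(SAMPLE_RULES))
    print("any-any:", any_any(SAMPLE_RULES))
    print("overly permissive:", overly_permissive(SAMPLE_RULES))
```

On the constructed rulebase, R3 is dead because R1 already allows the same traffic, and R6 is dead because the any-any rule R5 precedes it; R4's SSH deny is not shadowed but is largely undercut by R2, which already allows every TCP port from 10.0.0.0/8 into 10.10.0.0/16. That partial-overlap case is what an actual engagement would confirm with traffic rather than statically.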
4) Cloud, Container & Modern Stack Coverage
  • Assess cloud (PaaS and SaaS Applications) configurations against CIS Benchmarks and native CSPM findings, integrate container / IaC scanning for infra drift, coordinate with DevSecOps for pipeline gates.
5) SOC / Detection Integration
  • Enrich SIEM / XDR with vulnerability context for risk-weighted alerting. Partner with SOC to validate exploitability and to prioritize hardening based on active threats.
Requirements
  • Experience : 5+ years in Vulnerability Management and Penetration Testing across enterprise environments (on-prem + cloud).
  • Tooling : Admin-level hands-on with ManageEngine / Tenable / Qualys / SentinelOne (or similar), familiarity with EASM tools, practical use of EPSS, CISA KEV, SBOM / CVE workflows.
  • Testing : Proficiency with common PT tooling (e.g., Burp Suite, Nmap, Responder, BloodHound, Impacket, Kali), safe exploitation, and evidence capture.
  • Platforms : Strong Windows / Linux, AD, network fundamentals, cloud security (Azure / AWS / GCP), containers / k8s basics.
  • Scripting / Automation : Python, PowerShell, or Bash for data wrangling and workflow automation.
  • Frameworks : Working knowledge of NIST CSF / ISO 27001 / CIS Controls, OWASP Top 10, MITRE ATT&CK mapping.
  • Soft Skills : Clear written reporting for exec and technical audiences, stakeholder management, ability to negotiate patch windows and drive closure.
Benefits
  As an employee of IFZA, you can expect :
  • 24 working days as annual leave
  • Annual flight home
  • Life insurance plan
  • Medical insurance plan (with the option to upgrade at your own cost)
  • Bonus scheme (in relevant departments)
  • Access to exclusive Fazaa discounts (applicable in participating retail stores, food & beverage outlets, fitness clubs, cinemas, theme parks, clinics, and more)