Sr. Information Security Consultant

Position:
Sr. Information Security Consultant

Location:
Navi
Mumbai, India

Experience:
Minimum of 4 to 5 years (relevant to the position and job responsibility)

Company Profile:

Tinycrows Private Limited is a budding cybersecurity firm working with BFSI, fintech, and technology-driven enterprises dedicated to helping these businesses protect their digital assets and mitigate risks. At Tinycrows, we follow a 'shift left' cybersecurity approach to fortify the security of products. Our team of trusted professionals, with experience from top consulting firms like Microsoft and Deloitte, design robust security solutions for various industries. We have a proven track record of implementing cybersecurity best practices for startups and large organizations, ensuring digital assets remain secure in today's threat landscape.

Role Description

Tinycrows has designed this role for a highly motivated and technically adept individual with strong expertise in 
Web
 and 
Mobile (iOS/Android) Application Penetration Testing
. This role requires analysing, designing and implementing robust security to help the stakeholders maintain and strengthen their security posture. An ideal fit for this position is an individual who is passionate about offensive security, with a hands-on approach to identifying vulnerabilities, supporting secure development, and contributing to scalable AppSec initiatives. Exposure to 
Red Team operations
, 
Active Directory attack paths
, and
cloud environments
is a strong plus. The Consultant will work closely with clients to ensure the security of their digital assets.

Key Responsibilities

• Execute in-depth security assessments and 
  Manual penetration testing
   of web and mobile applications.
• Perform 
  secure code reviews
   to identify flaws across various tech stacks (e.g., JavaScript, Java/Kotlin, Swift, Python).
• Contribute to the 
  automation and enhancement of internal testing frameworks
  , reporting tools, and reusable AppSec methodologies.
• Leverage tools such as Burp Suite Pro, nmap, slmap, MobSF, Frida, Objection, Jadx, APKTool, and others as part of testing workflows.
• Collaborate cross-functionally with developers, DevOps, and product teams to embed security across the SDLC.
• Support and guidance to CISO, CIO and Product Team functions providing security reviews for prospective products and services.
• Transfer of residual risks to the business/customer as required by the Client's risk management framework.
• Collaboration with stakeholder and IT teams to support incident response and investigations using their knowledge of the technology systems sharing security insights.
• Seek out, build and maintain trusting relationships and partnerships with internal and external stakeholders in order to accomplish key business objectives, using influencing and negotiating skills to achieve outcomes.
• Support 
  Red Teaming engagements
  , including reconnaissance, initial access, and 
  Active Directory exploitation techniques
   (e.g., Kerberoasting, ACL abuse, lateral movement).
• Deliver detailed technical findings and clear, actionable remediation guidance to both technical and non-technical stakeholders.

Key Skills

• Practical experience in web and mobile application security testing, including real-world vulnerability exploitation and security implementation.
• Strong proficiency with offensive security tools such as Burp Suite Pro, nmap, sqlmap, MobSF, Frida, Objection, etc.
• Understanding of common vulnerabilities and standards (e.g., OWASP Top 10, CWE, MITRE ATT&CK).
• Basic experience with cloud security reviews, particularly for AWS, Azure, or GCP-hosted environments.
• Familiarity with secure development practices, modern CI/CD pipelines, and DevSecOps integration.
• Excellent verbal and written communication skills, with the ability to clearly explain technical findings to diverse audiences.
• Comfortable working independently in a fast-paced, highly technical environment.
• Excellent written and verbal communication skills along with the ability to work independently and remotely
• Current with the evolving threat landscape, emerging tools, and industry best practices in application security.

Preferred Qualifications

• Formal Cyber Security qualification e.g. Degree/Masters or a well-recognized certification.
• Exposure to 
  Red Teaming techniques
  , 
  Active Directory attack paths
  , and post-exploitation tooling (e.g., BloodHound, Rubeus, SharpHound).
• Experience developing custom scripts or automation tooling using 
  Python
  , 
  Bash
  , or 
  PowerShell
  .
• Familiarity with SAST/DAST tools and API security testing methodologies.

Preferred Certifications

• Industry certifications such as 
  OSCP
  , 
  OSEP
  , 
  CRTP, eMAPT
   are a strong plus

Perks of Joining Tinycrows

If you value growth, ownership, and learning over just stability and routine, a start-up can be the perfect place for you because at Tinycrows, we deal with real problems, fast pivots, and innovation — you learn by doing, not just following manuals and your work directly shapes the company's success and culture — you're not "just a cog in the wheel". You get exposure to latest technologies, regulatory frameworks, and client-facing challenges. You get more autonomy, creativity, and ownership of projects, apart for this you also get:

• Opportunity to be part of the core founding team and contribute to building security from the ground up.
• Close collaboration with founders and key stakeholders (CISOs, CTOs, engineering leaders) ensuring your work directly influences strategic decisions.
• Fast-paced, agile environment where innovation and curiosity are encouraged.
• End-to-end ownership of security assessments, tooling, and strategy.
• Steep learning curve with exposure to a wide variety of technologies and attack surfaces. Great opportunities to expand your role and accelerate your career path.
• Collaborative team culture with support for skill-building and certifications.

This role requires the individual to work at the client's site. Therefore, working days, hours and holidays will be defined by the client.