About the Team
We're building the next generation of digital banking infrastructure that combines enterprise-grade reliability with startup agility.
Our Cyber Security team is the backbone of our technology organisation, ensuring that innovation and trust go hand in hand as we scale Malaysia's first AI-powered digital bank.
You'll collaborate with some of the sharpest minds in the industry, operating in a supportive and dynamic environment that fosters creativity, exploration, and innovation.
Your next thrilling adventure starts here. Be part of shaping the future of digital banking today!
About the Role
VAPT Engineers sit within the 2nd-line CISO organisation at Ryt Bank, providing independent penetration testing and vulnerability assessment capability that is structurally separate from the 1st-line security function.
This role is for security professionals who are genuinely passionate about offensive security — finding vulnerabilities before adversaries do and helping Ryt Bank understand its real attack surface as an AI-powered digital bank.
What You'll Do
PENETRATION TESTING & VAPT
- Plan and execute quarterly vulnerability assessments across the bank's full infrastructure, applications, and API surface. Sr VAPT Engineers own and lead the programme; VAPT Engineers execute assessments and triage findings.
- Coordinate the annual intelligence-led penetration test covering internal network, external perimeter, applications, and APIs. Sr VAPT Engineers scope, manage, and validate; VAPT Engineers support execution.
- Lead the bank's triennial red team simulation — intelligence-led, adversary-simulated exercises targeting critical banking systems. Sr VAPT Engineers lead; VAPT Engineers participate and develop skills.
- Manage the external penetration testing firm relationship — scoping, reviewing methodologies, validating findings, and ensuring remediation is tracked. Led by Sr VAPT Engineers.
AI RED TEAM
- Own the bank's AI red-team programme, testing the bank’s adopted large language models, RAG pipelines, MCP-connected agents, and agentic workflows.
- Apply MITRE ATLAS (v5.4.0) techniques to simulate AI-targeted attacks: model API reconnaissance, training data poisoning, model evasion, prompt injection, indirect prompt injection via RAG documents, and confused-deputy attacks in agent-to-agent workflows.
- Test against OWASP Mobile, API, Web and LLM Top 10 (2025 edition) — covering prompt injection, sensitive information disclosure, excessive agency, system prompt leakage, vector and embedding weaknesses, and AI supply chain risks.
- Use AI red-team tooling to run systematic adversarial evaluations of the bank's AI systems. Sr VAPT Engineers own the programme; VAPT Engineers execute specific test scenarios.
- Produce AI security findings reports and coordinate remediation with the Lead, Security Engineering.
REMEDIATION & REPORTING
- Run purple team exercises in collaboration with the Lead, Cyber Operations — testing detection coverage, validating SIEM rules, and improving SOC response playbooks.
- Produce clear, actionable pentest and AI red-team reports for technical and non-technical audiences — including executive summaries for the CISO and board.
- Track all findings to remediation within agreed SLAs; escalate unresolved critical findings through the CISO.
- Provide technical security consultancy to engineering teams on high-risk features, novel architectures, and AI system deployments.
What We're Seeking
EXPERIENCE
- 3–7 years in penetration testing, red teaming, or offensive security roles with demonstrated independent delivery.
- Proven experience scoping, leading, and reporting on mobile and web application, API, network, and cloud penetration tests.
- Hands-on experience with mobile, API and web application penetration testing.
- Deep familiarity with AI penetration testing and tooling — testing LLMs, RAG systems, or agentic AI architectures is a strong differentiator.
- Deep familiarity with MITRE ATLAS and OWASP Mobile, Web, API and LLM Top 10 attack frameworks.
- Experience managing external pentest vendors.
- Experience in regulated environments (banking, fintech, insurance, critical infrastructure) preferred.
SKILLS
- Proficiency with offensive security tools — Burp Suite, Metasploit, Nmap, and custom scripting.
- Sr VAPT Engineers: proficiency with AI vulnerability testing tools (PyRIT, garak, Promptfoo) and ability to produce board-ready findings reports.
- VAPT Engineers: growing proficiency across offensive tools and methodologies.
- Ability to communicate findings clearly to technical and non-technical audiences.
- Understanding how to scope and execute adversarial exercises safely in a live banking environment.
PREFERRED CERTIFICATIONS
- OSCP, OSCP+, OSEP, CREST CPSA or CRT (Sr VAPT Engineers); OSCP in progress (VAPT Engineers).
- GIAC GPEN, GWAPT, or GXPN.
- CompTIA PenTest+.
What We Value
- Revolutionary in our thinking.
- Innovative in our products, services and the way we work.
- Genuine in our intentions.
- Honourable in our actions.
- Tenacious in overcoming challenge.