Senior / Lead Security Engineer – Red Team & Offensive Security (IGT1 Lanka: Sitecore)

Company Description

About IGT1 Lanka

IGT1 Lanka is a rapidly growing offshore technology and talent solutions company based in Port City Colombo. We are a fully owned subsidiary of IGT I Holdings Sweden AB, funded by the three of world’s leading private equity firms; EQT Group, Hg, and TA Associates. We’re also proud to be a sister company of IFS, Sri Lanka’s largest and most established technology company.

At IGT1 Lanka, we partner with global businesses to scale operations, accelerate innovation, and build world-class SaaS platforms through high-quality offshore delivery. Our people-first culture champions diversity, teamwork, and continuous learning, creating an environment where talent thrives.

With a team of over 300 professionals and counting, we are always looking for passionate, skilled individuals who want to make a global impact while being part of something extraordinary.

Through our offshore collaboration model, you'll be embedded within the team of one of our esteemed international clients, contributing directly to high-impact, enterprise-level initiatives.

About the client: Sitecore

Sitecore delivers a composable digital experience platform that empowers the world’s smartest and largest brands to build lifelong relationships with their customers. A highly decorated industry leader, Sitecore is the leading company bringing together content, commerce, and data into one connected platform that delivers millions of digital experiences every day. Thousands of blue-chip companies including American Express, Porsche, Starbucks, L’Oréal, and Volvo Cars rely on Sitecore to provide more engaging, personalized experiences for their customers.

Job Description

About the role:

Sitecore is seeking a proactive and technically skilled Security Engineer with a focus on Red Team and offensive security operations. This role will support security testing and hardening efforts across Sitecore’s cloud-native and SaaS products by leading and managing penetration testing, vulnerability management, bug bounty coordination, and code security initiatives.

The engineer will work closely with product engineering teams, security stakeholders, and external partners to identify, assess, and drive the remediation of vulnerabilities. The ideal candidate should be deeply familiar with threat actors, modern attack vectors, and best practices for secure application and infrastructure design.
 

Key Responsibilities

Penetration Testing & Red Team Operations

• Own and manage the penetration testing calendar across products and infrastructure.
• Coordinate with external partners for scheduled and ad-hoc security testing.
• Analyze and triage findings, produce detailed test reports, and follow up on remediation efforts.

Vulnerability Management (Wiz)

• Perform regular scanning and analysis using Wiz for cloud and infrastructure vulnerabilities.
• Prioritize findings based on risk, exploitability, and business impact.
• Track and report on remediation progress across teams and ensure compliance with internal SLAs.
• Ensure that the configuration is up to date and deploy integrations to facilitate seamless scanning across Sitecore’s environment.

Code Security (Wiz Code)

• Work with development teams to integrate secure coding practices and manage static analysis via Wiz Code.
• Review and triage security findings in application code, guiding engineering teams on remediations.

Bug Bounty Program (HackerOne)

• Coordinate Sitecore’s Bug Bounty Program with HackerOne, reviewing reports, validating findings, and managing triage workflows.
• Collaborate with researchers and internal stakeholders to assess and resolve reported vulnerabilities.
• Ongoing enhancement and expansion of our Bug bounty program in alignment with Sitecore’s strategic priorities.

Attack Surface Management

• Continuously monitor Sitecore’s external and internal attack surface.
• Proactively identify exposed assets, misconfigurations, or gaps that may lead to exploitation.

Threat Intelligence & Security Research

• Stay current with evolving threat landscapes, vulnerabilities (CVEs), and TTPs (Tactics, Techniques, and Procedures).
• Share intelligence and recommendations with internal teams to strengthen defenses and design.

Cross-Team Collaboration & Reporting

• Work closely with Engineering, Cloud, and Product Security teams to share findings, improve visibility, and reduce exposure.
• Maintain detailed documentation, dashboards, and status reports on open vulnerabilities, tracking remediation timelines and SLAs.

Qualifications

Preferred Skills and Experience: 

• 3–6 years of experience in application security, penetration testing, or red team operations.
• Hands-on experience with tools like Wiz, Wiz Code, Burp Suite, Metasploit, and scripting for automation.
• Familiarity with OWASP Top 10, cloud-native security (Azure, AWS), and container security best practices.
• Strong understanding of vulnerability management lifecycle, secure SDLC, and offensive security techniques.
• Experience managing or participating in bug bounty programs is a strong plus.
• Security certifications such as OSCP, GPEN, OSCE, CRTOP, GRT, CRTA, RTO are a plus.
• Excellent written and verbal communication skills with the ability to present technical concepts to non-technical audiences.

Work Conditions:

• Working hours aligned to U.S. Central or Eastern time zones.
• Occasional after-hours availability may be required for coordinating tests or responding to time-sensitive findings.
• Requires close collaboration with globally distributed engineering and security teams.