Cyber Security Specialist
Internshala
About the job
Security Engineer (Generalist)
Diigoo Tech
Location: Hyderabad (Madhapur), On-site
Type: Full-time, starting with a 4-month provisional period
Reporting to: Founders / Senior Engineering

What this role actually is

We're a startup, so we're not hiring a security architect, a pentester, and an analyst as three separate people. We're hiring three security engineers who can each do all of it.

Every person we bring on owns the full picture - architecture, engineering, testing, analysis, incident response, and compliance. One week you're designing how a system should be secured, the next you're breaking it to prove it isn't, and the week after you're analysing logs to catch what got through. No "that's not my job" - here, all of it is your job.

If you've ever opened DevTools and wondered why a website lets you do something it shouldn't, you already have the mindset. The rest is craft - and we'll sharpen it together.

The attack surface is genuinely wide: enterprise platforms, cloud-hosted SaaS, on-prem deployments, and blockchain infrastructure - some of it shipping to government bodies and international clients.

Roles and responsibilities

You'll own all of the following. Not a slice - the whole thing.

Security architecture
Design secure-by-default systems across our web apps, APIs, cloud, and blockchain stack. Threat modelling, defining trust boundaries, and building defence-in-depth into the design before code is written.

Security engineering
Harden our AWS and GCP environments - IAM, network policies, secrets management, and audit trails. Build and maintain the controls, not just recommend them.

Offensive testing
Run vulnerability assessments and pentests on our web apps and APIs. The OWASP Top 10 is your warm-up. Find the holes before anyone else does.

Security analysis and monitoring
Set up and run SIEM, intrusion detection, and incident-response playbooks. Read the logs, spot the anomaly, and lead the response when something fires.
Take on-call once you're ready.

Blockchain security
Review smart contracts and consortium-chain configs (Solidity, Rust, validator security) for re-entrancy, oracle attacks, and validator compromise.

Compliance and audit
Drive our posture across DPDP Act 2023, ISO 27001 readiness, SOC 2 prep, and government-grade audits.

Code review and security culture
Sit in on code reviews and catch security mistakes before they ship. Run internal phishing simulations and security training. Yes, that includes the founders.

Must-haves (non-negotiable on day one)

These are the things we genuinely cannot train around. You need them walking in.

Core fundamentals - TCP/IP, TLS, DNS, HTTP, Linux, and a scripting language (Python or Bash). Not surface-level - you can actually reason about how these work.
Hands-on offensive basics - real, demonstrable experience with the classic web vulnerabilities: SQLi, XSS, SSRF, IDOR, broken auth. Projects, CTFs, or TryHackMe / HackTheBox all count.
Tooling - you've used Burp Suite, Nmap, Metasploit, or Wireshark properly - not just watched a tutorial.
Cryptography basics - hashing, symmetric vs asymmetric encryption, signatures, and certificates.
Cloud literacy - you understand how a cloud environment (AWS or GCP) is structured and where it breaks - IAM, networking, secrets, logging.
Reporting - you can write a vulnerability report an engineer can reproduce and fix without a follow-up meeting.
Generalist mindset - you're comfortable being a one-person security team for whatever the day demands, and learning whatever you don't yet know - fast.
Education - final-year or recent graduate in B.Tech / M.Tech (CSE / IT / Cybersecurity) or equivalent. Strong self-taught candidates with proof of work are equally welcome.

We don't expect mastery of every discipline on day one. We do expect real depth in the fundamentals and the range and hunger to close the rest quickly.
Nice-to-haves (these move you to the front of the queue)

Smart-contract auditing experience or knowledge of blockchain-specific attacks (re-entrancy, oracle attacks, validator compromise).
Hands-on with cloud security tools - AWS Inspector, GuardDuty, Wiz, or Prisma.
Certs in hand or in progress - CEH, Security+, eJPT, or OSCP.
A HackerOne or Bugcrowd profile, even with a single accepted report.
Open-source contributions to security tools, or published CTF write-ups.
Exposure to compliance frameworks (ISO 27001, SOC 2, DPDP) in a real setting.