About the role
We're looking for an ambitious security engineer at Pratilipi. This is a generalist role embedded in a high-growth product company, spanning AppSec, cloud, detection, and compliance. You'll go from reading PRs to managing WAF rules to running internal CTFs.
What you'll do
- Conduct application security assessments - VAPT, secure code reviews, and manual testing across web, mobile (Android/iOS), and API surfaces; triage scan findings and drive remediation with engineering teams
- Embed security into the SDLC through threat modeling, design reviews, and CI/CD security tooling - be in the PRs and architecture discussions
- Participate in structured incident and vulnerability response - detection, triage, containment, post-mortems, and bug bounty submissions
- Contribute to data security initiatives - PII discovery and classification, data flow mapping, access controls, and privacy-by-design reviews for new product features
- Assess risks in internal AI tool usage, LLM-integrated pipelines, and AI-generated code patterns entering production
- Build and maintain detection coverage across logging sources with a target of zero blind spots on critical assets
- Monitor cloud security posture across AWS and GCP - IAM hygiene, misconfiguration detection, and infrastructure findings using custom and native cloud tooling
- Manage Cloudflare security configurations - WAF rules, rate limiting, Bot Management, and DNS hygiene - targeting near-100% detection and block rates for attacks, bots and crawlers
- Support ISO/IEC 27001 and other compliance operations - evidence gathering, control owner tracking, user access reviews, policy maintenance, mitigating identified risks
- Build and maintain internal security tooling and automation to improve team efficiency and detection coverage
- Run security awareness initiatives - awareness campaigns, internal training, deploying CTF challenges tailored to the Pratilipi ecosystem
What we are looking for
- 1-3 years in a security role - breadth across AppSec, penetration testing, cloud security, threat intelligence or GRC matters as much as depth in any one area. You will start by contributing across domains and, over time, own one or two areas end-to-end
- Demonstrated offensive security curiosity - a CTF win, a bug bounty leaderboard placement, CVE discoveries or audits, or published security research is a strong differentiator
- Solid understanding of common web, API, and mobile vulnerability classes - injection, auth flaws, broken access control, supply chain risks and secure coding principles
- Ability to read and review application code in Golang, Python, Java and JavaScript/Node.js for security issues - not just run scanners
- Working knowledge of Cloud Security (AWS preferred) - IAM, Firewall, Container, IaC, Runtime Security, OS, VPC, Networking - WAF and SaaS tools
- Willing to be the first responder on any security question - whether it's a developer asking about a secure implementation pattern, an employee reporting a phishing email, or a compliance query from leadership. You won't always have the answer, but you should have the instinct to dig in rather than deflect
- Able to explain a critical risk to an engineer, articulate its business impact to a non-technical stakeholder, assess risk beyond just CVSS scores, understand the compliance implications of security decisions, and make reasonable trade-offs between security ideals and business needs
Security & Data Handling
All employees are expected to handle sensitive data responsibly in compliance with the DPDP Act, ISO-27001:2022, and Pratilipi's internal security policies — ensuring data privacy, confidentiality, and NDA obligations at all times.