Cybersecurity Consultant/Senior Cybersecurity Consultant (Attack Simulation Grp)

You will be part of the Attack Simulation Group (ASG) within the Cyber Security Agency of Singapore (CSA), a specialist team responsible for delivering advanced security testing and adversary-led assessments to strengthen the resilience of Critical Information Infrastructure (CII). This is a senior, hands-on role for experienced offensive security practitioners who want to apply real-world attack techniques to complex, high-impact systems in support of Singapore’s national cyber security mission. The Team ASG is a technically driven team within CSA focused on realistic attack simulation, penetration testing, red teaming, and purple-teaming outcomes. Our work goes beyond compliance-driven assurance, emphasising hands-on testing, attacker tradecraft, and practical security improvements. Operating within the realities of government, we value curiosity, adaptability, and out-of-the-box thinking. Specialised training and development opportunities are provided to continuously deepen and expand our technical capabilities, and team members are expected to continuously learn, apply skills across domains, and contribute to the evolution of attack simulation practices across Singapore’s CII. We also believe in sharing and growing our craft where appropriate. Some of our public work and tooling can be found at: 👉 https://github.com/hack-techv2/

Responsibilities • Lead and conduct penetration testing, red teaming, and adversary simulation activities across web, mobile, infrastructure, cloud, OT, and telecommunications environments. • Execute realistic attack scenarios to assess the resilience of Critical Information Infrastructure (CII), including systems supporting essential services. • Support purple-teaming activities by translating offensive techniques into actionable detection and response improvements. • Lead engagements end-to-end, including planning, execution, reporting, and technical debriefs with stakeholders. • Mentor junior consultants and contribute to raising the team’s overall technical standard. • Drive continuous improvement of ASG’s testing methodologies, tooling, and research, including taking on problem spaces outside your primary domain when required. • And because this is government, be prepared to occasionally switch gears by contributing to strategic initiatives, supporting and executing procurement activities, participating in industry outreach, or undertaking coordination work, all of which ultimately help us strengthen security outcomes and make Singapore a safer place to live and work. Why Join ASG at CSA • Work on nationally significant systems, including CII, OT, and telecommunications environments rarely accessible outside government. • Engage in deep, technically challenging work that prioritises realism, learning, and security outcomes over high-volume testing. • Apply your offensive security expertise to a public mission that directly contributes to Singapore’s cyber resilience. • Be part of a specialist team that is deliberately building towards strong technical depth, continuous learning, and moving beyond compliance-driven assurance, and help shape what “good” looks like along the way.

Requirements • An attacker’s mindset with strong technical understanding of operating systems, networks, and modern enterprise environments. • Proven ability to identify and execute real-world attack scenarios, beyond automated or checklist-based testing. • Experience in penetration testing and/or red team operations, with exposure to adversary tradecraft and attack chaining. • Demonstrated adaptability to transfer skills across technical domains (e.g. web to mobile, IT to OT, on-prem to cloud). • Strong technical writing skills and the ability to clearly articulate security risks and impact. • Typically 5–8 years of relevant experience in penetration testing, red team operations, or related offensive security roles, with demonstrated depth in hands-on technical work. • Relevant industry certifications such as OSCP, CREST (e.g. CRT, CCT), CRTO, or equivalent are desirable. That said, we recognise that certifications alone do not define capability. Hands-on experience, problem-solving ability, and technical depth matter more to us than badges. If you share our passion to make a difference in the cyber security landscape, take up the challenge and apply now. All applicants will be notified on whether they are shortlisted or not within 4 weeks of the closing date of this job posting. For any issues with the application, you may drop your resume with us at csa_recruit@csa.gov.sg.