Cloud Security Test Manager
Description
Enphase Energy is a global energy technology company and a leading provider of solar, battery, and electric vehicle charging products. Founded in 2006, our innovative microinverter technology revolutionized solar power, making it a safer, more reliable, and scalable energy source. Today, the Enphase Energy System enables users to make, use, save, and sell their own power. Enphase is also one of the most successful and innovative clean energy companies in the world, with more than 80 million products shipped across 160 countries.
Join our dynamic teams designing and developing next-gen energy technologies and help drive a sustainable future!
This role at Enphase requires working onsite 3 days a week, with plans to transition back to a full 5-day in-office schedule over time.
About the role:
As the Cloud Security Test Manager, you will lead the offensive security function protecting Enphase’s cloud platform, including Enlighten, Enphase App, and device APIs that connect over 4M homes globally.
In this role, you will build and lead the security testing program across SAST, DAST, penetration testing, threat modeling, and red-team operations. You will manage a team of testers while staying hands-on to guide exploitation strategies and validate findings, partnering closely with the CISO’s office to manage the vulnerability lifecycle end to end.
What you will be doing:
- Build and lead the application and cloud security testing roadmap and team
- Integrate SAST, DAST, SCA, and secrets scanning into CI/CD pipelines (Jenkins, GitLab, GitHub Actions); tune rules, triage results, and manage false positives to drive shift-left adoption
- Conduct and oversee manual penetration testing of web apps, REST/GraphQL APIs, microservices, and cloud platforms against OWASP Top 10 and API Top 10
- Plan and run red-team and purple-team exercises mapped to MITRE ATT&CK — initial access, exploitation, post-exploitation, lateral movement, and detection validation with the SOC
- Lead threat modeling (STRIDE/PASTA) for new services and architecture reviews, defining attack surfaces, trust boundaries, and security requirements
- Own end-to-end vulnerability lifecycle management — risk-based prioritization, remediation tracking, SLAs, and metrics — from identification through verified closure
- Collaborate closely with the CISO’s office to report risks, KPIs, and remediation SLAs
- Define and enforce security standards and best practices across cloud environments
- Perform container, Kubernetes, and cloud-native security testing across multi-cloud (AWS/GCP/Azure) environments
- Develop custom exploits, payloads, and automation to validate exploitability and reduce false positives
What you bring:
- BE/BTech/MS/MTech in Computer Science, Electrical Engineering, or a related field
- 10+ years of experience in application/cloud security testing, including 5+ years leading security or red-team functions
- Strong experience with SAST, DAST, and SCA tooling, CI/CD integration, rule tuning, and triage at scale
- Hands-on manual penetration testing of web apps, APIs, microservices, and cloud environments, with exploit/PoC development
- Expertise in threat modeling frameworks (STRIDE, PASTA) and attack surface analysis
- Strong experience in red-team operations, adversary emulation (MITRE ATT&CK), C2 frameworks, and purple-team collaboration
- Deep understanding of cloud security across AWS/GCP/Azure — IAM and identity, network controls, container/Kubernetes (RBAC, escapes), serverless, and secrets management
- Knowledge of OWASP Top 10 / API Top 10 and CVE disclosure processes
- Familiarity with security standards such as IEC 62443, EU Cyber Resilience Act, SOC 2, ISO 27001
- Excellent leadership, communication, and stakeholder management skills
- Proficiency in scripting (Python, Bash) for security automation and custom tooling
Nice to have:
- Experience in exploit development and custom security tooling
- Understanding of IoT to cloud security and trust boundaries
- Experience building DevSecOps culture and secure SDLC practices
- Relevant certifications such as OSCP, OSCE, GWAPT, or CCSP
What we offer:
- Competitive compensation and comprehensive employee benefits
- Opportunity to lead security for large-scale global cloud platforms
- Exposure to cutting-edge cybersecurity and cloud technologies
- Collaborative and innovation-driven work environment
- Career growth and leadership opportunities