Manager, Web Application & Fraud Testing
The Manager – Web Application & Fraud Testing leads a specialized offensive security unit focused on application-layer security assessments and fraud attack simulations. Reporting to the Senior Manager of Offensive Security & Fraud Testing, this leader’s mission is to establish and mature Vanguard’s fraud testing program, proactively identifying real-world fraud scenarios and control gaps before they result in losses. The role blends deep red team/penetration testing expertise with fraud domain knowledge, using an adversarial mindset to simulate how fraudsters might exploit our web and digital channels. Through threat-led testing (not reactive or audit-driven), the Manager ensures findings drive detection improvements, control remediation, and reduced fraud risk exposure across the enterprise.
Key Responsibilities:
Fraud Testing Program Leadership: Develop and champion the strategic vision for Vanguard’s fraud testing program, aligning it with industry frameworks (e.g., FS-ISAC Cyber Fraud Prevention Framework (CFPF), MITRE’s fraud tactics frameworks such as Fight Fraud (F3)) and firm-wide risk priorities. Define clear objectives and roadmaps for threat scenario development and testing campaigns that mirror real fraud actor behaviors. Ensure a threat-led, proactive approach – focusing on emergent fraud trends (account takeover, social engineering, identity fraud, payment fraud, etc.) – rather than reactive or compliance-only testing.
Team Management & Development: Lead and mentor a team of ~4–8 Fraud Specialist Offensive Security Analysts dedicated to fraud-focused attack simulation and advanced web application testing. Set performance goals, manage staffing and skill development, and foster a culture of continuous learning and innovation. Guide the team in adopting new fraud TTPs (tactics, techniques, procedures) and tools (e.g., bot frameworks, scenario automation) to keep ahead of evolving fraud methods.
Operational Oversight – Web App & Fraud Scenario Testing: Plan, scope, and oversee complex fraud testing engagements end-to-end. This includes ensuring critical customer-facing web and mobile applications undergo rigorous security testing for vulnerabilities (e.g., injection flaws, authentication weaknesses, session handling, API misconfigurations) as well as business logic abuse. Direct the design of realistic fraud scenarios – e.g., multi-step account takeover chains, transaction manipulation, synthetic identity usage – to stress-test fraud controls and processes. Maintain high ethical and operational standards in testing (legal, privacy, customer safety) while pushing the envelope to simulate advanced fraud threats.
Stakeholder Collaboration & Purple Teaming: Serve as the primary liaison for fraud testing efforts across Fraud Operations, Fraud Intelligence, Detection Engineering, Cyber Defense (Blue Team), Application Security, and Business Product teams. Work closely with these stakeholders to identify high-risk fraud scenarios (leveraging fraud intel and actual incidents) and ensure test plans cover relevant attack vectors. Coordinate Purple Team exercises that bring together offensive fraud testers and defensive owners (e.g., monitoring & fraud analytics teams) to validate detection rules, alert triggers, and response plans in real-time scenarios.
Risk Management & Outcome Integration: Translate test findings into risk insights by overseeing thorough documentation of vulnerabilities, control gaps, and fraud detection weaknesses discovered during testing. Ensure all findings are entered into risk management systems (e.g., risk registers) with appropriate severity and ownership. Work with partner teams to prioritize remediation and close gaps (including scheduling re-testing to validate fixes). Map findings to frameworks like CFPF to communicate which stages of the fraud kill-chain were exploited (Recon, Initial Access, Positioning, Execution, Monetization) and use that mapping to guide targeted control improvements.
Program Metrics & Continuous Improvement: Define key performance indicators for the fraud testing program (e.g., number of fraud scenarios tested, detection gaps identified and resolved, “fraud saved” metrics from improved controls, stakeholder satisfaction). Regularly report on program progress to senior leadership, highlighting how fraud testing has strengthened defenses or uncovered risk. Continuously refine methodologies and tooling – for example, evaluate integrating AI tools or automation for large-scale credential stuffing simulations or anomaly detection. Stay current on emerging fraud threats (new scam methods, shifts in fraudster tactics) and adjust the program to anticipate these trends.
Required Qualifications:
Offensive Security & Fraud Domain Expertise: 8+ years in cybersecurity, with significant experience in detection engineering, red teaming, or adversary simulation (preferably in financial services or similar). Understanding of fraud vectors (account takeover, social engineering, identity fraud, payments fraud, business logic abuse in applications) and how to simulate them. Strong familiarity with relevant frameworks and models (e.g., CFPF, MITRE ATT&CK; knowledge of MITRE’s emerging Fight Fraud Framework (F3) is a plus).
Leadership & Program Management: Proven track record (3+ years) leading security teams or programs – e.g., managing a red team, threat simulation team, or similar function. Demonstrated ability to scale a program from concept to maturity: strategic planning, establishing processes, measuring impact with metrics, and iterating based on feedback. Exceptional organizational skills to handle multiple engagements in parallel and ensure quality deliverables on schedule.
Technical Skills (Web & App Security): Strong understanding of web application security (OWASP Top 10, API security, authentication/authorization flows, etc.) and how these may be leveraged in fraud scenarios. Ability to effectively oversee technical testing and validate severity of findings. Comfort with scripting/automation (Python, etc.) to support or guide advanced testing techniques (e.g., automating large-scale credential stuffing tests). Familiarity with fraud tools and data (e.g., user behavior analytics, device fingerprinting, anti-fraud controls) is beneficial.
Stakeholder Engagement & Communication: Excellent cross-functional communication skills. Experience collaborating with non-security teams (fraud/risk, business product owners, customer service, etc.) to drive change. Executive presence to articulate program value and risk insights to senior leadership in clear, business-relevant terms. A track record of building trust and strong partnerships – especially with fraud prevention or risk management teams – through transparency and delivering results.
Education & Certifications: Bachelor’s degree in Cybersecurity, Computer Science, or related field (or equivalent experience). Graduate degree or specialized fraud training (e.g., Certified Fraud Examiner (CFE)) is a plus. Relevant technical certifications such as OSCP, CRTP/CRTE, CISSP, GIAC or similar demonstrate both offensive technical acumen and security management credibility.
Special Factors
Sponsorship
Vanguard is not offering visa sponsorship for this position.
About Vanguard
At Vanguard, we don't just have a mission—we're on a mission.
To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients' lives. To learn and develop our skills as individuals and as a team. From Malvern to Melbourne, our mission drives us forward and inspires us to be our best.
How We Work
Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection. We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.