
Information Security Analyst

Job type: Full Time · Department: Engineering · Work type: On-Site

Bengaluru, Karnataka, India; Mumbai, Maharashtra, India

About GreyLabs AI

GreyLabs AI is building the voice operating system for India's banking, financial services and insurance (BFSI) sector. Our Agentic Voice AI platform helps banks, insurers, NBFCs, and fintechs automate and humanise millions of customer conversations - across sales, collections, customer service, and compliance - in multiple Indian languages.

In under two years, we've scaled to 50+ enterprise clients, including RBL Bank, AU Small Finance Bank, IDFC FIRST Bank, SBI Life, ICICI Prudential Life, Motilal Oswal - processing hundreds of millions of conversations. We raised ₹85 Crores in Series A funding led by Elevation Capital with Z47, and were recognised for "Best Use of AI in Fintech" at IFTA 2025.

The Role

This is an individual contributor (IC) role on the Information Security team. You will own the application security and VAPT programs, run point on external threat intelligence, and partner with engineering to bake security into the product before it ships. You will also carry the GRC charter - ISO 27001, SOC 2 Type 2, vendor risk, client audits - because at our stage and in BFSI, product security and compliance are the same job.

When a BFSI customer's CISO raises a concern in a security review, you are the person who answers it. When a vulnerability is reported - internally, by a pentester, or via threat intel - you are the person who validates it, drives the fix to closure, and addresses the root cause so the same class of issue doesn't recur.

What You'll Do

Application & Product Security

  • Own the AppSec program end-to-end - SAST, DAST, SCA, secrets scanning, dependency hygiene - and triage findings with engineering rather than throwing tickets over the wall

  • Embed in design reviews and threat-model new features before they ship; push back on insecure designs with a concrete alternative, not just a flag

  • Drive secure SDLC practices - code review standards, pre-commit checks, build-time gates - and measure adoption, not just rollout

  • Partner with platform and product engineering to harden authentication, authorization, tenant isolation, and data handling across the Voice AI stack

Vulnerability Management & VAPT

  • Coordinate internal and third-party VAPT across application, infrastructure, and cloud surfaces; review findings critically and reject noise

  • Own the vulnerability lifecycle - discovery, prioritisation, remediation tracking, retest, closure - with SLAs that are actually met

  • Validate fixes yourself where possible rather than relying on the engineer's word; track recurrence patterns and feed them back into AppSec controls

  • Manage patch cadence and emergency response for zero-days with awareness of business and customer impact

External Threat Intelligence

  • Monitor the external threat landscape relevant to BFSI SaaS and Voice AI - exposed assets, leaked credentials, brand abuse, dark-web chatter, sector-specific TTPs

  • Operate attack surface monitoring and translate findings into concrete control changes, not just dashboards

  • Track threat actors and campaigns targeting Indian BFSI; brief engineering and leadership on what matters and what to ignore

Governance, Risk & Compliance

  • Own ISO 27001:2022 and SOC 2 Type 2 cycles end-to-end - scoping, evidence collection, auditor management, remediation, recertification

  • Run vendor risk assessments, third-party reviews, and onboarding due diligence with a real risk lens, not a checklist mentality

  • Maintain policies, risk register, control catalog, and audit evidence repositories - kept current, not refreshed the week before an audit

  • Lead client security reviews for BFSI customers and regulatory assessments; own the response narrative

  • Run security awareness and compliance training, and measure whether behaviour actually changes

What We're Looking For

  • 4–6 years of experience across AppSec, VAPT, and GRC, with at least one cycle owned end-to-end in each

  • Hands-on with AppSec tooling - SAST, DAST, SCA, secrets scanning - and able to evaluate which findings are real and which are noise

  • Has run or significantly owned a VAPT program: scoping engagements, reviewing reports critically, and driving remediation rather than just filing the reports

  • Working knowledge of ISO 27001:2022 and SOC 2 Type 2 from the practitioner side - has been in the room with an auditor, not just read about it

  • Familiarity with the regulatory environment for Indian BFSI - RBI, IRDAI, DPDP - and how those map to engineering controls

  • Can read application code (Python, Go, or Node) well enough to validate a finding, write a reproducer, or suggest a fix

  • Understanding of cloud security on AWS or GCP - IAM, network isolation, encryption, audit logging - at the depth needed to challenge an architecture, not just review it

  • Has handled BFSI or enterprise client security questionnaires and reviews directly, and can hold the line under pressure without becoming an obstacle

Strong Signals

Not checkboxes. Signals that tell us you're the right person.

  • You've found a real vulnerability in your own product before a pentester or customer did, and can walk through how you found it and what you changed structurally so the next one is caught earlier

  • You've run a SOC 2 Type 2 cycle from scoping to report and can describe exactly what your auditor pushed back on and how you closed it

  • You've threat-modelled a feature pre-launch and the model caught something the design review missed

  • Your external threat intelligence work has resulted in a control change or product fix, not just a report nobody reads

  • You've sat across from a BFSI customer's CISO team on a security review and gotten to "yes" on a non-trivial concern without compromising on the underlying control

  • You've owned a vulnerability that crossed AppSec, infra, and process - and the postmortem produced fixes in all three

Why GreyLabs AI

  • A hard problem in a regulated market. Securing low-latency, multilingual Voice AI for banks and insurers - under RBI and IRDAI compliance and against the security expectations of India's largest financial institutions - is consequential work with real customer pressure.

  • Real scale, real adversary surface. The volume of conversations we process and the sensitivity of the data we handle make security a load-bearing function, not a checkbox.

  • Scope to shape the program. At our current stage, security architecture and process decisions move quickly from design to production. You will define how product security is done here, not inherit a status quo.

  • Strong backing, proven team. Elevation Capital and Z47 are long-term partners invested in our vision. Our founders built and exited Cogno AI - they understand what it takes to build AI companies that earn enterprise trust.
