Information Security Engineer (Appsec)

Requirements

• 3+ years of hands-on experience in application security, penetration testing, or a related security engineering role
• A solid understanding of common web, mobile, and API vulnerabilities (e.g., OWASP Top 10, CWE) and practical approaches to identify and remediate them
• Experience conducting code reviews, design reviews, and threat modelling for modern application architectures
• Familiarity with DevSecOps practices and integrating security tooling into CI/CD pipelines
• Working knowledge of authentication, authorisation, session management, and cryptographic best practices
• Proficiency with security tools, such as Burp Suite, MobSF, Frida, or custom scripts, for dynamic and static analysis
• A basic understanding of cloud security principles and experience working with GCP or AWS environments
• Great communication skills with the ability to collaborate effectively with Engineering, Product, and DevOps teams
• A proactive mindset with a passion for solving complex problems and driving secure engineering practices
• The ability to work independently while also being a trusted team player in a fast-paced environment

Nice to have

• Experience participating in Red Team exercises, managing bug bounty programmes, or contributing to open-source security tools or research

What you'll be doing

• Performing security assessments on product designs, mobile apps (iOS/Android), web applications, and APIs
• Participating in Red Team missions and threat-led testing scenarios to simulate real-world attacker behaviours and validate detection and response capabilities
• Leading and conducting penetration testing across applications, infrastructure, and APIs, using a mix of manual techniques and automated tools
• Managing and evolving our private bug bounty programme, validating submissions, collaborating with researchers, and ensuring timely resolution of valid findings
• Contributing to and influencing cloud security posture, identifying misconfigurations and working with DevOps to implement best practices across GCP and AWS
• Partnering closely with engineering teams to embed security into the software development lifecycle, offering guidance on secure architecture and threat modelling
• Developing and enforcing internal AppSec standards, policies, and practices aligned with OWASP, NIST, and industry benchmarks
• Continuously researching and evaluating emerging threats, tools, and technologies to stay ahead of the evolving threat landscape
• Contributing to internal security training sessions, knowledge sharing, and mentoring of junior team members