At Engine by Starling, we are on a mission to find and work with leading banks all around the world who have the ambition to build rapid growth businesses, on our technology.
Engine is Starling’s software-as-a-service (SaaS) business, the technology that was built to power Starling Bank, and a year ago we split out as a separate business.
Starling Bank has seen exceptional growth and success, and a large part of that is down to the fact that we have built our own modern technology from the ground up. This SaaS technology platform is now available to banks and financial institutions all around the world, enabling them to benefit from the innovative digital features, and efficient back‑office processes that has helped achieve Starling’s success.
Hybrid Working
We have a Hybrid approach to working here at Engine – our preference is that you’re located within a commutable distance of one of our offices so that we’re able to interact and collaborate in person.
About the Role
We are looking for an experienced Penetration Tester who can bridge the gap between deep technical exploitation and real‑world business risk. This isn’t just about running scanners and handing over a PDF; it’s about adversarial empathy, understanding how our systems and services work so you can show us how they may be compromised.
While you will sit within the Information Security team, you won’t be siloed; you will be “dropped in” to test across various business domains, working side‑by‑side with Infrastructure Engineers and Software Developers and in collaboration with all parts of the Information Security Team. Your approach is to move beyond finding ‘bugs’ to helping out teams build inherently resilient systems.
As an early member of our internal Pentesting capability, you won’t just follow a manual, you will help write it.
Responsibilities
- Collaborating with your peers to design a continuous testing framework that evolves with our tech stack.
- Sharing knowledge with the wider technical faculty to elevate our collective security posture.
- End‑to‑End Assessments: Conducting penetration tests on our core banking platform, focusing on Cloud and Application Security.
- Code Review: Performing manual secure code reviews to identify logic flaws and security anti‑patterns.
- Threat Modelling: Participate in sessions with different teams to identify design flaws before code is written.
- Risk Contextualisation: Contextualising technical vulnerabilities into “Real‑World Risk” scenarios to demonstrate business impact to non‑technical executives and within Engine’s risk management framework.
- Cloud Security: Collaborating with Infrastructure teams to audit and secure cloud configurations.
- Autonomous Execution: Acting as an independent operator within the team, managing your own testing scope and timelines across different business domains.
- Remediation: Providing clear, actionable remediation advice that balances security requirements with engineering velocity.
- Strategic Reporting: Translate complex technical exploits into actionable business risk summaries for non‑technical stakeholders and executive leadership.
Additionally, we understand the importance of knowledge and expertise remaining current and you shall support the continued advancement of our penetration testing through research, design and implementation of new solutions, including automation.
We’re open-minded when it comes to hiring and we care more about aptitude and attitude than specific experience or qualifications.
Technical Skills
Ideally, we would like:
- Experience: 5+ years experience in penetration testing with a focus on cloud native infrastructure, web applications, APIs.
- Tooling: Expert‑level proficiency with industry‑standard tools and the ability to “go manual” when scanners fail.
- Cloud Native: Experience with Cloud Security, (AWS/GCP) specifically AWS/EKS.
- Code Fluency: Ability to conduct code reviews in multiple languages, primarily Java and Go.
- Mobile: Experience testing Mobile Applications (iOS and Android).
- SDLC: You have a working understanding of how software is architected, built and deployed.
- Scripting: You have the ability to write your own scripts and tooling to aid in pentesting and improve efficiency. Golang, Python etc.
Soft Skills
- Communication: Exceptional written and spoken communication skills: the ability to communicate complex technical issues to engineers and business risk to executives.
- Proactivity: A self‑starting nature. You don’t wait for a ticket to find a vulnerability. Got downtime? You’re digging into codebases, closing off retesting items and generally getting it done.
- Independence: Ability to work independently while remaining a collaborative partner to the wider engineering team.
- Adaptability: Engine is evolving. You are able to evolve and develop as our requirements shift over time.
Nice to have
- Infrastructure as Code (IaC): Experience auditing Terraform or CloudFormation templates.
- DevSecOps: Familiarity with integrating security tooling (DAST/SAST) into CI/CD pipelines.
#J-18808-Ljbffr…