Penetration Tester - Engine by Starling

We are looking for an experienced Penetration Tester who can bridge the gap between deep technical exploitation and real-world business risk. This isn't just about running scanners and handing over a PDF; it's about adversarial empathy, understanding how our systems and services work so you can show us how they may be compromised.

While you will sit within the Information Security team, you won't be siloed; you will be "dropped in" to test across various business domains, working side-by-side with Infrastructure Engineers and Software Developers and in collaboration with all parts of the Information Security Team. Your approach is to move beyond finding 'bugs' to helping out teams build inherently resilient systems.

As an early member of our internal Pentesting capability, you won't just follow a manual, you will help write it. A key aspect of this role involves:

• Collaborating with your peers to design a continuous testing framework that evolves with our tech stack.
• Sharing knowledge with the wider technical faculty to elevate our collective security posture.

Additionally, we understand the importance of knowledge and expertise remaining current and you shall support the continued advancement of our penetration testing through research, design and implementation of new solutions, including automation.

Responsibilities:

• End-to-End Assessments: Conducting penetration tests on our core banking platform, focusing on Cloud and Application Security.
• Code Review: Performing manual secure code reviews to identify logic flaws and security anti-patterns.
• Threat Modelling: Participate in sessions with different teams to identify design flaws before code is written.
• Risk Contextualisation: Contextualising technical vulnerabilities into "Real-World Risk" scenarios to demonstrate business impact to non-technical executives and within Engine's risk management framework.
• Cloud Security: Collaborating with Infrastructure teams to audit and secure cloud configurations.
• Autonomous Execution: Acting as an independent operator within the team, managing your own testing scope and timelines across different business domains.
• Remediation: Providing clear, actionable remediation advice that balances security requirements with engineering velocity.
• Strategic Reporting: Translate complex technical exploits into actionable business risk summaries for non-technical stakeholders and executive leadership.

We're open-minded when it comes to hiring and we care more about aptitude and attitude than specific experience or qualifications.

Technical Skills

Ideally, we would like:

• Experience: 5+ years experience in penetration testing with a focus on cloud native infrastructure, web applications, APIs.
• Tooling: Expert-level proficiency with industry-standard tools and the ability to "go manual" when scanners fail.
• Cloud Native: Experience with Cloud Security, (AWS/GCP) specifically AWS/EKS.
• Code Fluency: Ability to conduct code reviews in multiple languages, primarily Java and Go.
• Mobile: Experience testing Mobile Applications (iOS and Android).
• Design Review: Proven experience in Threat Modelling.
• SDLC: You have a working understanding of how software is architected, built and deployed.
• Scripting: You have the ability to write your own scripts and tooling to aid in pentesting and improve efficiency. Golang, Python etc.

Soft Skills

• Communication: Exceptional written and spoken communication skills: the ability to communicate complex technical issues to engineers and business risk to executives.
• Proactivity: A self-starting nature. You don't wait for a ticket to find a vulnerability. Got downtime? You're digging into codebases, closing off retesting items and generally getting it done.
• Independence: Ability to work independently while remaining a collaborative partner to the wider engineering team.
• Adaptability: Engine is evolving. You are able to evolve and develop as our requirements shift over time.
• Certifications: Relevant industry certifications (OSCP, OSWE, CCT-APP, CCT-INF etc.) or relevant demonstrable experience.

Nice to have:

• Infrastructure as Code (IaC): Experience auditing Terraform or CloudFormation templates.
• DevSecOps: Familiarity with integrating security tooling (DAST/SAST) into CI/CD pipelines.

We have a Hybrid approach to working here at Starling - our preference is that you're located within a commutable distance of one of our offices so that we're able to interact and collaborate in person. In Technology, we're asking that you attend the office a minimum of 1 day per week.

• 25 days holiday (plus take your public holiday allowance whenever works best for you)
• An extra day's holiday for your birthday
• Annual leave is increased with length of service, and you can choose to buy or sell up to five extra days off
• 16 hours paid volunteering time a year
• Salary sacrifice, company enhanced pension scheme
• Life insurance at 4x your salary & group income protection
• Private Medical Insurance with VitalityHealth including mental health support and cancer care. Partner benefits include discounts with Waitrose, Mr&Mrs Smith and Peloton
• Generous family-friendly policies
• Perkbox membership giving access to retail discounts, a wellness platform for physical and mental health, and weekly free and boosted perks
• Access to initiatives like Cycle to Work, Salary Sacrificed Gym partnerships and Electric Vehicle (EV) leasing

At Engine by Starling, we are on a mission to find and work with leading banks all around the world who have the ambition to build rapid growth businesses, on our technology. Engine is Starling's software-as-a-service (SaaS) business, the technology that was built to power Starling Bank, and a year ago we split out as a separate business. Starling Bank has seen exceptional growth and success, and a large part of that is down to the fact that we have built our own modern technology from the ground up. This SaaS technology platform is now available to banks and financial institutions all around the world, enabling them to benefit from the innovative digital features, and efficient back-office processes that has helped achieve Starling's success. As a company, everyone is expected to roll up their sleeves to help deliver great outcomes for our clients. We are an engineering led company and we're looking for someone who will be excited by the potential for Engine's technology to transform banking in different markets around the world. Hybrid Working We have a Hybrid approach to working here at Engine - our preference is that you're located within a commutable distance of one of our offices so that we're able to interact and collaborate in person., You may be put off applying for a role because you don't tick every box. Forget that! While we can't accommodate every flexible working request, we're always open to discussion. So, if you're excited about working with us, but aren't sure if you're 100% there yet, get in touch anyway. We're on a mission to radically reshape banking - and that starts with our brilliant team. Whatever came before, we're proud to bring together people of all backgrounds and experiences who love working together to solve problems. Starling is an equal opportunity employer, and we're proud of our ongoing efforts to foster diversity & inclusion in the workplace. Individuals seeking employment at Starling Bank are considered without regard to race, religion, national origin, age, sex, gender, gender identity, gender expression, sexual orientation, marital status, medical condition, ancestry, physical or mental disability, military or veteran status, or any other characteristic protected by applicable law. When you provide us with this information, you are doing so at your own consent, with full knowledge that we will process this personal data in accordance with our Privacy Notice. By submitting your application, you agree that Starling Bank will collect your personal data for recruiting and related purposes. Our Privacy Notice explains what personal information we will process, where we will process your personal information, its purposes for processing your personal information, and the rights you can exercise over our use of your personal information.