SENIOR APPLICATION SECURITY ENGINEER (OUTSIDE IR35)

Early Phases of the Programme have already defined the Target Architecture, Threat Model & Prompt Engineering Strategy. The Next Stage is to Transform this Foundation into a Production-Grade Capability Used Daily by Engineering Teams, enabling Developers to:

• Triage Application Security Findings in Real Time
• Receive AI-Assisted Remediation Guidance & Fix Suggestions
• Reduce Cost, Time & Friction Associated with Securing Code at Scale

This is a Hands-On Engineering Leadership role. You will own the End-to-End Technical Implementation & Evolution of the Platform, working closely with Application Security, Platform Engineering, Risk & Compliance Stakeholders.

Responsibilities of Application Security Engineer role will include:

Agent Engineering & Platform Ownership:

• Lead the End-to-End Engineering Build of an Agentic Application Security Capability
• Own the Codebase, Orchestration Layer & Evaluation Harness
• Design & Implement Agent Workflows that Triage Findings, Propose Fixes & Assist Developers within CI/CD Pipelines
• Ensure Agent Operates Reliably Across Production Engineering Environments, Embed into Developer Workflows (GitLab / GitHub, CI/CD Pipelines, Ticketing Systems, Identity Platforms)

Define Robust Tool Contracts, Retry Logic, Rate Limiting & Failure Handling Mechanisms

Prompt, Policy & Guardrail Engineering:

• Design, Develop, Version & Continuously Improve:

• System Prompts & Agent Behaviours

• Policy Frameworks & Guardrails

• Tool Schemas & Execution Constraints

Implement Protections Against:

• Prompt Injection
• Jailbreak Attempts
• Unsafe Tool Execution

Ensure Alignment with Defined AASA Threat Model & Governance Standards

Evaluation, Metrics & Assurance:

• Build & Maintain a Full Evaluation Framework, including:

• Golden Datasets & Regression Test Suites

• Precision / Recall Measurement for Vulnerability Detection

• Mean-Time-To-Fix Improvements

• False Positive Reduction Tracking

• Human Override & Intervention Telemetry

Publish Metrics into a Central Security Assurance Scorecard

Secure-By-Design Engineering:

• Embed Secure-By-Design Principles across the Agent Architecture:

• Least Privilege Execution Model

• Scoped Tool Access Controls

• Audit Logging & Traceability

• Output Validation & Sanitisation

• Human-in-the-Loop Control Points

Ensure Compliance with Internal Governance Frameworks (including Agent Safety & AI Security Standards)

Release Management & Operations:

• Take the Platform from "Prototype" to "Controlled Pilot" & into "General Availability"

• Define & Manage:

• Service-Level Objectives (SLOs)

• Observability & Monitoring

• Model & Behaviour Drift Detection

• On-Call & Operational Runbooks

• Safe Rollback & Recovery Mechanisms

Stakeholder & Cross-Functional Collaboration:

• Partner closely with:

• Application Security Teams

• Developer Experience / Platform Engineering

• CISO / Security Assurance

• Legal, Risk & Compliance Functions

Translate Complex Technical Design Decisions into Clear, Actionable Insights for Non-Technical Stakeholders

Balance Security, Usability & Engineering Velocity Trade-Offs

Thought Leadership & Architecture Contribution:

• Contribute to Internal Architecture Artefacts (Blueprints, Reference Architectures, Design Diagrams)
• Support Development of Enterprise-Wide Agentic AI Security Standards
• Where appropriate, contribute to External Thought Leadership, * Build a Real Production System used at Scale by Engineers - not a Prototype or Slideware
• Work on one of the Most Important Emerging Challenges in Security: How Agents Safely Build & Secure Software
• Join a Team that values strong Engineering Discipline, Architecture Clarity & High-Quality Execution
• Opportunity to Shape How a Major Organisation Approaches AI-Driven Application Security

Searches: Application Security Engineer / AppSec / Agentic AI / AI Ops / AI Security / Claude / Red Teaming / Offensive Security / SAST / SCA / DAST / Secure-By-Design / Platform Engineering / AppSec Automation / LLM / Agentic Applications / Software Engineering

• Strong Software Engineering Background (Production-Grade Python and / or TypeScript)

• Experience with Modern Engineering Practices: CI/CD, Testing Frameworks, Code Review Standards

• Hands-On Experience Building LLM-Powered or Agentic Applications

• Prior Use of Claude Code or similar Tools to Accelerate Engineering Workflows

• Deep Application Security Expertise:

• SAST / SCA / DAST / Secret Scanning

• Secure Code Review

• Threat Modelling (OWASP Top 10, API Top 10, LLM Security Risks)

Experience Integrating Security Tooling into Developer Pipelines (GitLab / GitHub, CI/CD)

Understanding of Prompt Injection, Jailbreak Risks, Sandboxing & Least-Privilege Design

Ability to operate effectively in Regulated Environments & Translate Controls into Engineering Solutions

Ideally Experience would include:

• Delivered AI / Agent Platforms or AppSec Automation Solutions at Scale

• Familiarity with:

• Anthropic Claude / Claude Code

• MCP or similar Agent / Tool Orchestration Frameworks

Experience with AI Security Tooling or AISPM Platforms

Exposure to Financial Services Regulatory Environments (eg DORA, FCA/PRA, MAS, JFSA, EU AI Act)

Knowledge of Secure Development Frameworks (e.g. NIST SSDF, SABSA)

Experience with AI Red-Teaming & Adversarial Testing

Evidence of External Thought Leadership in AppSec or AI Security