Principal Penetration Tester (9 Month FTC) in Watford

At the heart of everything we do is our vision to change lives every day, and our mission to grow The National Lottery responsibly and champion its impact. We are Allwyn UK, part of the Allwyn Entertainment Group – a multi-national lottery operator with a market-leading presence across the USA and Europe. While the main contribution of The National Lottery to society is through the funds to good causes, at Allwyn we put our purpose and values at the heart of everything we do.

This role strengthens the Security Testing function by adding senior hands-on capability across application security testing and targeted offensive security work. The main purpose of the role is to improve the depth, consistency and practical value of security testing across Allwyn systems and services, while building enough internal offensive capability to support purple team activity, adversary led testing and better detection and response outcomes. The role is weighted towards application security.

What you’ll be doing:

• Application security testing and assurance, around 70 percent
• Lead and deliver advanced penetration testing across web applications, RESTful APIs, backend services, mobile connected services and supporting application platforms.
• Assess Java based backend systems, especially Spring Boot services, microservice architectures, API gateways and Backend for Frontend layers.
• Test authentication, authorisation, orchestration, input validation, session handling, token management and data exposure risks across modern digital journeys.
• Carry out security testing across cloud hosted and containerised application environments, ideally on AWS.
• Review outputs from SAST, DAST and related controls, separate noise from genuine risk, and help development teams understand what matters and what should be fixed first.
• Support threat modelling and design review activity by translating design and architecture decisions into sensible testing scope and coverage.
• Support release and project assurance by providing clear views on testing depth, remediation expectations and risk based sign off inputs.
• Help develop practical application security testing standards, playbooks and ways of working that can be applied across BAU and project delivery.

Offensive security and purple team development, around 30 percent:

• Develop and mature an internal purple team methodology that can be used alongside security testing activity and external red team exercises.
• Support offensive security planning with Security Testing leadership and Cyber Defence.
• Use strong Linux and Windows knowledge to identify realistic exploitation paths across hosts, applications and supporting services.
• Bring practical knowledge of binary exploitation and lower level technical analysis where it adds value to application, platform or software component assessments.
• Apply ATT&CK aligned thinking when shaping offensive scenarios, attack paths and purple team test cases.
• Draft for internal review.
• Contribute to selected specialist work, including hardware focused testing or low level technical analysis.
• Work with external offensive security partners and turn outputs into practical lessons, follow up actions and measurable improvements.

Team contribution and capability building:

• Act as a senior technical point of reference within the Security Testing function.
• Coach others in the team and help raise the standard of testing, reporting and technical analysis.
• Improve internal methods, test approaches and reporting so that the function becomes more consistent and easier to scale.

What experience we’re looking for:

Essential:

• Strong hands-on experience in application penetration testing across web applications, APIs and service based architectures.
• Strong understanding of Java based backend systems, especially Spring Boot, RESTful APIs and microservice patterns.
• Experience testing API gateways and Backend for Frontend layers.
• Practical knowledge of cloud hosted applications, ideally on AWS.
• Good understanding of modern web and mobile application patterns.
• Strong practical knowledge of Linux and Windows operating systems.
• Working knowledge of binary exploitation and lower level vulnerability analysis.
• Ability to carry out manual testing beyond automated tooling.
• Ability to explain findings clearly to both technical and non-technical stakeholders.
• Experience shaping testing approach, methodology or standards.

Desirable:

• Experience with mobile application assessment.
• Experience with secure code review or code assisted testing.
• Experience with ATT&CK informed assessments.
• Familiarity with EDR and AV evasion concepts.
• Exposure to hardware, embedded or other specialist low level testing techniques.
• Experience in regulated, high availability or transaction critical environments.
• Relevant certifications such as CREST, OSCP, OSWE, OSEP or equivalent demonstrable experience.
• Experience with WAF technology and implementation.

About us:

At Allwyn, we are dedicated to changing lives and growing the National Lottery responsibly, championing its positive impact on people, places, and the planet. Our aim is to become a net zero national lottery. We have 2030 targets to decarbonise our operations and energy. We’ve already transitioned to renewable energy providers and ensured our fleet consists of low-emission vehicles.

We are a Disability Confident Leader which means we’ve taken proactive steps to ensure our workplace is accessible and inclusive for disabled and neurodivergent colleagues and candidates.