Product Security Engineer in Cambridge

The Role

As a Product Security Engineer, you’ll embed security into the software development lifecycle across multiple product teams. You’ll help teams build, ship, and operate secure software by defining requirements, improving detection and prevention (SAST/DAST), assisting teams with application security governance, and running threat modelling.

Your Work at Redgate

• Partner with engineering and product teams to define and operationalise security requirements across the SDLC (from design to release).
• Audit application code for weaknesses and vulnerabilities.
• Own or co-own application security governance practices: secure-by-default standards, patterns, guardrails, and exceptions/risk acceptance.
• Drive SAST/DAST adoption and quality: tool tuning, triage workflows, severity calibration, and “fix-forward” enablement.
• Support adoption of threat modelling for new features, architectural changes, and high-risk services—turning findings into actionable engineering work.
• Provide product security guidance for cloud-native environments (AWS + containerised workloads), with an emphasis on secure service design and deployment practices.
• Build strong relationships with product teams through clear communication, coaching, and security enablement.
• Review and assist in the development of engineering policies aligned with security best practices.
• Contribute secure shared libraries/paved-road components or perform targeted security testing/pentesting to validate controls.
• Work with product teams to support implementation of AI, including LLMs, SLMs, and MCP.

What you bring to the table

• Hands-on product/application security experience supporting engineering teams in a modern SDLC (requirements, design review, secure coding guidance, release support).
• Strong knowledge of the OWASP Top 10 and practical mitigation patterns; familiarity with OWASP ASVS is a plus.
• Experience implementing or improving SAST/DAST processes: tool selection/tuning, signal-to-noise reduction, and scalable remediation workflows.
• Working understanding of cloud and container security fundamentals in an environment using AWS and Docker (and related CI/CD practices).
• Comfort working across a primarily C# ecosystem (with some Java/Python), including the ability to review code and explain security issues clearly to developers.
• Ability to translate security risk into actionable engineering priorities—balancing risk, delivery timelines, and operational realities.

Who you are

• You’re pragmatic: you care about real risk reduction, not checkbox compliance or perfect theoretical security.
• You communicate clearly and respectfully, able to influence without authority and build trust across multiple product teams.
• You’re structured and evidence-driven: you document decisions, measure outcomes, and iterate based on what’s working.
• You’re comfortable in ambiguity and can shape an approach when requirements, tooling, or ownership aren’t fully defined yet.

Salary and ways of working

£60,000 to £75,000 subject to experience. Flexible-hybrid working model (1 day every two weeks).

Tech / tool stack

• C# / .NET (primary engineering ecosystem), React, Java (J2EE), TypeScript, and Python.
• AWS (cloud infrastructure and services), Docker (containerised workloads).
• SAST/DAST tooling (specific products may vary; you’ll help tune and operationalise them).

Impact plan

• 30 Days: Onboard into Redgate’s products, SDLC, and delivery rhythms (how work moves from idea → code → deploy). Get access to core systems and security tooling; understand what’s in place today (SAST/DAST coverage, alert volumes, current processes). Shadow the Product Security Architect and sit in on a handful of ceremonies (planning/refinement/retro) to understand team dynamics and where security naturally fits. Triage a small set of findings with guidance (e.g., top recurring SAST issues), focusing on learning severity expectations and remediation patterns. Start building a knowledge base: common app patterns, approved controls, “how we do security here,” and where to find the right people.
• 60 Days: Begin owning a defined slice of AppSec work with supervision (e.g., one product area or a specific SDLC initiative like SAST tuning or DAST onboarding). Build working relationships with a small set of partner teams and establish a predictable engagement model (intake path, review checklist). Start contributing to security reviews for new features or higher-risk changes—initially as a second set of eyes, then independently for scoped areas. Help improve signal-to-noise in SAST/DAST: tune rules, reduce duplicates, and document triage guidance that developers can follow. Support lightweight threat modelling sessions alongside the Architect (prep, note-taking, translating outcomes into engineering actions).
• 90 Days: Independently handle routine AppSec support for agreed scope (e.g., first-pass triage, basic secure design guidance, follow-ups with teams), escalating appropriately. Deliver tangible process improvements that reduce friction (e.g., clearer severity rubric, a repeatable intake template, a “common findings” fix guide). Demonstrate steady throughput on findings: consistent triage quality, meaningful developer support, and reduced turnaround time for the scoped area. Contribute to a secure-by-default library/SDK.