Senior IS Tester

The big question: why on earth should a Tech professional like you work for a 150-year-old retail chain? Because we’re on a journey. Changing the way we operate. Learning to think nimble. Giving our teams the time and freedom they need to push boundaries. To create amazing systems and technologies. To give our colleagues and our customers even more incredible experiences. There are thousands of experts to talk to and learn from. We’ve got data from billions of transactions for our teams to play with. Things get built here. They get made here. They hit customers and colleagues quickly. Welcome to the home of Sainsbury's Tech.

About the Team

Our Data Governance & Information Security team is at the heart of protecting the organisation’s systems, data, and people. We work across all areas of the business to identify risks, strengthen defences, and ensure compliance with industry standards and regulations. We value accountability, curiosity, and continuous improvement, and we’re passionate about building a culture where security is second nature. Joining us means being part of a team that tackles evolving threats, drives awareness, and helps the organisation remain resilient and trusted.

More about the role

The Senior Information Security Tester will be engaged in delivering Penetration Testing & related services and will:

• Scope penetration testing for both internal and external facing systems
• Take ownership and perform a wide range of penetration tests in line with internal standards and SLAs, including detailed and actionable reporting through our reporting platform
• Provide expert feedback in several forums related to technical vulnerabilities and processes within and outside of the security testing team
• Perform Quality Assurance on in-house reports, vulnerability database write-ups, and any related documentation related to the security testing team’s function
• Improve internal vulnerability database write-ups to increase overall quality of all reports
• Assist other teams in understanding security vulnerabilities and implications through constructive conversations & meetings when engaged through security testing, or as part of the wider conversation
• Periodically review external penetration tests as part of ongoing vendor evaluation, along with providing formal feedback for any issues and participating in resolution meetings
• Provide mentorship to others within the team, along with assisting to fill in any knowledge gaps when identified
• Perform Purple Team activities as required, with Red Team capabilities a large advantage
• Participate in reviewing bug bounty findings and providing feedback for issues which are of high severity, complexity, and exceeding a reward threshold
• Provide advice and guidance associated with the planning, design, implementation and improvement of system security taking account of current best practice, legislation and regulation when necessary
• Help shape the security testing process by providing feedback highlighting opportunities for improvement in efficiency and ways of working

Essential

• Extensive experience performing Web Application penetration tests
• Extensive knowledge of OWASP vulnerabilities, tools and methodologies
• Strong experience performing Infrastructure penetration tests against Windows & Linux environments
• Strong experience performing build reviews against Windows & Linux hosts, MacOS a bonus
• Strong technical writing ability to write penetration test reports for technical and non-technical audiences
• Strong reporting Quality Assurance skills
• Ability to work on their own with minimal supervision and deliver on time to budget
• Demonstrates extensive knowledge of good security practice covering the physical and logical aspects of information products, systems integrity and confidentiality
• At least one of the following information security testing certifications OSWE, OSCP, GIAC or CREST (CRT or CCT)
• Ability to think methodically and logically through situations, problem solve and communicate well using both spoken and written word
• Remains visible to customers as the face of Security Testing to listen to their concerns and share these with others
• Ability to translate complex/technical issues clearly to meet the needs of the audience outside of a written report
• Ability to take responsibility, own the issue, resolve it (get the required result) and recognise how individual contributions impact team delivery
• Experience performing Purple Team activities

Advantageous

• Experience with AI & LLM penetration testing
• Experience performing Mobile penetration testing
• Experience performing Red Team activities such as phishing, social engineering, malware development and other offensive tooling development, along with knowledge of relevant frameworks
• Experience with AV & EDR Evasion
• Experience with scripting and programming languages such as C, CPP, C#, Python
• Extensive knowledge of PCI, ASV and SSDL
• Holds industry respected certifications for any penetration testing or related functions for web applications, infrastructure, mobile, AI/LLM, Red Team, etc
• Expertise in defensive tools or systems which provide access security control (i.e. prevents unauthorised system access)
• Current Information Security qualifications/certifications e.g. CISSP, CISM, CRISC, CEH etc desirable but not essential
• Experience of using Static Application Security Testing (SAST) analysis tools such as HP Fortify, Veracode, Checkmarx
• Has expert awareness of problem-solving procedures used for business-critical IT incidents, and a good awareness of their implications for a retail business
• Ability to balance the benefits of optimised security with the cost of providing it, to promote the best overall interests of the business
• Mentoring experience assisting others in the team to improve their skills

In return you’ll get

• Colleague discount across the multi-brands – Sainsbury’s, Argos and Habitat
• Holiday allowance
• Bonus scheme
• Pension plan
• Special offers on gym memberships, restaurants, holidays, retail vouchers and more
• Flexible working and job share conversations are encouraged.

Across our multi-brands, we’re proud to be an equal opportunities employer that champions a diverse and inclusive culture. If you’re reading this, even if you’re not 100% sure you’re there with your experience, we’d still love to hear from you. If you’d like to find out more head to Sainsbury's Tech.