SENIOR APPLICATION SECURITY ENGINEER (OUTSIDE IR35)

Our Client is a major Financial Services Organisation undertaking a major Security Architecture Programme. They are now entering the Production Build Phase of an Agentic Application Security Agent that will fundamentally change how their Application Security is Delivered within the SDLC.

Early Phases of the Programme have already defined the Target Architecture, Threat Model & Prompt Engineering Strategy. The Next Stage is to Transform this Foundation into a Production-Grade Capability Used Daily by Engineering Teams, enabling Developers to:

• Triage Application Security Findings in Real Time
• Receive AI-Assisted Remediation Guidance & Fix Suggestions
• Reduce Cost, Time & Friction Associated with Securing Code at Scale

This is a Hands-On Engineering Leadership role. You will own the End-to-End Technical Implementation & Evolution of the Platform, working closely with Application Security, Platform Engineering, Risk & Compliance Stakeholders.

Responsibilities of Application Security Engineer role will include:

• Agent Engineering & Platform Ownership: Lead the End-to-End Engineering Build of an Agentic Application Security Capability. Own the Codebase, Orchestration Layer & Evaluation Harness. Design & Implement Agent Workflows that Triage Findings, Propose Fixes & Assist Developers within CI/CD Pipelines. Ensure Agent Operates Reliably Across Production Engineering Environments.
• Tooling & Security Integration: Integrate with Enterprise Security Tooling, including: SAST / SCA / DAST, Secret Scanning, Infrastructure-as-Code Security Tools. Embed into Developer Workflows (GitLab / GitHub, CI/CD Pipelines, Ticketing Systems, Identity Platforms). Define Robust Tool Contracts, Retry Logic, Rate Limiting & Failure Handling Mechanisms.
• Prompt, Policy & Guardrail Engineering: Design, Develop, Version & Continuously Improve: System Prompts & Agent Behaviours, Policy Frameworks & Guardrails, Tool Schemas & Execution Constraints. Implement Protections Against: Prompt Injection, Jailbreak Attempts, Unsafe Tool Execution. Ensure Alignment with Defined AASA Threat Model & Governance Standards.
• Evaluation, Metrics & Assurance: Build & Maintain a Full Evaluation Framework, including: Golden Datasets & Regression Test Suites, Precision / Recall Measurement for Vulnerability Detection, Mean-Time-To-Fix Improvements, False Positive Reduction Tracking, Human Override & Intervention Telemetry. Publish Metrics into a Central Security Assurance Scorecard.
• Secure-By-Design Engineering: Embed Secure-By-Design Principles across the Agent Architecture: Least Privilege Execution Model, Scoped Tool Access Controls, Audit Logging & Traceability, Output Validation & Sanitisation, Human-in-the-Loop Control Points. Ensure Compliance with Internal Governance Frameworks (including Agent Safety & AI Security Standards).
• Release Management & Operations: Take the Platform from Prototype to Controlled Pilot & into General Availability. Define & Manage: Service-Level Objectives (SLOs), Observability & Monitoring Model & Behaviour Drift Detection, On-Call & Operational Runbooks, Safe Rollback & Recovery Mechanisms.
• Stakeholder & Cross-Functional Collaboration: Partner closely with: Application Security Teams, Developer Experience / Platform Engineering, CISO / Security Assurance, Legal, Risk & Compliance Functions. Translate Complex Technical Design Decisions into Clear, Actionable Insights for Non-Technical Stakeholders. Balance Security, Usability & Engineering Velocity Trade-Offs.
• Thought Leadership & Architecture Contribution: Contribute to Internal Architecture Artefacts (Blueprints, Reference Architectures, Design Diagrams). Support Development of Enterprise-Wide Agentic AI Security Standards. Where appropriate, contribute to External Thought Leadership.

Essential Skills & Experience for Application Security Engineer role:

• Strong Software Engineering Background (Production-Grade Python and / or TypeScript).
• Experience with Modern Engineering Practices: CI/CD, Testing Frameworks, Code Review Standards.
• Hands-On Experience Building LLM-Powered or Agentic Applications.
• Prior Use of Claude Code or similar Tools to Accelerate Engineering Workflows.
• Deep Application Security Expertise: SAST / SCA / DAST / Secret Scanning, Secure Code Review, Threat Modelling (OWASP Top 10, API Top 10, LLM Security Risks).
• Experience Integrating Security Tooling into Developer Pipelines (GitLab / GitHub, CI/CD).
• Understanding of Prompt Injection, Jailbreak Risks, Sandboxing & Least-Privilege Design.
• Ability to operate effectively in Regulated Environments & Translate Controls into Engineering Solutions.

Ideally Experience would include:

• Delivered AI / Agent Platforms or AppSec Automation Solutions at Scale.
• Familiarity with: Anthropic Claude / Claude Code, MCP or similar Agent / Tool Orchestration Frameworks.
• Experience with AI Security Tooling or AISPM Platforms.
• Exposure to Financial Services Regulatory Environments (eg DORA, FCA/PRA, MAS, JFSA, EU AI Act).
• Knowledge of Secure Development Frameworks (e.g. NIST SSDF, SABSA).
• Experience with AI Red-Teaming & Adversarial Testing.
• Evidence of External Thought Leadership in AppSec or AI Security.

Why This Role is Exciting!!

• Build a Real Production System used at Scale by Engineers - not a Prototype or Slideware.
• Work on one of the Most Important Emerging Challenges in Security: How Agents Safely Build & Secure Software.
• Join a Team that values strong Engineering Discipline, Architecture Clarity & High-Quality Execution.
• Opportunity to Shape How a Major Organisation Approaches AI-Driven Application Security.