About the role
You will report directly to the Head of Information Security and work alongside a Senior Technical Support Engineer to form the senior core of the IT Delivery and Security Services team. You will own a broad portfolio of security responsibilities, from application security and secure SDLC enablement to AI governance and security programmes, with significant autonomy to shape how that work gets done. The role is hybrid within the UK, with occasional travel to our London office for collaboration and workshops.
What you will be doing
Application Security and Secure SDLC
- Embed security into Agile development by partnering with engineering squads during planning, refinement, and delivery, and be the security voice in the room.
- Define, roll out, and continuously improve secure coding standards, secure design patterns, and developer-friendly guidance that scales across the engineering team.
- Run threat modelling for new features and major architectural changes, capturing abuse cases and security requirements early, and apply emerging frameworks to model and mitigate new threat surfaces, especially for AI-powered features.
- Own SAST, SCA, DAST, container, and IaC scanning pipelines, using Snyk as the primary platform. Integrate with CI/CD, manage policies, and focus on developer experience and false-positive reduction.
- Triage and manage vulnerabilities end-to-end: classification, SLAs, fix validation, and reporting.
- Build frictionless guardrails such as pre-commit hooks, secure templates, reference code, and paved paths that make doing the right thing easy.
- Deliver targeted training and just-in-time enablement based on findings and stack specifics.
Security Architecture and Design
- Advise on architecture choices for key product feature developments, including authorisation, secrets and key management, data protection, and zero-trust-aligned designs.
- Guide secure API and microservice patterns, including input validation, rate limiting, secure session handling, and token-based security (OAuth 2.0/OIDC).
- Review designs for cloud-native services and edge components, ensuring sensible security trade-offs aligned to product goals.
- Advise on the security architecture of agent orchestration, tool integrations, memory handling, and MCP server deployments as agentic AI capabilities expand.
AI Security and Governance
- Apply and evolve Semble's approach to AI‑specific threats: prompt injection, excessive agent autonomy, tool and plugin abuse, AI supply‑chain risks, and context manipulation, using OWASP LLM Top 10 and OWASP Top 10 for Agentic Applications.
- Work with the Head of Information Security to develop and maintain the AI governance posture, aligned with ISO 42001 and the evolving AI regulatory landscape in healthcare.
- Assess risks from third‑party AI integrations, AI‑assisted development tooling, and agentic workflows, and implement appropriate mitigations.
Security Operations and Threat Management
- Monitor, investigate, and respond to security alerts, incidents, and anomalous behaviour across Semble's environment.
- Develop and mature threat intelligence capabilities, including vulnerability management, penetration testing coordination, and incident response processes.
- Maintain and improve security tooling, logging, and detection capabilities with an automation‑first mindset.
- Contribute to incident response runbooks for application‑layer and AI‑related incidents, and support blameless post‑incident reviews to embed learning back into the SDLC.
- Identify and address security gaps proactively, improving the overall security posture.
Compliance, Certification and Audit Readiness
- Own or co‑own delivery of compliance programmes, including ISO 27001, Cyber Essentials+, NHS DSPT, and the journey toward SOC 2 readiness.
- Support and contribute to ISO 42001 implementation as AI governance matures.
- Define and track pragmatic security KPIs such as time‑to‑remediate, coverage, critical resolutions within SLA, threat model coverage, and audit readiness indicators.
- Maintain audit‑quality documentation, evidence, and records at all times.
Customer and Stakeholder Engagement
- Support the sales process by responding to customer security questionnaires and due diligence requests with accuracy and confidence.
- Occasionally engage directly with customers on security topics, acting as a credible representative of Semble's security function.
- Work with internal stakeholders to ensure security requirements are understood and embedded across the business.
What we are looking for
Required
- Minimum of 5 years' experience in application security, product security, or a combination of software engineering and security with strong AppSec ownership.
- Hands‑on experience with Snyk across SCA, SAST, Container, and IaC, including CI/CD integration and policy management.
- Strong grounding in modern web and application security: OWASP Top 10, API Security Top 10, and emerging understanding of the OWASP Top 10 for Agentic Applications.
- Practical experience embedding security into Agile workflows and DevSecOps tooling.
- Solid understanding of authn/authz patterns, secrets management, encryption, and cloud‑native security controls.
- Experience with compliance frameworks, particularly ISO 27001; familiarity with Cyber Essentials+, NHS DSPT, or SOC 2 is a strong advantage.
- Practical understanding of AI security risks, including prompt injection, LLM vulnerabilities, and agentic system threats, and how to address them in a product context.
- Experience working in a SaaS environment or similarly regulated industry, appreciating the product, engineering, and commercial context that security decisions sit within.
- Ability to communicate clearly with engineers, leadership, and occasionally customers, translating complex security risk into clear, actionable language.
- Genuine, hands‑on AI experience: you must be able to discuss specific ways you are already using AI to improve security operations, detection, or engineering workflows.
- A track record of maintaining security programmes to a continuously high standard, with audit readiness as a default rather than a periodic event.
- A proactive, ownership mindset: you identify gaps, propose solutions, and deliver them without waiting to be told.
Desirable
- CISSP certification (strongly preferred).
- Experience with threat modelling methodologies such as STRIDE or attack trees, and running effective threat model sessions with engineering teams.
- Familiarity with API gateways, container orchestration, and software supply chain security.
- Experience securing AI‑enabled features, ML pipelines, agentic workflows, or MCP‑based integrations.
- Experience building or maturing a security function within a scaling organisation.
- Exposure to healthcare data regulations and NHS security requirements.
- Proficiency in the French language (nice‑to‑have, not mandatory).
Benefits
- £80-90k salary package, reflecting the specialist and technical nature of this role.
- Autonomy and ownership – you set the vision and run with it.
- 36 days off: 25 holidays + bank holidays + 3 extra days (birthday and feel‑good days).
- Private health insurance covering physical and mental health, as well as dental and optical.
- Hybrid & flexible work environment – work from anywhere in the UK, with some flexibility to work across Europe.
- Latest MacBook (or Windows) and equipment to set up a home office ergonomically.
Equal Opportunity
We welcome applications from people of all backgrounds and walks of life, including those from groups typically underrepresented in the technology industry. We also encourage applications from disabled and neurodiverse candidates. If there are adjustments we can make to support you throughout the recruitment process, please let us know.