Penetration Tester - Engine by Starling

At Engine by Starling, we are on a mission to find and work with leading banks all around the world who have the ambition to build rapid growth businesses, on our technology. Engine is Starling's software-as-a-service (SaaS) business, the technology that was built to power Starling Bank. This SaaS technology platform is now available to banks and financial institutions all around the world, enabling them to benefit from innovative digital features and efficient back-office processes.

We have a Hybrid approach to working here at Engine - our preference is that you're located within a commutable distance of one of our offices so that we can interact and collaborate in person.

We are looking for an experienced Penetration Tester who can bridge the gap between deep technical exploitation and real-world business risk. This isn’t just about running scanners and handing over a PDF; it’s about adversarial empathy, understanding how our systems and services work so you can show us how they may be compromised. While you will sit within the Information Security team, you won’t be siloed; you will be "dropped in" to test across various business domains, working side-by-side with Infrastructure Engineers and Software Developers and in collaboration with all parts of the Information Security Team. Your approach is to move beyond finding ‘bugs’ to helping out teams build inherently resilient systems. As an early member of our internal Pentesting capability, you won’t just follow a manual, you will help write it.

A key aspect of this role involves:

• Collaborating with your peers to design a continuous testing framework that evolves with our tech stack.
• Sharing knowledge with the wider technical faculty to elevate our collective security posture.
• Supporting the continued advancement of our penetration testing through research, design and implementation of new solutions, including automation.

Responsibilities:

• Conducting penetration tests on our core banking platform, focusing on Cloud and Application Security.
• Performing manual secure code reviews to identify logic flaws and security anti-patterns.
• Participating in sessions with different teams to identify design flaws before code is written.
• Contextualising technical vulnerabilities into "Real-World Risk" scenarios to demonstrate business impact to non-technical executives.
• Collaborating with Infrastructure teams to audit and secure cloud configurations.
• Acting as an independent operator within the team, managing your own testing scope and timelines across different business domains.
• Providing clear, actionable remediation advice that balances security requirements with engineering velocity.
• Translating complex technical exploits into actionable business risk summaries for non-technical stakeholders and executive leadership.

We’re open-minded when it comes to hiring and we care more about aptitude and attitude than specific experience or qualifications.

Technical Skills:

• 5+ years experience in penetration testing with a focus on cloud native infrastructure, web applications, APIs.
• Expert-level proficiency with industry-standard tools and the ability to "go manual" when scanners fail.
• Experience with Cloud Security, (AWS/GCP) specifically AWS/EKS.
• Ability to conduct code reviews in multiple languages, primarily Java and Go.
• Experience testing Mobile Applications (iOS and Android).
• Proven experience in Threat Modelling.
• Working understanding of how software is architected, built and deployed.
• Ability to write your own scripts and tooling to aid in pentesting and improve efficiency (Golang, Python etc.).

Soft Skills:

• Exceptional written and spoken communication skills: the ability to communicate complex technical issues to engineers and business risk to executives.
• A self-starting nature. You don’t wait for a ticket to find a vulnerability.
• Ability to work independently while remaining a collaborative partner to the wider engineering team.
• Adaptability as Engine is evolving.
• Relevant industry certifications (OSCP, OSWE, CCT-APP, CCT-INF etc.) or relevant demonstrable experience.

Nice to have:

• Experience auditing Terraform or CloudFormation templates.
• Familiarity with integrating security tooling (DAST/SAST) into CI/CD pipelines.

Interviewing is a two-way process and we want you to have the time and opportunity to get to know us, as much as we are getting to know you! Our interviews are conversational and we want to get the best from you, so come with questions and be curious.

Benefits:

• 25 days holiday (plus take your public holiday allowance whenever works best for you).
• An extra day’s holiday for your birthday.
• Annual leave is increased with length of service, and you can choose to buy or sell up to five extra days off.
• 16 hours paid volunteering time a year.
• Salary sacrifice, company enhanced pension scheme.
• Life insurance at 4x your salary & group income protection.
• Private Medical Insurance with VitalityHealth including mental health support and cancer care.
• Generous family-friendly policies.
• Perkbox membership giving access to retail discounts, a wellness platform for physical and mental health, and weekly free and boosted perks.
• Access to initiatives like Cycle to Work, Salary Sacrificed Gym partnerships and Electric Vehicle (EV) leasing.

Starling is an equal opportunity employer, and we’re proud of our ongoing efforts to foster diversity & inclusion in the workplace.