Cloud Security Engineer (Automation & Tooling) - Engine by Starling in Cardiff

About Engineering at Engine by Starling. At Engine by Starling, we don't do "checkbox security". We treat security as a first-class engineering discipline. As a Cloud Security Engineer, you will be a hands-on builder responsible for the security architecture of our multi-tenant core banking platform. You'll spend your days writing code, automating defenses, and ensuring our infrastructure that spans across AWS and GCP is secure by design and compliant by default.

The Mission

This is a highly varied position where you will spearhead efforts to fortify both our infrastructure and application platforms. Your mission is to solve complex security problems through code, focusing on three core pillars:

• Identity & Network Security: Engineering robust IAM controls and zero-trust network architectures. You will lead the way in refining edge-defense strategies and trust redirection to ensure every request is verified and encrypted.
• Unified Vulnerability Orchestration: Building a custom "single pane of glass" for security data. You will engineer API integrations between scanning engines, dependency trackers, and internal portals to create a seamless, automated vulnerability ecosystem.
• Compliance as Code: Bridging the gap between technical execution and regulatory requirements. You will build the automated systems that provide real-time evidence for frameworks like SOC 2, ISO 27001 & PCI ensuring we stay compliant without manual overhead.

The Team

You will be a key member of our growing Security Engineering team, working at the intersection of our Infrastructure, Cross-Cutting, Information Security, and GRC teams. At Engine, we believe security should be at the heart of every technical process, not an afterthought. You won't work in a silo; you'll have close interaction with engineers across the business to deliver a platform that is resilient against evolving threats.

About You

We are primarily looking for experienced Cloud Security Engineers, but we are equally keen to talk to talented Software Engineers who possess strong programming skills and a genuine desire to apply their knowledge to security challenges. Engine engineers are motivated by impact and high-quality delivery, regardless of their original tech stack. Whether you are a security specialist or a developer with a "security-first" mindset, your place within the team will be shaped by your individual strengths and interests.

What you'll get to do?

You won't be manually checking boxes. You will be building the systems that check them for you.

• Security as Code: Design and maintain custom security tooling in Go to automate evidence collection for SOC2/ISO 27001 and remediation of security alerts.
• Infrastructure & IAM: Write and peer-review Terraform to manage identity and core infrastructure across AWS and GCP, ensuring the principle of least privilege is baked into the foundation and adhering to cloud security standards.
• Pipeline & Supply Chain: Contribute to maintaining the integrity of our software supply chain. You'll integrate SAST/DAST/SCA tools into our CI/CD pipelines (GitHub Actions/TeamCity) and manage container provenance.
• Cloud Native Defense: Engineer Kubernetes security solutions focusing on Cilium, RBAC, and network policies to protect our microservices.
• Identity & Trust (PKI): Build and maintain our Certificate Authority (CA) tooling and internal PKI infrastructure. You will be a trusted guardian of our cryptographic foundations, participating in Key Ceremonies to ensure the highest level of root-level security.
• Incident Response & Research: Support the Information Security team and participate in incident response and post-mortem activities.

Requirements

What skills are essential:

• The Builder Mindset: You have a background in software or infrastructure engineering. You find manual work a personal affront and prefer to solve problems through code.
• Polyglot-ish: You are proficient in Go (our preference) or Python.
• Cloud Native: You have deep, practical experience securing AWS or GCP and have managed them at scale using Terraform.
• Container Expert: You understand the nuances of Kubernetes security - from the runtime to the service mesh.
• Identity Mastery: Expert knowledge of cloud identity models.
• Networking: Strong understanding of network protocols.

What skills are desirable:

• Experience with Cilium networking or advanced K8s hardening (CKS/CKA).
• Deep knowledge of cryptography management and hardware security modules.
• Familiarity with container signing (Sigstore/Cosign) and image provenance.
• Cloud-native security certifications (AWS Security Specialist / GCP Professional).
• Experience working with CSA CCM.

Benefits

• 33 days holiday (including public holidays, which you can take when it works best for you).
• An extra day's holiday for your birthday.
• Annual leave is increased with length of service, and you can choose to buy or sell up to five extra days off.
• 16 hours paid volunteering time a year.
• Salary sacrifice, company enhanced pension scheme.
• Life insurance at 4x your salary & group income protection.
• Private Medical Insurance with VitalityHealth including mental health support and cancer care. Partner benefits include discounts with Waitrose, Mr&Mrs Smith and Peloton.
• Generous family-friendly policies.
• Incentives refer a friend scheme.
• Perkbox membership giving access to retail discounts, a wellness platform for physical and mental health, and weekly free and boosted perks.
• Access to initiatives like Cycle to Work, Salary Sacrificed Gym partnerships and Electric Vehicle (EV) leasing.