Penetration Tester - Engine by Starling in Southampton

We are looking for an experienced Penetration Tester who can bridge the gap between deep technical exploitation and real-world business risk. This role sits within the Information Security team but collaborates across Infrastructure Engineers, Software Developers and other parts of the Information Security Team. The aim is to move beyond finding 'bugs' to helping build inherently resilient systems, with an emphasis on adversarial empathy and communicating risk to non-technical stakeholders.

As an early member of our internal Pentesting capability, you will help write the testing approach and capabilities, not just follow a manual. A key aspect of this role involves collaboration, continuous improvement, and automation initiatives.

• End-to-End Assessments: Conduct penetration tests on our core banking platform, focusing on Cloud and Application Security.
• Code Review: Perform manual secure code reviews to identify logic flaws and security anti-patterns.
• Threat Modelling: Participate in sessions with different teams to identify design flaws before code is written.
• Risk Contextualisation: Contextualise technical vulnerabilities into 'Real-World Risk' scenarios to demonstrate business impact to non-technical executives and within Engine's risk management framework.
• Cloud Security: Collaborate with Infrastructure teams to audit and secure cloud configurations.
• Autonomous Execution: Act as an independent operator within the team, managing your own testing scope and timelines across different business domains.
• Remediation: Provide clear, actionable remediation advice that balances security requirements with engineering velocity.
• Strategic Reporting: Translate complex technical exploits into actionable business risk summaries for non-technical stakeholders and executive leadership.
• Knowledge Sharing and Framework Development: Collaborate with peers to design a continuous testing framework that evolves with our tech stack and share knowledge to elevate our security posture.

• Experience: 5+ years in penetration testing with a focus on cloud-native infrastructure, web applications, and APIs.
• Tooling: Expert-level proficiency with industry-standard tools; ability to work manually when scanners fail.
• Cloud Native: Experience with Cloud Security (AWS/GCP), specifically AWS/EKS.
• Code Fluency: Ability to conduct code reviews in multiple languages, primarily Java and Go.
• Mobile: Experience testing Mobile Applications (iOS and Android).
• Design Review: Proven experience in Threat Modelling.
• SDLC: Understanding of how software is architected, built and deployed.
• Scripting: Ability to write scripts and tooling to aid pentesting (Golang, Python, etc.).

• Communication: Exceptional written and spoken communication skills; ability to explain complex technical issues to engineers and business risk to executives.
• Proactivity: Self-starting; you don’t wait for a ticket to find vulnerabilities and you’ll engage with codebases during downtime.
• Independence: Ability to work independently while remaining collaborative with the engineering team.
• Adaptability: Able to evolve as our requirements shift over time.
• Certifications: Relevant industry certifications (OSCP, OSWE, CCT-APP, CCT-INF, etc.) or demonstrable experience.

• Infrastructure as Code (IaC): Experience auditing Terraform or CloudFormation templates.
• DevSecOps: Familiarity with integrating security tooling (DAST/SAST) into CI/CD pipelines.

About Engine by Starling: Engine is Starling’s SaaS business powering Starling Bank. We are on a mission to build rapid growth businesses for leading banks worldwide using our technology. We are an engineering-led company seeking someone excited by the potential of Engine’s technology to transform banking in different markets. We operate with a hybrid working model; attendance at a local office is preferred to enable collaboration in person.

• 25 days holiday (plus public holiday allowance)
• Extra day off for your birthday
• Annual leave increases with tenure; buy/sell up to five extra days
• 16 hours paid volunteering time per year
• Salary sacrifice, company-enhanced pension scheme
• Life insurance (4x salary) & group income protection
• Private Medical Insurance with VitalityHealth including mental health and cancer care; partner discounts with Waitrose, Mr & Mrs Smith, Peloton
• Generous family-friendly policies
• Perkbox for retail discounts and wellbeing resources
• Cycle to Work, Salary Sacrificed Gym partnerships and EV leasing

Starling Bank is an equal opportunity employer. We evaluate applicants without regard to race, religion, national origin, age, sex, gender, gender identity, gender expression, sexual orientation, marital status, medical condition, disability, military status, or any other protected characteristic. By applying, you consent to Starling Bank processing your information for recruiting purposes in accordance with our Privacy Notice.