Senior Cyber Security Engineer in London

We’re looking for someone who has demonstrably improved security outcomes in real engineering environments, not just someone with theoretical knowledge of tools or frameworks.

Requirements:

• Application and cloud security experience: practical experience across both application security and cloud security, ideally in AWS-hosted, cloud-native environments.
• Developer-friendly security mindset: you know how to work with engineers, explain risk clearly and design controls that help teams move securely without unnecessary friction.
• Vulnerability management at scale: experience improving how application vulnerabilities, dependency risks, bug bounty findings, penetration test findings and advisories are identified, prioritised, owned and remediated across engineering teams.
• Cloud misconfiguration & vulnerability management: experience identifying and reducing infrastructure-as-code and AWS vulnerabilities & misconfigurations at scale through pragmatic guardrails, tooling and clear remediation paths.
• Threat modelling: confidence running lightweight, practical threat-modelling sessions that lead to useful engineering decisions and risk reduction.
• CI/CD and code security: hands-on experience with security tooling such as SAST, software composition analysis, secret scanning and IaC scanning.
• Automation mindset: ability to write scripts or small tools, ideally in Python, to reduce toil, improve visibility and surface meaningful risk.
• Security leadership: ability to mentor other security engineers and influence engineers across the wider organisation. Depending on team structure, this may include line management.
• AI security awareness: experience of leveraging AI to improve and scale appsec and cloud sec controls would be useful, but is not essential.
• Strong practical experience in application security and cloud security, ideally with a balanced focus across both.
• Hands-on AWS security experience, including common misconfiguration patterns and practical remediation approaches.
• Experience improving vulnerability management across engineering teams, including prioritisation, ownership, remediation tracking and noise reduction.
• Experience in improving cloud or IaC misconfiguration management at scale in a developer-friendly way.
• Experience integrating, tuning or improving security tooling in CI/CD workflows, such as SAST, software composition analysis, secret scanning or IaC scanning.
• Experience running practical threat-modelling sessions that influence design, delivery or remediation decisions.
• Ability to write scripts or small tools, ideally in Python, to automate security workflows or improve visibility.
• Strong communication and collaboration skills, with the ability to influence engineers and technical leaders without relying on gatekeeping.
• Evidence of improving application security, cloud security or vulnerability management practices in a real engineering environment.
• Familiarity with Agile or Scrum ways of working (Desirable).
• Experience with leveraging AI for AppSec and CloudSec (Desirable).
• AWS Certified Security – Speciality or equivalent practical AWS security experience (Desirable).
• Terraform or CloudFormation expertise (Desirable).
• Incident-management or incident-response experience (Desirable).
• Experience with Splunk or similar logging/SIEM platforms (Desirable).
• Experience with security metrics, dashboards or reporting that helped drive measurable risk reduction (Desirable).
• Experience mentoring or line-managing security engineers.

What the job involves:

We’re looking for a Senior Cyber Security Engineer to help mature application and cloud security across the FT’s cloud-native, AWS-hosted technology estate. This role has an approximate 50/50 focus across application security and cloud security, working closely with product, platform and engineering teams to make secure delivery easier by default.

You’ll shape and improve developer-friendly guardrails across GitHub-based CI/CD pipelines, AWS environments and infrastructure-as-code workflows. This includes improving SAST, software composition analysis, secret scanning, IaC scanning, vulnerability management and AWS misconfiguration management so that findings are actionable, low-noise and owned by the right teams.

Day to day, you’ll run practical threat-modelling sessions, review application and cloud designs, improve security playbooks, support vulnerability and misconfiguration remediation, and build automation that reduces toil. Depending on team structure, you may also mentor or line-manage one or two security engineers, while remaining hands-on and close to the technical work.

Tune and evolve SAST, software composition analysis, secret scanning and related controls so they are actionable, low-noise and useful to engineering teams. Help identify, prioritise and reduce AWS and infrastructure-as-code misconfigurations and vulnerabilities at scale. Improve how application vulnerabilities, dependency risks, bug bounty findings, penetration test findings and third-party advisories are triaged, prioritised and remediated.

Help teams understand, own and remediate cloud security issues using pragmatic, developer-friendly workflows. Facilitate lightweight threat-modelling sessions for new products, features, services and architectural changes. Create or improve scripts, integrations, dashboards and workflows that reduce manual effort and make risk easier to understand.

Provide application and cloud security input into design reviews, AWS architecture decisions and larger technical changes. Work closely with product, platform and software engineering teams to embed security into design, delivery and operational practices. Provide application and cloud security expertise during incidents and feed lessons learned back into patterns, tooling and guidance. Coach security engineers and engineering teams on practical security approaches. Depending on team structure, this may include line management of one or two security engineers.