Junior Product Security Engineer in London

We are champions of rail, inspired to build a greener, more sustainable future of travel. Trainline enables millions of travellers to find and book the best value tickets across carriers, fares, and journey options through our highly rated mobile app, website, and B2B partner channels. Now Europe’s number 1 downloaded rail app, with over 135 million monthly visits and £6.3 billion in annual ticket sales, we collaborate with 270+ rail and coach companies in over 40 countries. We want to create a world where travel is as simple, seamless, eco‑friendly and affordable as it should be. Today, we’re a FTSE 250 company driven by our incredible team of over 1,000 Trainliners from 50+ nationalities, based across London, Paris, Barcelona, Milan, Edinburgh and Madrid. With our focus on growth in the UK and Europe, now is the perfect time to join us on this high‑speed journey.

Join our dynamic team, where we focus on designing, implementing, and monitoring security controls to ensure a robust security posture in a fast‑evolving environment. As part of our mission to continuously improve and mature Trainline’s security capabilities, we work closely with cross‑functional teams, including Cloud Engineering, SRE, Platform Engineering, and more, to integrate the latest technologies and best practices into our products.

As a Product Security Engineer Analyst, you’ll contribute to the product security function by helping to embed security into our product development lifecycle, assist with vulnerability management, and work with cross‑functional teams to improve security practices across Trainline’s digital products.

What You’ll Do

• Support Secure Development
  • Support the integration of security practices across the product development lifecycle, helping teams design and build secure services and features.
  • Work with teams to promote secure‑by‑default and a shift‑left approach, ensuring security considerations are addressed early to reduce the risk and cost of fixing issues later.
  • Help integrate security checks (e.g., SAST, SCA, secret scanning) into CI/CD workflows to identify risks during development.
  • Assist in triaging and analysing findings from automated tooling, validating results, false positives, and partnering with engineering teams to prioritise and remediate security risks.
• Vulnerability Triage & Tracking
  • Review and triage incoming security issues from scans and bug reports.
  • Record, prioritise and help track remediation with developers and platform teams.
  • Contribute to vulnerability monitoring dashboards and reports.
• Learning & Threat Awareness
  • Participate in threat modelling sessions and documentation efforts.
  • Stay updated on common application vulnerabilities and security best practices.
  • Shadow senior engineers in code reviews and security design discussions.
• Security Advocacy
  • Help promote secure coding principles across teams by sharing guidance and resources.
  • Help improve developer adoption of security tools and best practices.
  • Support delivery of internal training sessions and documentation updates.
• Compliance and Standards
  • Assist with aligning product security practices with relevant security frameworks and standards (e.g., OWASP, NIST, ISO 27001, GDPR, PCI DSS).
  • Support regulatory compliance efforts and maintain evidence to meet audit requirements.

Who You Are

You are curious about how systems work and how they can be secured; bringing an aware consumer mindset that considers the intersection of technology, security, and product design.

Must Have

• Relevant education, training, or practical experience in cyber/information security or software engineering/development.
• Understanding of common security risks affecting applications, APIs, and distributed systems.
• Familiarity with secure coding principles, the software development lifecycle (SDLC) and threat modelling concepts.
• Exposure to security testing approaches such as SAST, DAST, or dependency scanning.
• Basic programming or scripting ability (e.g., Python, JavaScript, or similar) to support automation, analysis, or tooling.
• Interest in building or improving security tooling, automation, or developer workflows to help scale security across engineering teams.
• Strong analytical and problem‑solving skills, with the ability to analyse and assess security risks in application designs, code, or deployed systems.
• Ability to collaborate effectively with engineers and communicate security concerns clearly.

Nice to Have

• Bachelor’s degree in Computer Science, Cybersecurity, Information Security, or a related technical field.
• Experience using security tooling such as Burp Suite, OWASP ZAP, Semgrep, Checkmarx, OxSecurity, or Snyk.
• Exposure to security reviews, threat modelling, penetration testing concepts, or risk assessments.
• Familiarity with security frameworks and standards such as OWASP, ISO 27001, PCI DSS, or GDPR.
• Familiarity with modern development environments, including AWS, CI/CD security checks, and API security testing.
• Scripting experience (Python/Bash) and exposure to AI or martech ecosystems is a plus.
• Experience gained through security coursework, certifications, personal projects, security research, CTF competitions, bug bounty programs, or open‑source contributions is highly valued.

Candidates with software, data or platform engineering backgrounds with an interest in security are also encouraged to apply.

What You’ll Get

• The opportunity to work on large‑scale platforms used by millions of travellers across the UK and Europe, helping secure systems that support billions of pounds in annual ticket sales.
• Hands‑on experience across modern product security practices, including threat modelling, secure design reviews, software supply chain security, AI security considerations, and security automation within CI/CD pipelines.
• The chance to collaborate closely with experienced security, platform, and product engineers, gaining exposure to real‑world security challenges in a modern engineering environment.
• Opportunities to contribute to security research, experimentation, and tooling, helping improve Trainline’s security capabilities and developer security experience.
• Exposure to broader security initiatives across the organisation, including collaboration with other security functions and engagement with partners or vendors where relevant.
• A supportive environment focused on mentorship, continuous learning, and career growth, including access to learning budgets, training resources, and professional development opportunities.

Benefits

• Private healthcare and dental insurance.
• Generous work‑from‑abroad policy.
• 2‑for‑1 share purchase plans.
• EV scheme to reduce carbon emissions.
• Extra festive time off.
• Family‑friendly benefits.
• Learning budgets and professional development resources.

Our hybrid model requires you to work from the office a minimum of 60% of your time over a 12‑week period, and we also have a 28‑day work‑from‑abroad policy. Our values include Think Big, Own It, Travel Together, and Do Good. We believe diversity drives our success and we are committed to creating inclusive workplaces where everyone belongs.