Principal Security Engineer – Enterprise Solutions | Application & Infrastructure Security

Role Overview:
The Principal Security Engineer – Offensive Security is an internal adversarial security practitioner embedded within Enterprise Solutions (ES). The role is responsible for independently testing and validating the security posture of ES applications, data platforms, and supporting cloud infrastructure.

This is a hands-on offensive security role, not a compliance or governance function. The engineer plans and executes red team operations, penetration tests, and adversarial simulations that reflect the techniques, tactics, and procedures of realistic threat actors – across application code, APIs, CI/CD pipelines, AWS infrastructure, multi-tenant platform boundaries, and AI/agentic system components.

Working in close partnership with ES product engineering teams, the role provides an independent adversarial perspective on implemented controls and remediations. Findings feed directly into the continuous improvement of security practices across ES engineering and inform risk decisions made by technology and business leadership.

Success is measured by the quality and realism of engagements, the reduction of exploitable risk in production systems, and the degree to which findings drive durable security improvement – not by volume of findings or compliance artifacts.

Key responsibilities:
  • Plan and execute red team engagements and penetration tests against web applications, APIs, internal services, and AWS cloud infrastructure, scoped and executed with clear rules of engagement.
  • Simulate realistic attacker TTPs aligned with threat intelligence and frameworks such as MITRE ATT&CK (Enterprise and Cloud), tailored to the organizational threat model.
  • Perform cloud-specific attack path analysis including IAM privilege escalation, metadata service abuse, cross-account access, misconfiguration exploitation, and container or serverless escape techniques.
  • Execute CI/CD pipeline attack simulations covering supply chain compromise, secrets exposure, artifact tampering, and pipeline misconfigurations.
  • Assess and exploit vulnerabilities in authentication and authorisation mechanisms, business logic, APIs, and data handling processes.
  • Test multi-tenant platform boundaries to identify cross-tenant data access paths, context confusion, and shared-resource leakage.
Security Control Validation & Remediation:
  • Independently validate the effectiveness of security controls implemented by engineering and platform teams, providing evidence-based assessments rather than checklist verdicts.
  • Re-test remediated vulnerabilities to confirm fixes are effective and do not introduce new risks.
  • Challenge security assumptions through realistic attack simulations and communicate the business impact of exploitable gaps clearly.
Vulnerability Assessment & Research:
  • Assess AWS and cloud infrastructure through configuration review, privilege analysis, network exposure mapping, and detection gap identification.
  • Assess data layer security including database access controls, ORM injection paths, data-tier privilege abuse, and financial data exfiltration routes.
Purple Team Collaboration:
  • Partner with Security Operations and Detection Engineering during purple team exercises to evaluate detection coverage and alert quality, producing ATT&CK coverage mapping and detection gap analysis as standard outputs.
  • Develop and share attack playbooks, indicators of compromise (IOCs), and detection recommendations informed by red team findings.
  • Identify and communicate logging and monitoring gaps uncovered during engagements, with specific attention to agentic workflow and API observability blind spots.
Reporting & Communication:
  • Produce clear, professional assessment reports documenting attack narratives, findings, supporting evidence, risk ratings, and remediation recommendations – framed in terms of regulatory exposure where relevant (SOC 2, MiFID II, DORA).
  • Maintain and enhance the red team toolset including custom scripts, automation, and exploitation tooling aligned to the ES technology environment and threat model.
  • Develop internal tooling where commercial or open-source tools do not adequately cover ES-specific attack surfaces, particularly around agentic and multi-tenant systems.

Required Qualifications:
  • 10+ years of hands-on experience in penetration testing, red teaming, or offensive security roles, with a track record of conducting full-scope assessments against complex, production systems.
  • Demonstrated experience with application security testing including web applications, REST and GraphQL APIs, authentication and authorisation flows, and common vulnerability classes.
  • Proven experience performing AWS cloud security assessments and exploiting cloud-specific attack paths including IAM, EC2, Lambda, S3, and ECS/EKS.
  • Experience testing multi-tenant systems, with the ability to identify and exploit tenant isolation failures, context confusion, and shared-resource leakage.
  • Experience assessing data layer security including database access controls, ORM injection paths, and data exfiltration techniques relevant to financial services environments.
  • Experience assessing secrets management posture across repositories, CI/CD pipelines, environment configurations, and managed secrets services.
  • Experience conducting threat modelling using STRIDE or comparable methodologies, including for AI/agentic system components.
  • Proficiency in at least one scripting or programming language (Python, Go, Bash, or PowerShell) sufficient to develop tooling, automate assessments, and understand application code under review.
  • Strong understanding of networking fundamentals: TCP/IP, DNS, TLS, and HTTP/S.
  • Strong understanding of Active Directory and associated identity-based attack techniques.
  • Experience assessing CI/CD platforms and identifying pipeline security weaknesses including supply chain and secrets exposure vectors.
  • Working knowledge of offensive security tools including Burp Suite, Metasploit, BloodHound, Nmap, Nuclei, and cloud-specific tooling such as Pacu, ScoutSuite, and Prowler.
  • Familiarity with defensive technologies including WAFs, EDR, SIEM platforms, and cloud-native security controls, sufficient to reason about detection gaps and evasion.
  • Ability to produce high-quality assessment reports that clearly articulate technical findings, business impact, and regulatory exposure to both engineering and senior business audiences.

Preferred Qualifications:
  • Experience with container and Kubernetes attack techniques including RBAC abuse, privilege escalation, secrets extraction, and container escape.
  • Familiarity with software supply chain and CI/CD attack vectors such as dependency confusion and artifact signing bypass.
  • Experience with OAuth 2.0 and OpenID Connect attack scenarios including token misuse, redirect abuse, and scope escalation.
  • Familiarity with API gateway and service mesh attack surfaces, including mTLS bypass and fine-grained authorisation abuse.
  • Experience operating within a structured red team programme including scoping, rules of engagement, and deconfliction.
  • Familiarity with MITRE ATT&CK (Enterprise and Cloud) for engagement planning, reporting, and detection gap analysis (e.g. ATT&CK Navigator, DETT&CT).
  • Experience in regulated financial services environments, with an understanding of how SOC 2, MiFID II, DORA, or equivalent obligations shape risk framing and remediation prioritisation.