Product Security Engineer - Engine by Starling
Overview
Engine by Starling is on a mission to find and work with leading banks worldwide who want to build rapid growth businesses on our technology. Engine is Starling's SaaS business, built to power Starling Bank, and spun out as a separate company a year ago. Starling Bank has grown rapidly thanks to modern technology built from the ground up. This SaaS platform is now available to banks and financial institutions globally, enabling them to benefit from innovative digital features and efficient back-office processes that have driven Starling's success.
Our technologists are at the heart of Engine and thrive in a fast-paced environment focused on building, innovation, and disruptive fintech technology. We operate a flat structure to empower decision-making, with collaboration and support across the business. We value ownership, innovation, and teamwork.
To thrive at Engine, you should be self-driven and able to take full ownership of your work—from building and designing to sharing knowledge and ensuring processes are efficient and productive to deliver the best results for our customers. Our five values are: Listen, Keep It Simple, Do The Right Thing, Own It, and Aim For Greatness.
Hybrid Working
We have a hybrid approach; ideally you are located within a commutable distance of our offices to enable in-person collaboration.
About the role
As a Product Security Engineer at Engine, you will be a technical strategist responsible for proactively identifying and mitigating security risks across our platform and products. Your primary mission is to ensure we build secure systems by providing expert security analysis, architectural guidance, and process leadership. You will lead threat modelling sessions, conduct in-depth security reviews of new features, manage our penetration testing programme, and triage complex findings. This role requires a deep understanding of technology and attack vectors, combined with the ability to think strategically and communicate complex risks to both technical and non-technical stakeholders.
Engine by Starling engineers are excited about delivering new features, regardless of their primary tech stack. You can hear from the team in our latest Blog or see case studies with Women in Tech.
We are looking for an experienced Product Security Engineer to join our growing Security Engineering team, working closely with the GRC team and Engine Technology teams to ensure security is at the heart of all our technical processes. Your place within the team will depend on your strengths and interests.
This role covers a wide array of security areas across our multi-tenant SaaS cloud environments and internal infrastructure and will require a skilled individual to spearhead efforts in fortifying both infrastructure and application platforms against potential threats.
What you’ll get to do
- Conduct comprehensive security architecture and design reviews, ensuring security is embedded from the start
- Lead the threat modelling process (e.g., using STRIDE) for new products and features, identifying potential design flaws and defining security requirements
- Manage the end-to-end penetration testing lifecycle, from scoping engagements with technical teams to triaging, validating, and driving remediation of findings
- Analyse and interpret results from security tools (SAST, DAST, vulnerability scanners) to prioritise and address the most critical risks
- Act as a key security advisor to engineering teams, providing expert guidance on security best practices, vulnerability mitigation, and secure design patterns
- Translate regulatory requirements (PCI DSS, SOC 2, ISO 27001) into concrete technical controls and implementation plans in collaboration with the GRC team
- Lead incident response efforts, including investigation and remediation of security breaches
- Support our internal security awareness and training programs and advocate the DevSecOps mindset across our technology teams
What skills are essential
- Significant experience in a security-focused role with emphasis on risk analysis, threat detection, and architectural review
- Proven expertise in conducting threat modelling and security design reviews for complex, cloud-native applications (AWS/GCP, Kubernetes)
- Deep understanding of common vulnerabilities (OWASP Top 10, MITRE ATT&CK) and their mitigation
- Experience managing penetration testing engagements and working with development teams on remediation
- Mature understanding of cloud security architecture (AWS, Google Cloud)
- Ability to read and understand code (e.g., Go, Python) and Infrastructure-as-Code (Terraform) to analyse security risks
- Ability to document security requirements from various stakeholders
- Practical understanding of integrating security into the software development lifecycle
- Excellent communication skills to articulate complex technical risks to diverse audiences
- Understanding of incident response processes and Zero Trust principles
- Proactive approach to staying updated with the latest threats and mitigation techniques
What skills are desirable, but not essential
- Experience helping a company achieve and maintain compliance with SOC 2, ISO 27001, or PCI DSS
- Experience automating security controls and compliance checks against standards and frameworks including SOC 2, ISO 27001, PCI DSS/3DS
- Experience performing secure code reviews and using SAST/DAST tools
- Expertise in Kubernetes security, cluster and mesh security, networking best practices, and RBAC (CKA/CKS)
- Container security knowledge including image provenance (Sigstore, Notary) and container runtimes
- Strong understanding of network protocols, firewalls, IDS/IPS, and WAFs
- Experience in cryptography management and enhancements
- Experience configuring cloud-native security logging, monitoring, and detection services
- Experience with Infrastructure as Code tools (CloudFormation, Terraform)
- Scripting and programming skills (e.g., Python, Go) for PoCs or small scripts
- Relevant security certifications such as ISC2 CC, CISSP, CCSP, CISM, AWS/GCP security certifications
Our Interview process
Interviewing is a two-way process. Our interviews are conversational, and we want you to have time to get to know us as we get to know you. Typically you can expect:
- Initial interview with our Staff Security Engineer (~45 minutes)
- Take-home technical task to discuss in the next interview
- Technical interview with some of our Security and Information Security team members (~1.5 hours)
- Final interview with our CTO / Deputy CTO (~45 minutes)
- 33 days holiday (including public holidays)
- Extra day for your birthday
- Annual leave increases with length of service; option to buy or sell up to five extra days
- 16 hours paid volunteering time per year
- Salary sacrifice, company pension
- Life insurance at 4x salary & group income protection
- Private Medical Insurance with VitalityHealth, mental health support, cancer care; partner discounts
- Generous family-friendly policies
- Refer-a-friend incentives
- Perkbox for retail discounts and wellness benefits
- Cycle to Work and EV initiatives
About Us
Don’t be put off applying if you don’t tick every box. We’re open to discussion on flexible working. If you’re excited about working with us but not sure, get in touch. We’re on a mission to reshape banking and value diverse backgrounds and experiences.
Engine by Starling is an equal opportunity employer and fosters diversity and inclusion. Our Privacy Notice explains how we process personal data for recruiting purposes, rights, and processing details.
- Location: London, England, United Kingdom
- Salary: £125,000 - £150,000
- Job Type: Full Time
- Category: IT & Technology