Role Purpose:
The Bank is seeking a senior security engineer to strengthen its offensive security capability while contributing to the security of the software delivery pipeline and cloud/AI tooling adoption. The role is anchored in red teaming and penetration testing, with working-level responsibility for DevSecOps and cloud security, and exposure to AI/LLM security as an emerging area.
Note: this role is not evenly split across four disciplines. Candidates should have demonstrable depth in offensive security, with practical (not theoretical) exposure to the others.
Key Responsibilities
Offensive Security — Primary (40%)
- Plan and execute red team engagements: adversary simulation, C2 infrastructure (Cobalt Strike, Sliver, or similar), campaigns mapped to MITRE ATT&CK
- Conduct penetration testing across web applications, APIs, mobile apps, internal/external network, and wireless
- Design and run social engineering / phishing simulation exercises
- Run purple team exercises in coordination with the SOC/blue team to validate detection coverage
- Produce CBK CORF-aligned findings reports and remediation guidance suitable for regulatory review
- Conduct security assessments, vulnerability assessment and penetration testing on different environments but not restricted to
- Network assessment and penetration testing
- Cloud assessment and penetration testing
- Endpoint assessment and penetration testing
- Application assessment and penetration testing, focusing on Web, API (SOAP and RESTful)
- Mobile assessment and penetration testing
- Align with third party vendors on annual VAPT programs and coordinate with other stakeholders
- Plan and preform adversary simulation campaigns internally and coordinating with third party vendors
DevSecOps — Secondary (25%)
- Integrate SAST, DAST, and SCA tooling into CI/CD pipelines
- Perform Infrastructure-as-Code security review (Terraform, CloudFormation, ARM templates)
- Conduct secure code review and threat modeling for new applications
- Support container and Kubernetes security hardening
AI Security — Emerging (35%)
- Conduct adversarial testing of internally deployed AI/LLM tools (prompt injection, data leakage, model behavior under abuse)
- Assess security posture of AI development tooling adopted by engineering teams (e.g., AI coding assistants, MCP integrations)
- Evaluate AI-assisted vulnerability triage/SAST tooling for reliability and false-positive risk
Required Qualifications
- 5–10 years in information security, with demonstrable depth in at least two of the four areas above — not surface-level familiarity with allfour
- At least one recognized offensive security certification: OSCP, OSCE/OSCE3, CRTO, or GPEN.
- Proficiency in scripting/automation: Python, Bash, PowerShell
- Working knowledge of CI/CD tooling: Tekton CI, Jenkins, or Azure DevOps
- Familiarity with regulatory/compliance frameworks relevant to banking (CBK CORF, PCI-DSS, or NIST CSF)
Preferred Qualifications
- Cloud security certification: AWS Security Specialty, Azure Security Engineer Associate, or CKS
- Prior experience in financial services or another regulated industry
- Bug bounty track record or competitive CTF experience
- Exposure to adversarial ML / AI red teaming research
Soft Skills
- Ability to translate technical risk into business/regulatory language for non-technical stakeholders and examiners
- Strong written reporting discipline — findings must be audit-ready without heavy rework