// POSTED: Apr 15, 2026

Security Engineer

We're looking for a mid-level security engineer to join our small security team and work directly alongside our Head of Platform Security. This is a hands-on, execution-focused role. You'll contribute across the full security programme — compliance evidence, vulnerability management, and detection operations — doing real work in the tools every day.

This is not a strategy role. You'll be supporting and executing within a programme that's already defined. What we need is someone technically capable, detail-oriented, and comfortable operating across multiple domains without losing the thread on any of them.

What you'll be doing

Compliance
- Collect and maintain compliance evidence in our GRC tooling, keeping controls current and audit-ready
- Identify and flag control gaps before they surface as audit findings
- Support evidence requests across active compliance programmes and assist with auditor liaison as needed
- Maintain accurate, current entries in the risk register
- Management and upkeep of our GRC platform
- Create and maintain our Security policies

Platform Security
- Assist with building out platform security processes
- Triage vulnerability findings from our internal tooling
- Create and track remediation tickets in Linear
- Follow up with engineering to drive findings to closure
- Complete Security questionnaires from potential customers

Operational Security
- Monitor and triage alerts from our SIEM; escalate genuine incidents with context and a recommended action, not just raw alerts
- Tune detection rules to reduce noise and improve signal quality
- Support incident response activities as they arise
- Implement Security controls

General programme support
- Support access reviews and identity governance hygiene
- Contribute to security documentation — policies, runbooks, and playbook updates
- Pick up ad hoc security programme tasks as directed by the Head of Platform Security

Requirements

Required
- 3–5 years in a security engineering, SecOps, or compliance engineering role
- Direct, hands-on experience with a compliance audit cycle — evidence collection, control testing, not just awareness
- Experience with SIEM tooling and alert triage — Wazuh, Splunk, Datadog Security, or equivalent
- Exposure working in AWS environments
- Strong written communication — able to produce a clear, concise risk summary without extensive direction
- Able to work independently across multiple workstreams without losing detail

Valued
- Experience across multiple compliance frameworks (SOC 2, ISO 27001, HIPAA, etc.)
- Relevant certifications (CISSP, CISM, Security+, OSCP)

Who you are
- You treat compliance as an operational discipline, not a documentation exercise
- You can hold context across compliance, detection, and vuln management in the same week — and deliver on all of them
- You escalate with context: not just 'here's an alert' but 'here's what it means and what I recommend we do'
- You ask good questions and raise concerns early, rather than quietly working around them
- You're comfortable in a lean team where scope is broad and not everything is handed to you on a plate