Product Security Engineer
Product Security Engineer at [Employer hidden — view at passion-project.co.uk]
Location: Cambridge (Hybrid) | Salary: £60,000–£75,000 | Type: Full-time
The Role
As a Product Security Engineer, you’ll embed security into the software development lifecycle across multiple product teams. You’ll help teams build, ship, and operate secure software by defining requirements, improving detection and prevention (SAST/DAST), assisting teams with application security governance, and running threat modelling.
Your Work at [Employer hidden]
- Partner with engineering and product teams to define and operationalise security requirements across the SDLC (from design to release).
- Audit application code for weaknesses and vulnerabilities.
- Own or co-own application security governance practices: secure-by-default standards, patterns, guardrails, and exceptions/risk acceptance.
- Drive SAST/DAST adoption and quality: tool tuning, triage workflows, severity calibration, and “fix-forward” enablement.
- Support adoption of threat modelling for new features, architectural changes, and high-risk services—turning findings into actionable engineering work.
- Provide product security guidance for cloud-native environments (AWS + containerised workloads), with an emphasis on secure service design and deployment practices.
- Build strong relationships with product teams through clear communication, coaching, and security enablement.
- Review and assist in the development of engineering policies aligned with security best practices.
- Contribute secure shared libraries/paved-road components or perform targeted security testing/pentesting to validate controls.
- Work with product teams to support implementation of AI, including LLMs, SLMs, and MCP.
What you bring to the table
- Hands-on product/application security experience supporting engineering teams in a modern SDLC (requirements, design review, secure coding guidance, release support).
- Strong knowledge of the OWASP Top 10 and practical mitigation patterns; familiarity with OWASP ASVS is a plus.
- Experience implementing or improving SAST/DAST processes: tool selection/tuning, signal-to-noise reduction, and scalable remediation workflows.
- Working understanding of cloud and container security fundamentals in an environment using AWS and Docker (and related CI/CD practices).
- Comfort working across a primarily C# ecosystem (with some Java/Python), including the ability to review code and explain security issues clearly to developers.
- Ability to translate security risk into actionable engineering priorities—balancing risk, delivery timelines, and operational realities.
Who you are
- You’re pragmatic: you care about real risk reduction, not checkbox compliance or perfect theoretical security.
- You communicate clearly and respectfully, able to influence without authority and build trust across multiple product teams.
- You’re structured and evidence-driven: you document decisions, measure outcomes, and iterate based on what’s working.
- You’re comfortable in ambiguity and can shape an approach when requirements, tooling, or ownership aren’t fully defined yet.
Salary and ways of working
- £60,000 to £75,000 subject to experience
- Flexible-hybrid working model (1 day every two weeks)
Tech / tool stack
- C# / .NET (primary engineering ecosystem), React
- Java (J2EE), TypeScript, and Python
- AWS (cloud infrastructure and services), Docker (containerised workloads)
- SAST/DAST tooling (specific products may vary; you’ll help tune and operationalise them)
Impact plan
30 Days
- Onboard into [Employer hidden]’s products, SDLC, and delivery rhythms.
- Get access to core systems and security tooling.
- Shadow the Product Security Architect and sit in on ceremonies.
- Triage a small set of findings with guidance.
- Start building a knowledge base.
60 Days
- Begin owning a defined slice of AppSec work with supervision.
- Build working relationships with partner teams.
- Start contributing to security reviews for new features.
- Help improve signal-to-noise in SAST/DAST.
- Support lightweight threat modelling sessions.
90 Days
- Independently handle routine AppSec support.
- Deliver tangible process improvements.
- Demonstrate steady throughput on findings.
- Contribute to a secure-by-default library/SDK.
How to apply
Apply below with a CV and covering letter.
Please only apply for roles through our website, as we are unable to accept applications made by email. Take a look at our privacy policy to find out how your data is looked after. Achieving work-life balance has never been more important and so [Employer hidden] has adopted a flexible-hybrid model.