Offensive Security Engineer

We’re here to make money work for everyone and we're doing things differently. For too long, banking has been obtuse, complex and opaque.

We want to change that and build a bank with everyone, for everyone. Our amazing community suggests features, test the app and give us constant feedback so we can build something everyone loves.

We're focused on solving problems, rather than selling financial products. We want to make the world a better place and change people's lives through Monzo.

What we’re looking for:  

This role sits within our Offensive Security Team, reporting into the Offensive Security Lead.

You will also be joining the wider Security Collective, a group of people passionate about making Monzo a safer place to work and bank with, to make money work for everyone.

At our core though, the Offensive Security team is made up of breakers, not makers. We find the vulnerabilities, prove exploitability, then work with the other teams to fix those problems. We aren’t developers, so we provide advice to mitigate issues, but don’t start coding fixes.

What you’ll be doing:

The work we do within the Offensive Security team is varied, but all involve hacking in one way or another. This can include reviewing the architecture of a system for security design flaws, threat modelling systems to identify and prioritise threats, and pentesting systems to simulate adversarial behaviour.

We also work alongside our defensive security teams in purple team exercises with the goal of improving our detection and response capabilities, whilst also increasing our own skills at evading such controls.

The ideal candidate will be passionate about security testing and able to get into the mindset of an attacker. You’ll be able to plan and execute penetration tests and simulated attacks, and effectively communicate risks to the business.

We’re particularly keen to hear from Offensive Security Engineers with experience testing the following:

• Microservices hacking (Docker and Kubernetes)
• Cloud hacking (AWS and GCP in particular)
• DevOps hacking

In addition to performing penetration tests on some of the newest and most exciting technologies, the role also reserves time for research and development, which is actively encouraged.

Reporting to the Offensive Security Squad Lead, you'll work closely with the security function as well as the rest of the business to help reduce the likelihood of security vulnerabilities negatively impacting Monzo or our customers.

Your day-to-day

As part of this role you’ll:

• Help scope and execute:
• Penetration tests
• Purple Team engagements alongside the Blue Team to test specific security controls
• As well as:
• Offer technically sound and considered remediation advice
• Effectively communicate findings and remediation advice to the business
• Work with the owning squads to triage identified vulnerabilities
• Research and develop cutting edge tools, techniques and exploits specific to our environments and services
• Work collaboratively and independently on specialised engagements
• Help Monzo meet and surpass regulatory requirements for information security
• Help manage the validation and triage of vulnerabilities from our bug bounty platform
• Act as SME for squads outside the security collective who need advice on penetration testing or offensive security

You should apply if:

• 5+ years experience in security testing or penetration testing
• An industry recognised qualification such as CREST CCSAS, CCT (APP or INF), OSCP, OSCE or other equivalent
• Experience using the MITRE ATT&CK framework for adversary simulations
• Knowledge of MacOS C2 frameworks and hacking techniques
• Experience with Programming/Scripting languages: Objective-C, GoLang, Bash, Python, JXA
• The ability to think outside the box and apply creative thinking to problem solving
• An inquisitive and curious nature
• Experience performing security assessments on the following:
• macOS
• Kubernetes
• AWS
• GCP
• Mobile Applications
• Web Applications
• APIs

The Interview Process:

Our interview process involves three main stages: 

• Recruiter Call (30mins)
• Initial Call (30 mins)
• x2 interviews via Google Meet (x2 60mins)

Our average process takes around 3-4 weeks but we will always work around your availability. 

You will have the chance to speak to our recruitment team at various points during your process but if you do have any specific questions or want to talk through reasonable adjustments ahead of or during application please us at any point on [email protected]

What’s in it for you:

💰Salary is dependant on experience ➕ stock options 

📍This role will be based out of our London office next to Liverpool Street station in a hybrid approach of office based and home working or on a fully remote basis

⏰We offer flexible working hours and trust you to work enough hours to do your job well, at times that suit you and your team.

📚Learning budget of £1,000 a year for books, training courses and conferences

➕And much more, see our full list of benefits here 

Equal Opportunity Statement