Overview
Engine by Starling is on a mission to partner with leading banks worldwide to build rapid-growth businesses on our technology. Engine is the SaaS platform originally built to power Starling Bank and now operated as a separate business. Starling Bank has grown rapidly because of its modern technology, built from the ground up. Our SaaS technology is available to banks and financial institutions globally to enable innovative digital features and efficient back-office processes. We work as an engineering-led company and seek someone excited by the potential for Engine's technology to transform banking in different markets.
Hybrid Working
We have a hybrid approach to working; ideally you are located within a commutable distance of one of our offices to enable in-person collaboration.
About the Role
We are seeking a passionate and experienced Vulnerability Lead to shape and lead the creation and ongoing operation of our vulnerability management programme. This is an opportunity to establish a critical security function, define best practices, and enhance our overall security posture.
A key aspect is the end-to-end management and continuous improvement of the vulnerability management programme, including defining scanning strategies, risk-based triage and prioritisation, overseeing remediation, and providing actionable reporting to strengthen Engine’s security posture.
What you’ll get to do
- Conduct vulnerability scans on a regular schedule, and ad hoc when a new asset, release or disclosure warrants it.
- Validate findings (confirm true positives, de-duplicate across scanners) and rate them using a risk-based approach.
- Enrich findings with threat intelligence (to establish exploitability) and business impact (to establish priority), rather than relying on the scanner's severity alone.
- Triage and prioritise vulnerabilities on a risk basis so that resolver groups receive a clear, ordered queue and can resolve issues in a timely manner.
- Track and manage remediation through to closure with Technology and Security teams.
- Ensure timely patching of critical vulnerabilities in line with SLAs.
- Ensure visibility across the technology estate, including cloud environments.
- Coordinate scanning and coverage of data centre estate, cloud infrastructure, containers, mobile SDKs, and web apps.
- Process vulnerability data to provide reports, insights and metrics supporting risk-based vulnerability management.
- Identify and flag blind spots or gaps in scan coverage or asset inventory.
- Keep up with zero-day disclosures and emerging threats.
- Maintain and share dashboards and reports on vulnerability trends, KPIs, and SLA compliance.
- Review and update Vulnerability Management documentation to align with internal and external compliance requirements (e.g. ISO 27001, PCI DSS/3DS, SOC 2 and NIST), industry best practices and emerging threats.
- Help define scanning schedules, thresholds, and automation opportunities.
- Collaborate with DevSecOps/Product Teams to embed security scanning into CI/CD pipelines.
- Assist in evaluating new tooling and processes for better automation and risk tracking.
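The duties above describe one pipeline: scan, validate, enrich with exploitability and asset context, prioritise on risk, then track remediation against SLAs and report compliance. The script below is an added illustration of that pipeline and is not Engine's tooling or policy. The scanner report is a hand-written document in a Trivy-like JSON layout (`Results[].Vulnerabilities[]`), the `CVE-0000-*` identifiers are placeholders rather than real vulnerabilities, and the asset inventory, known-exploited list, first-seen dates, tiering rule and SLA table are all constructed assumptions standing in for the real feeds a programme would consume.

```python
"""Risk-based triage of scanner findings with SLA tracking (added example).

Everything below is constructed for illustration: the report mimics Trivy's JSON
shape but is hand-written, and the enrichment data, tiering rule and SLA table
are assumptions, not any organisation's policy.
"""
import json
from datetime import date, timedelta

# Constructed Trivy-style report. The CVE-0000-* IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "payments-api:1.4.2",
    "Results": [{
        "Target": "payments-api:1.4.2 (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libalpha",
             "InstalledVersion": "1.0", "FixedVersion": "1.1",
             "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbeta",
             "InstalledVersion": "2.3", "FixedVersion": "",
             "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 6.5}}},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libgamma",
             "InstalledVersion": "0.9", "FixedVersion": "0.9.1",
             "Severity": "LOW", "CVSS": {"nvd": {"V3Score": 3.1}}},
        ],
    }],
})

# Assumed enrichment sources (in practice: asset inventory, a KEV-style feed, ticketing).
ASSET_CONTEXT = {"payments-api:1.4.2": {"internet_facing": True, "owner": "payments-team"}}
KNOWN_EXPLOITED = {"CVE-0000-0002"}   # constructed stand-in for a known-exploited list
FIRST_SEEN = {"CVE-0000-0001": date(2024, 1, 1),
              "CVE-0000-0002": date(2024, 1, 20),
              "CVE-0000-0003": date(2024, 1, 10)}
AS_OF = date(2024, 1, 25)             # reporting date used by the example run

# Assumed SLA table: calendar days from first detection, per priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


def parse_report(report_json):
    """Flatten a Trivy-style JSON report into one dict per finding."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities", []) or []:
            sources = v.get("CVSS") or {}
            score = max((s.get("V3Score") or 0.0) for s in sources.values()) if sources else 0.0
            findings.append({
                "id": v["VulnerabilityID"],
                "artifact": report["ArtifactName"],
                "pkg": v["PkgName"],
                "cvss": score,
                "fix_available": bool(v.get("FixedVersion")),
            })
    return findings


def assign_priority(cvss, known_exploited, internet_facing):
    """Assumed tiering rule: exploitation evidence plus exposure outranks raw CVSS."""
    if internet_facing and (known_exploited or cvss >= 9.0):
        return "P1"
    if known_exploited or cvss >= 7.0:
        return "P2"
    if cvss >= 4.0:
        return "P3"
    return "P4"


def triage(findings, today=None):
    """Enrich, tier and date each finding; return the queue ordered for resolvers."""
    today = today or date.today()
    records = []
    for f in findings:
        ctx = ASSET_CONTEXT.get(f["artifact"], {})
        kev = f["id"] in KNOWN_EXPLOITED
        tier = assign_priority(f["cvss"], kev, ctx.get("internet_facing", False))
        first_seen = FIRST_SEEN.get(f["id"], today)
        due = first_seen + timedelta(days=SLA_DAYS[tier])
        records.append({**f, "priority": tier, "known_exploited": kev,
                        "owner": ctx.get("owner", "unassigned"),
                        "due": due, "overdue": today > due})
    records.sort(key=lambda r: (r["priority"], r["due"]))
    return records


def sla_metrics(records):
    """Dashboard headline numbers: open findings per tier and overall SLA compliance."""
    per_tier = {}
    for r in records:
        bucket = per_tier.setdefault(r["priority"], {"open": 0, "overdue": 0})
        bucket["open"] += 1
        bucket["overdue"] += int(r["overdue"])
    total = len(records)
    overdue = sum(int(r["overdue"]) for r in records)
    return {"per_tier": per_tier, "sla_compliance": 1 - overdue / total if total else 1.0}


if __name__ == "__main__":
    queue = triage(parse_report(SAMPLE_REPORT), AS_OF)
    for r in queue:
        print(f"{r['priority']} {r['id']} cvss={r['cvss']} exploited={r['known_exploited']} "
              f"fix={'yes' if r['fix_available'] else 'NO'} due={r['due']} "
              f"overdue={r['overdue']} owner={r['owner']}")
    print(sla_metrics(queue))
```

The point of the tiering rule is visible in the second finding: the scanner rates it MEDIUM (CVSS 6.5), but because it is on an internet-facing asset and on the known-exploited list it lands in P1 ahead of the "no fix available" question, which the resolver group then has to answer with a mitigation rather than a patch. A real programme would pull the exposure flag from the asset inventory and the exploited flag from a maintained feed rather than the constants used here.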
Essential
- Strong engineering and automation background with an interest in vulnerability management.
- Strong automation skills with CI/CD experience.
- Strong technical knowledge, including:
- Cloud experience (AWS, GCP)
- Kubernetes and container experience
- Infrastructure as code (Terraform)
- Dashboard creation, front-end experience
- Self-sufficient and able to be a trusted escalation point across teams.
- Ability to drive improvements to visibility and remediation workflows.
- 5+ years' experience in vulnerability management, security operations, infrastructure security or security engineering.
- Familiarity with end-to-end vulnerability management lifecycle and related tools/platforms.
- Ability to work effectively with patching teams and coordinate remediation activities.
- Understanding of CVSS scoring, OWASP Top 10 and MITRE ATT&CK.
- Organised and able to track and report remediation activities across multiple teams.
- Ability to translate scan data into clear, risk-based reports for management.
- Able to partner with the information security risk management team on assurance activities.
Desired
- Practical experience in vulnerability management fields such as Vulnerability Intelligence, AppSec Vulnerability Management, or cloud-native vulnerability management.
- Experience with open source scanning tools such as Trivy or similar.
Interview process
Interviewing is a two-way process. Our interviews are conversational and aim to help you learn about us as much as we learn about you. Expect a general structure after a chat with our Talent Team:
- Stage 1 - 45 mins with the BISO (Business Information Security Officer)
- Stage 2 - 60 mins with Peers
- Stage 3 - Final with CTO/Deputy CTO
Benefits
- 33 days holiday (including public holidays, usable when it works best for you)
- An extra day’s holiday for your birthday
- Annual leave increases with length of service; option to buy or sell up to five extra days
- 16 hours paid volunteering time per year
- Salary sacrifice, company-enhanced pension scheme
- Life insurance at 4x salary & group income protection
- Private Medical Insurance with VitalityHealth including mental health support and cancer care; partner benefits include discounts with Waitrose, Mr&Mrs Smith and Peloton
- Generous family-friendly policies
- Incentivised refer-a-friend scheme
- Perkbox membership with retail discounts and wellness platform
- Cycle to Work, Salary-Sacrificed Gym partnerships and Electric Vehicle (EV) leasing initiatives
About Us
You don’t need to tick every box. We’re open to discussion on flexible working and are committed to diversity and inclusion. Engine by Starling is an equal opportunity employer and welcomes applicants regardless of race, religion, national origin, age, sex, gender identity, gender expression, sexual orientation, marital status, medical condition, disability, or veteran status. By applying, you consent to our Privacy Notice and understand that your data will be processed for recruiting purposes in line with our privacy policy.