Cloud Security Engineer
Bengaluru, India; Chennai, India; Hyderabad, India; Pune, India | JR013703
DevSecOps Engineer
About the Role
We are looking for a hands-on DevSecOps Engineer to own our end-to-end vulnerability management
process and drive security across our cloud-native platform. This is a technical, ownership-heavy role
sitting at the intersection of security engineering and platform engineering.
You will be responsible for identifying, triaging, remediating, and reporting on vulnerabilities across our
application stack, container images, and cloud infrastructure. You will work closely with our Compliance
Manager to ensure our security posture meets compliance requirements and that risk is understood,
documented, and managed appropriately.
This is not a monitoring-only role. We expect you to roll up your sleeves, open pull requests, fix Dockerfiles,
bump package versions, modify CI/CD pipelines, and own the fix through to deployment and verification.
What You Will Be Doing
Vulnerability Management
• Own the end-to-end vulnerability management lifecycle — discovery, triage, prioritisation, remediation tracking, and closure
• Manage and maintain the vulnerability backlog, ensuring SLAs are tracked and met
• Triage findings from automated scanning tools and apply contextual risk judgement — not every critical CVE is equally critical in every context
• Produce regular vulnerability reports and risk dashboards for internal stakeholders and the Compliance Manager
• Document risk acceptance decisions, mitigating controls, and remediation timelines
Vulnerability Remediation
• Remediate vulnerabilities directly — bumping dependency versions in package manifests (npm, pip, Maven, Go modules etc.), updating base images, fixing misconfigurations
• Update and harden Dockerfiles — base image selection, multi-stage builds, non-root users, minimal attack surface
• Work within our Git-based workflow — raise PRs, participate in code review, deploy and verify your own fixes end to end
Container & Application Security
• Integrate and maintain container image scanning in CI/CD pipelines (Trivy, Snyk, Grype or equivalent)
• Integrate Software Composition Analysis (SCA) and Static Application Security Testing (SAST) tooling into pipelines
• Define and enforce quality gates that prevent vulnerable or non-compliant images from reaching production
• Identify vulnerable third-party dependencies and work through remediation with engineering teams
Kubernetes & AWS EKS Security
• Harden and maintain the security configuration of our AWS EKS clusters
• Implement and maintain Kubernetes RBAC, Pod Security Standards, Network Policies, and admission controls
• Manage secrets securely — AWS Secrets Manager, External Secrets Operator, or equivalent
• Ensure IAM roles for service accounts (IRSA) are correctly scoped and maintained
• Monitor and respond to runtime security events using tooling such as Falco
Cloud Infrastructure Security
• Maintain and improve AWS security posture across the platform
• Work with AWS-native security tooling — Security Hub, GuardDuty, Inspector, IAM Access Analyzer
• Identify and remediate misconfigurations in Infrastructure as Code (Terraform, Helm)
• Apply least-privilege principles consistently across IAM, service accounts, and workload identities
CI/CD Pipeline Security
• Own and evolve the security gates within our CI/CD pipelines
• Implement automated scanning for containers, dependencies, IaC, and secrets
• Ensure pipelines enforce policy as code — fail fast on critical findings
• Be comfortable modifying pipeline configuration (GitHub Actions, GitLab CI or equivalent) to introduce or improve security controls
Compliance & Risk
• Work alongside the Compliance Manager to translate technical vulnerability findings into compliance-relevant language and evidence
• Produce and maintain risk assessments for identified vulnerabilities and infrastructure risks
• Contribute to audit evidence collection and compliance reporting cycles
• Support the maintenance of security policies and standards documentation
What We Are Looking For
Essential Skills & Experience
• 4+ years of experience in a DevSecOps, Cloud Security, or Security-focused SRE role
• Demonstrable hands-on experience with vulnerability management — not just tooling but owning the full lifecycle
• Strong experience with container security — image scanning, Dockerfile hardening, base image management
• Real-world AWS EKS and Kubernetes security experience — RBAC, Network Policies, Pod Security Standards, admission controllers, IRSA
• Confident working with AWS security services — Security Hub, GuardDuty, Inspector, IAM, KMS, ECR
• Experience integrating security tooling into CI/CD pipelines and defining security quality gates
• Ability to make direct code and configuration changes — comfortable opening PRs to fix dependency versions, Dockerfiles, and IaC
• Understanding of CVSS scoring, exploitability context, and risk-based prioritisation
• Experience writing or contributing to risk assessments and risk acceptance documentation
• Strong communication skills — able to translate technical findings for a compliance or non-technical audience
Desirable Skills & Experience
• Experience with Kubernetes policy engines — Kyverno, OPA/Gatekeeper
• Experience with runtime security tooling such as Falco
• Familiarity with GRC or compliance platforms — Drata, Vanta, or similar
• Experience with secrets management tooling — External Secrets Operator, HashiCorp Vault, AWS Secrets Manager
• AWS certifications — Security Specialty, Solutions Architect, or equivalent
• Exposure to compliance frameworks — SOC 2, ISO 27001, CIS Benchmarks
Technologies You Will Work With
Area                      Tools / Technologies
Vulnerability Scanning    Trivy, Snyk, Grype, AWS Inspector, Dependabot
SAST / SCA                Snyk Code, Semgrep, Checkov, KICS
Kubernetes Security       Falco, Kyverno, OPA/Gatekeeper, kube-bench
AWS Security              Security Hub, GuardDuty, IAM Access Analyzer, KMS, ECR
CI/CD                     GitHub Actions, GitLab CI, ArgoCD or Flux
Infrastructure as Code    Terraform, Helm
Secrets Management        AWS Secrets Manager, External Secrets Operator
Ticketing / Reporting     Jira, and a GRC platform
What We Offer
• A genuinely ownership-heavy role — you will drive security decisions, not just implement them
• Close collaboration with engineering, platform, and compliance teams
• A modern, cloud-native stack built on AWS EKS
• A culture that treats security as an engineering problem, not a checkbox
• Competitive salary and benefits package
• [Add your specific benefits here]
How to Apply
We are an equal opportunities employer and welcome applications from all backgrounds.
More career opportunities at Ensono