Job Title: Security Analyst / Security Consultant
Location: Remote (actually remote. No “mandatory culture days”)
Salary: £55,000 + 10% Bonus and Benefits
Let’s skip the corporate fluff.
This is a Security Analyst / Consultant role for someone who gets it.
Someone who knows that “secure by design” isn't just something you write in a Confluence doc. Someone who knows risk isn’t always a red RAG status - and can explain the difference between a real issue and a theoretical one.
We're building secure products across a complex cloud environment (yes, both Azure and AWS). You’ll be the person making sure what we build isn’t just functional - but secure, sustainable, and risk-aware.
What you’ll actually be doing:
Embedding yourself in engineering teams, making sure security is considered before, during and after development - not after someone clicks deploy.
Leading the charge on application security - from secure coding principles to automated AppSec testing in CI/CD pipelines.
Running (or helping run) threat modelling sessions and ensuring they're more than just drawing spiders on whiteboards.
Working with devs and testers to embed security controls early in the lifecycle.
Bringing DevSecOps principles into play - not just sprinkling tools into pipelines and calling it a day.
Providing end-to-end security assurance of cloud-based products - containers, APIs, apps, infrastructure.
Translating technical risk into business language that makes sense to non-technical decision-makers.
Partnering with security testers to ensure ethical hacking, code reviews, infrastructure scans, and app assessments are done properly - not tick-box-style.
You should probably already know a bit about:
Cloud security across Azure and AWS – IAM, storage, networking, serverless, containers, monitoring. Not expecting you to be a cloud architect, but you should know your way around.
DevSecOps practices – secure pipelines, IaC security, dependency scanning, GitHub/Jenkins integrations.
Application security – OWASP Top 10, SAST/DAST tooling, secrets management, API security.
Threat modelling – Ideally STRIDE, or something better. And you can do it with a dev team, not just in theory.
Vulnerability and risk management – and how to avoid both being reduced to spreadsheets.
Frameworks like NIST, MITRE ATT&CK, Cyber Kill Chain, and compliance stuff like PCI-DSS.
SIEMs, WAFs, DLPs, EDRs, and all the other acronym-heavy tools you’ve learned to assess critically.
You’ll do well here if:
You speak fluent “tech” and “business”.
You can spot a security gap without being a pain about it.
You’re comfortable saying “no” - but you always explain why.
You’re curious, self-driven, and allergic to box-ticking.
You can back your views up with data, experience, or even just logic.
Letters & certs are nice (but not essential):
Security+, CISM, CISSP, CCSK, CCAK, Azure/AWS security certs, MSc Cybersecurity, etc.
Or you’ve just done the job long enough that you know your stuff without the need for badges.
Apply if that sounds like you. If you're looking for a clipboard and a checklist, this isn't it.