WPP

Product, Application and Offensive Security Lead

United Kingdom
Posted 1 day ago
WPP is the trusted growth partner for the world’s leading brands. We unite cutting-edge media intelligence and data solutions, world-class creativity, next-generation production, transformative enterprise solutions and expert strategic counsel in a single company – powered by exceptional talent and our agentic marketing platform, WPP Open, to help our clients navigate change, capture opportunity and deliver transformational growth.

We work with the world's most valuable brands and have global reach across 100+ markets, with deep local expertise.

Our people are the key to our success. We're committed to fostering a culture of creativity, belonging and continuous learning, attracting and developing the brightest talent, and providing exciting career opportunities that help our people grow.

For more information, visit WPP.com.

Product, Application and Offensive Security Lead

The Product, Application and Offensive Security Lead is responsible for embedding security directly into the design, development, testing and operation of DTS products and platforms. This is a hands-on security engineering role. The role requires someone who can work directly with product and engineering teams, review designs, assess APIs, run threat models, test systems, coordinate penetration testing, identify vulnerabilities, and help teams remediate issues.

The role ensures DTS products, APIs, data collaboration capabilities, AI-enabled workflows, and client-facing services are designed, built and tested securely. It also owns the practical offensive security and adversarial assurance activity needed to test DTS products from an attacker’s perspective.

The Product, Application and Offensive Security Lead will work closely with Product, Engineering, Architecture, Infrastructure, Security Operations, Privacy, Cloud and Platform Security, and the ISMS and Risk Officer to ensure security issues are identified early, fixed effectively, and tracked through governance where required.

Key Responsibilities

  1. Hands-on product and application security

    • Provide hands-on security support across DTS products and engineering teams. This includes:
      • Reviewing product designs, technical designs, APIs, services and integrations.
      • Identifying security weaknesses in applications, workflows and data flows.
      • Advising engineering teams on secure implementation.
      • Supporting secure design decisions during product discovery and delivery.
      • Helping teams resolve security issues pragmatically without creating unnecessary delivery friction.
  2. Secure software development lifecycle

    • Embed security into the software development lifecycle across DTS. This includes:
      • Defining and applying secure engineering standards.
      • Supporting secure coding practices.
      • Reviewing CI/CD security controls.
      • Supporting SAST, DAST, SCA, secrets scanning, dependency scanning and container scanning.
      • Helping teams triage, prioritise and remediate security findings.
      • Working with engineering teams to make security checks practical and repeatable.
  3. Threat modelling and security design reviews

    • Run threat modelling and security design reviews for new and changed capabilities. This includes:
      • Facilitating threat modelling sessions with engineering and product teams.
      • Reviewing authentication and authorization designs.
      • Assessing API exposure, data flows, trust boundaries and abuse cases.
      • Identifying risks around tenant isolation, privilege escalation, data leakage and misuse.
      • Documenting key findings, recommendations and residual risks.
  4. Offensive security and adversarial testing

    • Carry out and coordinate offensive security testing across DTS products and platforms. This includes:
      • Performing hands-on security testing of products, APIs and workflows.
      • Coordinating external penetration tests.
      • Supporting red team and purple team exercises where required.
      • Testing abuse cases and attacker paths.
      • Testing access control, authentication, authorization and data leakage risks.
      • Validating remediation of security findings.
      • Feeding material risks into the ISMS and Risk Officer for tracking.

  5. API, integration and data product security

    • Provide security assurance for APIs, integrations and data products. This includes:
      • Reviewing externally exposed APIs and partner integrations.
      • Assessing rate limiting, authorization, tenant isolation, logging, abuse prevention and data leakage controls.
      • Supporting secure integration between InfoSum, Open Intelligence, Resolve, WPP Open and third-party platforms.
      • Reviewing data product workflows for misuse, excessive access or unintended exposure.
      • Working with Privacy Engineering on privacy-sensitive APIs, algorithms and outputs.
  6. AI and agentic security testing

    • Provide hands-on security review and adversarial testing for AI-enabled and agentic capabilities. This includes:
      • Testing prompt injection, tool misuse, data leakage and excessive agency.
      • Reviewing how agents access APIs, data, tools and workflows.
      • Testing whether agent permissions can be bypassed or escalated.
      • Assessing action boundaries and human approval points.
      • Working with Identity, AI and Data Access Governance to validate agent access models.
      • Documenting AI and agentic security risks and remediation actions.
  7. Vulnerability triage and remediation support

    • Help teams understand, prioritise and fix security vulnerabilities. This includes:
      • Reviewing vulnerability findings from scans, penetration tests, code reviews, cloud tools and external reports.
      • Prioritising findings based on exploitability, exposure, data sensitivity and business impact.
      • Working directly with engineers to define remediation options.
      • Validating that fixes are effective.
      • Supporting exception and risk acceptance decisions where remediation is delayed.
      • Ensuring significant issues are visible through the DTS risk process.
  8. Engineering enablement and security coaching

    • Act as a practical security partner to engineering teams. This includes:
      • Providing secure implementation guidance.
      • Creating lightweight security patterns and examples.
      • Coaching engineers on common application, API and AI security risks.
      • Helping teams understand the “why” behind security requirements.
      • Supporting a culture where security is part of product quality, not a separate approval gate.

Key Accountabilities

The Product, Application and Offensive Security Lead will be accountable for:

  • Hands-on application and product security support across DTS.
  • Secure SDLC guidance and practical adoption.
  • Threat modelling and security design reviews.
  • API, integration and data product security reviews.
  • Offensive security and adversarial testing activity.
  • AI and agentic security testing.
  • Vulnerability triage, remediation guidance and fix validation.
  • Coordination with ISMS/Risk to ensure material risks and exceptions are tracked.
  • Helping engineering teams build secure systems without unnecessary delivery drag.

Skills and Experience

The successful candidate will have:

  • Strong hands-on experience in application security, product security, offensive security, security engineering or penetration testing.
  • Good understanding of modern software engineering, APIs, SaaS platforms, distributed systems and cloud-native applications.
  • Experience with threat modelling and secure design reviews.
  • Practical knowledge of common application and API security risks, including authentication, authorization, tenant isolation, injection, data leakage, privilege escalation and supply chain risk.
  • Experience using security testing tools and techniques across web applications, APIs, cloud services and CI/CD pipelines.
  • Familiarity with SAST, DAST, SCA, secrets scanning, dependency scanning and vulnerability management workflows.
  • Experience working directly with engineers to remediate findings.
  • Understanding of AI and agentic security risks would be highly valuable.
  • Ability to communicate clearly with engineering, product, architecture, security and leadership stakeholders.
  • A pragmatic, delivery-aware approach to security.

Leadership Expectations

The Product, Application and Offensive Security Lead is expected to:

  • Be hands-on and technically credible with engineering teams.
  • Act as a trusted security partner, not just a reviewer or approver.
  • Challenge insecure designs constructively.
  • Help teams find practical ways to reduce risk.
  • Prioritise issues based on real-world exploitability and business impact.
  • Work across multiple DTS product areas without becoming a delivery bottleneck.
  • Escalate material risks clearly through the appropriate governance routes.
  • Promote secure engineering habits through practical guidance and example.

Success Measures

Success in the role will be measured by:

  • Security being embedded earlier in product and engineering delivery.
  • Reduction in high-risk application, API and product vulnerabilities.
  • Regular threat modelling and security reviews for critical DTS capabilities.
  • Effective offensive and adversarial testing of products, APIs and workflows.
  • Faster remediation of penetration test and security testing findings.
  • Improved security assurance for AI and agentic workflows.
  • Engineering teams receiving practical, actionable security guidance.
  • Material security risks being surfaced and tracked through the DTS risk process.
  • Security being viewed by engineering teams as an enabler of trusted delivery rather than a blocker.

You're open

  • We are inclusive and collaborative; we encourage the free exchange of ideas; we respect and celebrate diverse views.

You're optimistic

  • We believe in the power of creativity, technology and talent to create brighter futures for our people, our clients and our communities. We approach all that we do with conviction: to try the new and to seek the unexpected.

You're extraordinary

  • We are stronger together: through collaboration we achieve the amazing. We are creative leaders and pioneers of our industry; we provide extraordinary every day.

What we'll give you

  • Passionate, inspired people – We aim to create a culture in which people can do extraordinary work.
  • Scale and opportunity – We offer the opportunity to create, influence and complete projects at a scale that is unparalleled in the industry.
  • Challenging and stimulating work – Unique work and the opportunity to join a group of creative problem solvers. Are you up for the challenge?

We believe the best work happens when we're together, fostering creativity, collaboration, and connection. That's why we’ve adopted a hybrid approach, with teams in the office around four days a week. If you require accommodations or flexibility, please discuss this with the hiring team during the interview process.

WPP is an equal opportunity employer and considers applicants for all positions without discrimination or regard to particular

Skills

Application Security
Offensive Security
Penetration Testing
Threat Modelling
Secure SDLC
API Security
AI Security
Vulnerability Management
SAST
DAST
SCA
Cloud-Native Security
Security Engineering
Adversarial Testing
Identity and Access Management
Risk Governance

Location

United Kingdom
