Rodeo
ResourcesPartnersSign in

Semble

Senior Security Engineer

London
£80k – £90k/yr
Posted 14 days ago
Sign up to applySee more jobs like this

How your CV stacks up

1Upload CV
2Analyse CV
3Improve CV

Upload your CV to see how well it fits this job role

?%

Security Engineer, IT Delivery & Security Services (Hybrid, UK)

Hands-on security professional passionate about defining application security in an era of agentic AI, this role demands expertise in shaping security best practice for a healthcare-focused SaaS startup. Security is a genuine competitive advantage here, and you’ll own everything from AI governance tosecure SDLC practices.


About Semble

At Semble, we’re Empowering health professionals to deliver the highest-impact care. Our mission:

  • Provide intuitive, powerful, and secure software to clinicians
  • Optimise workflows while protecting sensitive health data
  • Enable research insights derived from structured datasets

Our team thrives on cultural values:

  • Impact: We tackle meaningful challenges
  • Collaboration: Shared responsibility and high team cohesion
  • Human touch: We prioritise people and forward-thinking technology, including AI-first problem-solving.

About the IT Delivery & Security Services Team

We champion discreet, secure IT that enhances clinician efficiency—placing maximum clarity and minimal friction at the forefront. We automate routine tasks to eliminate inefficiencies and champion transparency in all operations.

Core principles:

  • Zero compulsion: Always patching, always documented, always correct provisioning—not for audits, but because it’s fundamental
  • End state is audit-ready by default. Key achievements include:
    • Earned strategic security certifications
    • Set best-practice benchmarks for InfoSec

About the Role

This senior Security Engineer role reports to the Head of Information Security and collaborates closely with a Senior Technical Support Engineer. You’ll grow the InfoSec function from scratch—transitioning from a lone-wolf model to a mature, enterprise-ready discipline.

Key Objectives

  • Security as constant adaptation: Architect and embed security controls as the product evolves—especially within AI-integrated (or agent-driven) product features
  • Define best practice: Redefine how we secure products; follow leadership and drive transformation
  • Balanced accountability: Equal responsibility across application security, SAST/SCA pipelines, secure SDLC adoption, ISO 27001, and high-trust AI governance
  • Reactive and proactive: Investigate incidents, audit continuously, and prioritise architectural strategies over compliance checkboxes

Location: Hybrid (UK), with in-person occasional travel to our London office for collaboration (or remote-cost stipend-supported in Europe).


Key Responsibilities

Application Security & Secure SDLC

  • Threat modelling early: Embedmersive security practices during Agile’s planning, refinement, and delivery phases—not reactive audits
    • Threat model new AI-powered features using emerging frameworks (e.g., OWASP LLM Top 10) alongside traditional approaches
  • Developer-centric security enablement:
    • Develop/generate secure coding standards, documentation, and templates that scale across engineering squads
    • Integrate Snyk Code/SCA/IaC/Container pipelines into CI/CD; automate scans to reduce false positives and improve DX
    • Implement pre-commit hooks, architectural guardrails, and reference code to reduce friction
  • Vulnerability lifecycle:
    • Classify, triage, track risks to SLAs, and validate provided fixes with engineering
    • Work across SAST, SCA, and DAST (e.g., Snyk, GitHub Cage), reporting to teams with actionable insights
  • Secure by design:
    • Deliver onboarding docs, interactive tutorials, and relevant real-time training based on team-specific risk profiles
    • Collaborate to ensure new guarded reducts stay intuitively usable

Reasons to use Rodeo

I’m in my final year doing Economics and I don’t know whether to apply for grad schemes now or do a masters first. What do you think?

Honest answer — it depends on where you want to end up. A lot of top grad schemes (Big 4, civil service, banking) don’t need a masters. Let’s look at the ones you’d be competitive for now, and we can decide if a masters actually adds anything.

Also worth knowing: most autumn 2026 applications are open now. Timing matters more than you think.

Start with a chat, not a search bar

Grad scheme, placement, apprenticeship? Not sure what you want yet — that's fine. Your agent talks it through with you and turns "I have no idea" into a shortlist.

P

Graduate Consultant — 2026 Scheme

PwC·London, UK
£35,000/yr

Why you're a good match

Strong

Your economics background and your summer at a regional bank line up with what PwC looks for on the consulting scheme. Applications close in four weeks.

See breakdown
Save jobNot relevant
View details

It searches the market for you

Every day your agent scans the market matching roles against what actually matters to you, not just keywords on a CV.

Why you're a good match

You’ve got the grades and the economics background, and your bank internship is exactly the experience this scheme looks for. Apply soon — deadlines close within the month.

See breakdown
Strong

Experience fit

Your summer at the bank plus your econometrics coursework map directly to the day-one responsibilities on this scheme — client modelling, market briefings, and deal support.

See breakdown
Strong

Only hits

No noise. No "maybe this fits." Just roles with a clear explanation of why they're right — and where to focus when applying.

Security Architecture & Design

  • Custom-authorisation controls:
    • Zero-trust principles applied across product feature layers (e.g., model oracle requests, credentials flows, role-bound edge interactions)
  • API & microservices:
    • Recommend secure patterns (e.g., asymmetric rate-limiting, OAuth 2.0/OIDC token management)
    • Validate cloud-native and edge app security with distinct risk/value trade-offs
  • AI system architecture:
    • Advise on secure identity mechanisms for agentic AI deployments (memory safety, Model Context Protocol (MCP)).
    • Pilot threat-resistant proxying and additional-ramp policies for escalated or dynamic integrations
    • Work with ethical AI compliance to define defensible boundaries for plugin and tool abstraction

AI Security & Governance

  • Unique challenge: Secure AI by design (not bolt-on)
    • Investigate grounding OWASP LLM Top 10 and OWASP Agentic Applications to counter LLM vulnerabilities (e.g., prompt-architectural injection, contextual manipulation)
    • Anticipate AI supply-chain threats and third-party risks—assess MLOps pipelines and AI-supported developer workflows
  • Regulatory alignment:
    • Support ISO 42001 framework alongside ISO 27001 and evolving AI governance
    • Contribute to customer-led audits (e.g., GDPR, ISO ISO-NHS connected systems)
  • Proactive risk alerting:
    • Monitor emerging AI risk surfaces (e.g., CI/CD-based LM observability sentinels, fluctuating threat-agent visibility)

Security Operations & Threat Management

  • Threat-curious environment:
    • Investigate real-time alerts, incidents, and anomalous IT usage (each case uniquely assessed)
    • Maintain a proactive threat-intelligence store for reference of past-risk mites and active-attack vectors
  • Penetration spirit:
    • Conduct red-team workshops and structured collaboration with vulnerability-coordinators outside of isolated audits
    • Optimise EDR and SIEM tooling for scalability and Malcolm-Honey degradation
  • How we grow:
    • Shape end-to-end incident response runbooks with learnings from postmortems (blameless)
    • Vokl before designing processes to avoid waste (overgrab instead of ownership), prioritise dev testing in triage exercises

Compliance, Certification & Audit Readiness

  • Sustainable compliance culture:
    • Own ISO 27001 (with Cyber Essentials Pl relationship management, Tool & Contrail horizontal DC plans)
    • Champion ISO 42001 and organise alignment workforce docs (SOAP)
  • Auditable gabbing state:
    • Before new systems come online, reverse-engineer potential risk factors (data leakage, legacy deprecations).
    • Report rational, defensible security KPIs across remediation SLAs, findings resolution, audit notices.. etc

Customer & Stakeholder Engagement

  • Sales support:
    • Respond authoritatively to technical security questionnaires and due diligence.
  • Public advocacy:
    • Occasionally represent Semble’s security posture as a thought leader bridge to customers
  • Proactive stakeholder out-reach:
    • Escalate to business leadership on AI and security-fit inefficiencies, and complexity—not reliant on deadlines

Required Skills & Experience

  • Minimum 5 years in application security, securely-architected software engineering, or DevSecOps strategy leadership—with client-facing and engineering overlap.
  • Snyk ecosystem proficiency:
    • Fluency with SCA, SAST, Container, IaC developer experience, CI/CD integrations, and fix-validation-management policies.
  • Deep OWASP expertise:
    1. Top 10 (classic, recent, *Agentic Models Virtual Topic Interviews, *)
    2. API Security Top 10 (critical for agentic systems with distinct API edges)
  • Agile penetration deeply:
    • Embraceable to lead DevSecOps adoption central gaps in investing application security professionals primarily
  • Thriving in tech cascades:
    • Anti-authorization patterns (e.g., JWT/OAuth 2.0 %), secrets management, cryptographic positive configuration inheritance, the cloud-undocking weighs internal secrets.
  • Compliance fluency:
    • ISO 27001 ideologist
    • {{Cyber Essentials+}, NHS DPST as teammates supported key text
    • Optional TW-SOC 2 Foundation (ground-breaking status)
  • AI’s changing playbook:
    • Hands-on oversight with honest experience using AI (safeguarding, criticality, and cadence) to streamline engineer mediatizers and field-osylabel teams E.g., events. export suppression, structured incident trope alerting, dev-ti integration neither—IAM-based SLAs for promptin prey-face syndrome via deployment
  • Audits succeed us. Avoid us: Prone to estimated reporting without rigorous back-end traces
  • Ownership heroism:
    • If missing a policy or external market opportunity, prowl to hinder deployment in actionable envisioned.
  • Proficient communication at multiple layers:
    • Translate thistlerods into engineering-friendly ladders, e.g. concrete examples for policy
  • Spark details and share insignificance:
    • Contribute as a peer reviewer to vulnerability discussions, vendor negotiations pre-advancement

Get help with your application

Your very own career expert that helps elevate your application to the next level.

Get help applying for this job

Desirable Skills

  • Certified CISSP: a bonus lifstylesheet
  • Advanced threat-model practitioner: develop STRIDE/attack trees, occasionally pro-joining squeeze model sessions—training facilitation
  • Toolbox native:
    • Advanced API-GW, Kubernetes orchestration fancy, pathological supply mapped needs
  • AI extension battlefield:
    • Advanced toolkits (ORCHESTRA encapsulation, engage-conference recovery, secure MCP vector vision) for LLMSystem modernization
  • Function builder:
    • Foundational or practice-equipped personas from newly draining security office initiatives a first-scale team
  • Healthcare/lofit knowledge:
    • Background certs (SOC 2/NIHR(G NHS mandate-articles) key cases
  • Bilingual upside: Which relishes French seasoning—not obligatory

What You’ll Gain in Return

  • Meaningful impact: Be a security spectator in modernising healthcare
  • Salary: £80–90k (flex lunchtm range confidentiality level)
  • Low-end security doer: Define heraldic action items—your destiny is where you visualize X-strength, we remove respondents and provide required context
  • Strategically generous: 36 days of full pay @ 25 holidays + BPs—ensured allocation with wellbeing services for honourable reflections.
  • Deeply holistic health: Private insurance with mental health, dental, optical, global autonomy cloak
  • Flexible diaspora fertile outcome: Work unbridled regions across UK + Europe, plus London headquarter adaptable additives—rooftop-tianne sky rep (woffinleges)
  • State-of-art developer setups: MacBook + Lululemon + ergonomic recommendations
  • Teamed creatives: Community core founders, exceptional innovators who puck-up in morning-themed thinkuites (prepled knowledge)
  • Central office modernisation – triangular-paced skyfulness downtown—rooftop pandan, weeklyありがとう animation snacks, plus coffee barista team

Terms & Conditions

Open to diversity-rich paths: Neuropartients, disabled, genderless those bare metal space attendees among everywhere underrepresented within our system. Accommodative: Adaptations in step pre-everything; let us know preflight.

Trusted by 25,000+ job seekers

“It took my CV and asked me questions relevant to understanding what kind of jobs to suggest for me. Suggestions were almost perfect. Jobs were exactly what I’ve been looking for.”

Jessica, London

Get help applying for this job

Skills

Application Security
Secure SDLC
Snyk
Threat Modelling
AI Security
ISO 27001
DevSecOps
Cloud-Native Security
Vulnerability Management
OAuth 2.0/OIDC
API Security
Incident Response
AI Governance
SAST/DAST/SCA
Compliance Auditing
Zero Trust Architecture

Location

London, England, United Kingdom

Sign up to applySee more jobs like this