Offensive Security Engineer
| Posting date: | 10 December 2025 |
|---|---|
| Hours: | Full time |
| Closing date: | 09 January 2026 |
| Location: | Reading, Berkshire |
| Remote working: | Hybrid - work remotely up to 2 days per week |
| Company: | CHAMP Cargosystems UK Ltd |
| Job type: | Permanent |
| Job reference: | |
Summary
We are looking for an Offensive Security Engineer to join our Security & GRC team.
The role will be reporting to the Security Architect.
Location: Reading, UK
Responsibilities:
We are seeking an Offensive Security Engineer to establish and guide our Product Security Team. The successful candidate will drive our penetration testing capability and our secure software development practices, oversee vulnerability remediation, and build automated offensive security capabilities integrated into our agile CI/CD environment. Working within the SCRUM methodology, the Offensive Security Engineer will ensure that security is embedded into every sprint, release, and product lifecycle stage. As our SaaS products are primarily developed as Java-based web applications, the ideal candidate will bring hands-on experience in software development and a strong understanding of secure coding practices in Java and modern web technologies.
Security Governance & Development Enablement
Establish secure coding standards, reusable libraries, and best practices for Java web application development.
Collaborate with product owners and developers to integrate security requirements into user stories.
Provide guidance on threat modeling and secure design during sprint planning.
Ensure security tasks are prioritized alongside functional requirements in the agile backlog.
Offensive Security & Testing
Build and oversee internal penetration testing capabilities for web applications and APIs.
Ensure each release in the CI/CD chain undergoes automated and manual security testing.
Expand testing scope to infrastructure and cloud environments as maturity grows.
Continuously simulate attacker techniques to validate product resilience.
Tooling & Automation
Drive adoption of SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) solutions, with emphasis on Java and web application frameworks.
Integrate automated security testing into CI/CD pipelines.
Oversee development of unit test frameworks with embedded security checks.
Compliance & Reporting
Align product security practices with compliance frameworks (ISO27001, SOC2, NIS2, EU AI Act, etc.).
Collaborate with Compliance and IT Security teams to maintain certifications and audit readiness.
Provide leadership with clear reporting on product security posture, vulnerabilities, and remediation progress.
Agile Management
Define backlog items related to security improvements, vulnerability remediation, and testing initiatives.
Facilitate sprint planning, daily stand-ups, retrospectives, and ensure delivery of security objectives.
Mentor and coach team members, fostering a culture of collaboration and continuous improvement.
Knowledge, Skills and Abilities:
Strong knowledge of secure development practices, threat modeling, and vulnerability management.
Hands-on experience with SAST/DAST tools and CI/CD integration.
Excellent communication skills to engage developers, auditors, and executives.
Proven experience leading teams in agile/SCRUM environments.
Education and Experience:
Bachelor’s or Master’s degree in Software Engineering, Cybersecurity, or related field.
8+ years of experience in software development and application security, with hands-on exposure to Java web applications.
Certifications such as OSCP, CISSP or CISM.
Experience in SaaS environments and cloud-native security.
Familiarity with compliance frameworks (ISO27001, SOC2, NIS2, EU AI Act).
Ability to balance strategic vision with hands-on technical leadership.
The selected candidate may be required to provide an up-to-date (not older than 3 months) criminal record certificate.
Security: the successful candidate will have to comply with CHAMP Security Requirements (including but not limited to CHAMP’s IT Security Policies, especially the ISMS Policy and the Acceptable Use Policy, mandatory courses, confidentiality and data protection, use of company assets, and incident reporting).
CHAMP Cargosystems is an equal opportunity employer and prohibits discrimination and harassment of any kind. We are committed to the principle of equal employment opportunity for all employees and to providing employees with a work environment free of discrimination and harassment. All employment decisions are based on business needs, job requirements and individual qualifications, without regard to race, ethnic background, religion or belief, family or parental status, or any other status protected by the laws or regulations in the locations where we operate.
Please note that any personal data that you submit along with your application will be processed by CHAMP and may be processed by any of its global entities as necessary. These data will be treated in strict compliance with the applicable data protection legislation (i.e. the Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data, as amended, and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the GDPR), which entered into force on 25 May 2018, as well as any other subsequent regulation). Please follow the link to the CHAMP Candidates Privacy Notice for further information.