Menu

Attack Surface Reduction Analyst

Job details
Posting date: 13 January 2026
Hours: Full time
Closing date: 12 February 2026
Location: Edinburgh, EH12 1HQ
Company: NatWest Group
Job type: Permanent
Job reference: R-00268053

Apply for this job

Summary

Join us as an Attack Surface Reduction Analyst

  • Take on a new challenge and use your specialist knowledge to support the wider organisation in building and operating secure services that protect both colleagues and customers

  • You’ll act as a subject matter expert in a security related field, making sure that the security implications of the backlog are understood in the right way, building security early into design

  • You’ll be joining an exciting and fast-paced area of the bank, where you can expect great exposure both for you and your work

What you'll do

As an Attack Surface Reduction Analyst, you’ll be working at a domain level to understand and make sure robust security is continuously considered and incorporated at every stage, programme increment and feature team delivery throughout the development lifecycle and through to support.

You’ll collaborate with feature teams and participate in story refinement, sprint planning and retrospective sessions, establishing a culture of innovation and strategic thinking that makes sure that the bank has knowledge of, and opportunities to exploit, the latest developments in your area of specialism.

You’ll also be:

  • Supporting with the identification of risks, while contributing to risk management strategies to achieve business objectives and customer outcomes

  • Understanding and implementing Agile methodologies and actively contributing to finding opportunities to build security early into design

  • Making sure that decisions made are based on robust data, return on investment and value measures that demonstrate thoughtful and intelligent cost management

  • Actively contributing to your Centre of Excellence (CoE) specialism by cross sharing learnings and best practice with CoE and Community of Practice colleagues

  • Building and leveraging relationships with colleagues across the bank and third parties to ensure decisions made are commercially focused and create long term value for the organisation

The skills you'll need

To be successful in this role, you’ll need knowledge of one or more security subject areas and experience of setting risk appetites. You’ll also demonstrate experience of, or a willingness to learn risk management frameworks.

You’ll also bring a strong understanding of vulnerability discovery across diverse environments, including traditional infrastructure, cloud platforms such as AWS, Azure and GCP, APIs, and application code, and you’ll be proficient with scanning tools like Qualys to identify and track exposures effectively.

Additionally, you’ll need:

  • An understanding of cloud-native architectures, container security such as Docker and Kubernetes, and CI/CD pipelines to assess vulnerabilities in dynamic and scalable environments, including recognising misconfigurations, insecure deployments, and cloud-specific threat vectors

  • Strong communication and stakeholder management skills, and the ability to evaluate and prioritise vulnerabilities based on risk, exploitability, and business impact, and to coordinate remediation efforts across the bank

  • Familiarity with secure coding practices and API security, including the ability to interpret results from SAST, DAST, and API scanning tools

  • Knowledge of common code-level flaws and the OWASP API Security Top 10 to make sure vulnerabilities are addressed early in the development lifecycle

  • The proven ability to produce clear, actionable reports and dashboards that communicate vulnerability posture and remediation progress

Apply for this job