Information Security Intern
Listed on 2026-07-10
-
IT/Tech
Cybersecurity, Information Security
Information Security Intern
Department: Info Sec GRC
Employment Type: Internship
Location: KSA
DescriptionTabby builds financial products used by millions of users across the GCC. We work on high-load, security-critical systems with strict regulatory requirements. The Information Security function protects Tabby across mobile apps, backend services, payment integrations, and cloud infrastructure.
This internship is not educational by default. It is an engineering role with real responsibility.
Information Security at Tabby covers two complementary tracks:
- Vulnerability Assessment & Penetration Testing (VAPT) — application security testing, security architecture reviews, threat modelling, secure code review, vulnerability triage, and incident response.
- Governance, Risk & Compliance (GRC) — policy and control frameworks, compliance program support (PCI DSS, ISO 27001, SAMA), risk assessments, audit support, vendor security reviews, and security awareness.
The team works closely with product engineering, risk engineering, and platform / SRE.
The internship is designed for strong early-career engineers who want to grow as security practitioners. Candidates apply once — during interviews we match each candidate to the track that fits best. Interns are embedded with the security team, work on real assessments and remediation or compliance tasks under senior review, and are expected to meet engineering standards from day one.
Key ResponsibilitiesThis is not a helper or shadow-only role. Interns work on real production tasks under senior review.
On the VAPT track- Triage findings from SAST, DAST, SCA, and dependency scanners across mobile and backend repos
- Reproduce and document vulnerabilities; write clear remediation tickets for product teams
- Contribute to secure code reviews on selected merge requests (auth, input validation, data handling)
- Participate in threat-modelling sessions for new features and produce write-ups
- Run scoped assessments against staging environments under senior sign-off
- Help maintain security tooling: scanner configs, baseline rules, dashboards, false-positive triage queues
- Help with security checks during release cycles
- Contribute to Dev Sec Ops – security gates in CI/CD pipelines, dependency and container image scanning
- Exposure to logging, monitoring, and alert triage workflows alongside the SOC
- Participate in incident response exercises and post-mortems alongside senior engineers
- Support compliance programs against frameworks like PCI DSS, ISO 27001, and SAMA – evidence collection, control mapping, gap analysis
- Help maintain security policies, standards, and procedures across domains – access control, cryptography, asset management, change management, third-party security, vulnerability management, awareness and training – track owners and review cycles
- Contribute to risk assessments – risk registers, control testing, treatment plans
- Support vendor and third-party security assessments
- Help prepare for internal and external audits – work papers, evidence packages, response coordination
- Contribute to security awareness content, training rollouts, and metrics tracking
- Work alongside engineering teams to translate policy requirements into concrete technical controls
- Work with risk and platform engineers on PII handling, secrets management, and encryption reviews
- Contribute to the internal security knowledge base (runbooks, playbooks, awareness content)
- Solid understanding of information security fundamentals: confidentiality, integrity, availability; common attack categories (OWASP Top 10) and common control categories
- Understanding of HTTP, TLS, DNS, and TCP/IP fundamentals
- Understanding of authentication and authorization patterns (sessions, cookies, OAuth 2.0, JWT)
- Familiarity with Linux command line and POSIX-like environments
- Ability to read technical material and explain it clearly in writing
- Experience with Git and standard development workflows
- Strong ethical mindset and discretion – security findings and compliance evidence are sensitive by default, non-disclosure outside the team is non-negotiable
- Open to constructive feedback
- English…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).