
Principal Penetration Tester

Job in Watford, Hertfordshire, NN6, England, UK
Listing for: Allwyn UK
Full Time position
Listed on 2026-05-23
Job specializations:
  • IT/Tech
    Cybersecurity, Data Security
Salary/Wage Range or Industry Benchmark: 80,000 - 100,000 GBP per year
Job Description & How to Apply Below

At the heart of everything we do is our vision to change lives every day, and our mission to grow The National Lottery responsibly and champion its impact.

We are Allwyn UK, part of the Allwyn Entertainment Group – a multi-national lottery operator with a market-leading presence across the USA (Michigan and Illinois) and Europe, including the Czech Republic, Austria, Greece, Cyprus and Italy.

While the main contribution of The National Lottery to society is through the funds to good causes, at Allwyn we put our purpose and values at the heart of everything we do. Join us as we embark on a once-in-a-lifetime, large scale transformation journey by creating a National Lottery that delivers more money to good causes.

We’ll talk a bit more about us further down the page, but for now – let’s talk about the role and who we’re looking for…

A bit about the role

This role strengthens the Security Testing function by adding senior hands-on capability across application security testing and targeted offensive security work. The main purpose of the role is to improve the depth, consistency and practical value of security testing across Allwyn systems and services, while building enough internal offensive capability to support purple team activity, adversary-led testing and better detection and response outcomes.

The role is weighted towards application security. Around 70 percent of the time will be spent on testing and assuring modern applications, APIs, backend services and cloud-hosted workloads. Around 30 percent will be spent on offensive security activity that supports purple team development, adversary-informed assessments and selected deeper technical work such as binary analysis, operating system exploitation and ATT&CK-aligned testing.

What you’ll be doing

Application security testing and assurance, around 70 percent

  • Lead and deliver advanced penetration testing across web applications, RESTful APIs, backend services, mobile-connected services and supporting application platforms.
  • Assess Java-based backend systems, especially Spring Boot services, microservice architectures, API gateways and Backend-for-Frontend layers.
  • Test authentication, authorisation, orchestration, input validation, session handling, token management and data exposure risks across modern digital journeys.
  • Carry out security testing across cloud-hosted and containerised application environments, ideally on AWS, where platform or configuration weaknesses affect application risk.
  • Review outputs from SAST, DAST and related controls, separate noise from genuine risk, and help development teams understand what matters and what should be fixed first.
  • Support threat modelling and design review activity by translating design and architecture decisions into sensible testing scope and coverage.
  • Support release and project assurance by providing clear views on testing depth, remediation expectations and risk-based sign-off inputs.
  • Help develop practical application security testing standards, playbooks and ways of working that can be applied across BAU and project delivery.

Offensive security and purple team development, around 30 percent

  • Develop and mature an internal purple team methodology that can be used alongside security testing activity and external red team exercises.
  • Support offensive security planning with Security Testing leadership and Cyber Defence so that simulations and adversary-led assessments are tied to the maturity of defensive controls and operational priorities.
  • Use strong Linux and Windows knowledge to identify realistic exploitation paths across hosts, applications and supporting services.
  • Bring practical knowledge of binary exploitation and lower-level technical analysis where it adds value to application, platform or software component assessments.
  • Apply ATT&CK-aligned thinking when shaping offensive scenarios, attack paths and purple team test cases.
  • Use knowledge of exploit chaining, post-exploitation tradecraft, EDR and AV evasion concepts, and other offensive security techniques where they improve the realism and value of testing.
  • Contribute to selected specialist work, including hardware-focused testing or low-level technical…