Information Security Engineer (AppSec)

Office: Krakow · Lisbon · Madrid · Porto Remote: Poland · Portugal · Romania · Spain · Spain · UAE

About Revolut

People deserve more from their money. More visibility, more control, and more freedom. Since 2015, Revolut has been on a mission to deliver just that. Our powerhouse of products - including spending, saving, investing, exchanging, travelling, and more - help our 60+ million customers get more from their money every day.

As we continue our lightning-fast growth,‌ 2 things are essential to our success: our people and our culture. In recognition of our outstanding employee experience, we've been certified as a Great Place to Work™. So far, we have 10,000+ people working around the world, from our offices and remotely, to help us achieve our mission. And we're looking for more brilliant people. People who love building great products, redefining success, and turning the complexity of a chaotic world into the simplicity of a beautiful solution.

About the role

Our Technology team builds the systems and experiences that keep Revolut moving. From the infrastructure behind our innovative app to the features used by millions of people around the world, they bring sharp thinking, speed, and a focus on meaningful impact to everything they do.

We're looking for an Application Security Engineer to keep our software safe from threats and vulnerabilities. You'll be designing and building apps with security in mind while testing, monitoring, and protecting our systems along the way.

Up to shape what's next in finance? Let's get in touch.

What you'll be doing

• Performing security assessments on product designs, mobile apps (iOS/Android), web applications, and APIs
• Participating in Red Team missions and threat-led testing scenarios to simulate real-world attacker behaviours and validate detection and response capabilities
• Leading and conducting penetration testing across applications, infrastructure, and APIs, using a mix of manual techniques and automated tools
• Managing and evolving our private bug bounty programme, validating submissions, collaborating with researchers, and ensuring timely resolution of valid findings
• Contributing to and influencing cloud security posture, identifying misconfigurations and working with DevOps to implement best practices across GCP and AWS
• Partnering closely with engineering teams to embed security into the software development lifecycle, offering guidance on secure architecture and threat modelling
• Developing and enforcing internal AppSec standards, policies, and practices aligned with OWASP, NIST, and industry benchmarks
• Continuously researching and evaluating emerging threats, tools, and technologies to stay ahead of the evolving threat landscape
• Contributing to internal security training sessions, knowledge sharing, and mentoring of junior team members

What you'll need

• 3+ years of hands-on experience in application security, penetration testing, or a related security engineering role
• A solid understanding of common web, mobile, and API vulnerabilities (e.g., OWASP Top 10, CWE) and practical approaches to identify and remediate them
• Experience conducting code reviews, design reviews, and threat modelling for modern application architectures
• Familiarity with DevSecOps practices and integrating security tooling into CI/CD pipelines
• Working knowledge of authentication, authorisation, session management, and cryptographic best practices
• Proficiency with security tools, such as Burp Suite, MobSF, Frida, or custom scripts, for dynamic and static analysis
• A basic understanding of cloud security principles and experience working with GCP or AWS environments
• Great communication skills with the ability to collaborate effectively with Engineering, Product, and DevOps teams
• A proactive mindset with a passion for solving complex problems and driving secure engineering practices
• The ability to work independently while also being a trusted team player in a fast-paced environment

Nice to have

• Experience participating in Red Team exercises, managing bug bounty programmes, or contributing to open-source security tools or research

Building a global financial super app isn't enough. Our Revoluters are a priority, and that's why in 2021 we launched our inaugural D&I Framework, designed to help us thrive and grow everyday. We're not just doing this because it's the right thing to do. We're doing it because we know that seeking out diverse talent and creating an inclusive workplace is the way to create exceptional, innovative products and services for our customers. That's why we encourage applications from people with diverse backgrounds and experiences to join this multicultural, hard-working team.

Important notice for candidates:

Job scams are on the rise. Please keep these guidelines in mind when applying for any open roles.

• Only apply through official Revolut channels. We don't use any third-party services or platforms for our recruitment.

• Always double-check the emails you receive. Make sure all communications are being done through official Revolut emails, with an @revolut.com domain.

We won't ask for payment or personal financial information during the hiring process. If anyone does ask you for this, it's a scam. Report it immediately.

By submitting this application, I confirm that all the information given by me in this application for employment and any additional documents attached hereto are true to the best of my knowledge and that I have not wilfully suppressed any material fact. I confirm I have disclosed if applicable any previous employment with Revolut. I accept that if any of the information given by me in this application is in any way false or incorrect, my application may be rejected, any offer of employment may be withdrawn or my employment with Revolut may be terminated summarily or I may be dismissed. By submitting this application, I agree that my personal data will be processed in accordance with Revolut's Candidate Privacy Notice