Product Security Engineer 🔐

Job Description

Sunderland | Hybrid | Permanent

What this role looks like 🎯

At tombola, everything we build is in house, which means security is not something we bolt on at the end, it is built in from the start.

As a Product Security Engineer, you will sit right at the heart of that. You will work closely with our development teams, getting real visibility of what is being built and shaping how we keep it secure as we go.

This is not a role where you are hidden away running tests in isolation. You will be collaborating, influencing, translating risk into real action, and helping teams make better security decisions every day.

You will play a key part in protecting our platform, our players, and our business as we continue to grow.

We’re big on working together, so you’ll spend around 3 days a week in our Sunderland office getting that face to face time with the team, with around 2 days working from home for a bit of focus and flexibility.

What you will be doing 👀

You will be involved across three key areas of product security:

External testing
Working with third party partners to meet regulatory requirements and making sure we are always one step ahead.

• Supporting annual and quarterly security testing

• Choosing the right external tools and providers

• Turning findings into clear, actionable improvements across our platform

Internal testing
Taking ownership of how we proactively test and improve our security internally.

• Running automated and manual security testing across our sites

• Identifying and prioritising vulnerabilities across the platform

• Continuously improving our tooling to keep pace with evolving threats

Secure development lifecycle (SDLC)
Embedding security into how we build, not just how we test.

• Partnering with developers, product and infrastructure teams

• Helping prioritise and resolve vulnerabilities early in the lifecycle

• Supporting pre go live testing to reduce risk

• Building and integrating security tooling into CI CD pipelines

• Empowering teams to make better security decisions from day one

What we are looking for 🧠

You do not need to tick every box, but this is the kind of experience that will help you thrive:

• A genuine interest in security and staying up to date with new threats

• Experience working in or alongside a security function

• Confidence identifying problems and figuring out the best way to solve them

• Understanding of security frameworks and standards such as ISO, NIST or PCI

• Experience working with developers or within a secure development lifecycle

• Awareness of common vulnerabilities such as OWASP Top Ten

• Familiarity with cloud platforms and modern development environments

• Ability to script or automate tasks where needed

• Experience working with third party vendors or penetration testers

What will set you apart ⭐

• Ability to translate technical findings into something clear and actionable

• Confidence working with both technical and non technical stakeholders

• A mindset that naturally considers risk and security in everything

• Someone who builds strong relationships and influences teams in the right way

• Passion for doing things properly, not just quickly

Why tombola? 🎱

We are not your typical tech company. Everything we build is ours, which means you will have real ownership and real impact.

You will be part of a team that genuinely cares about:

• Doing things the right way

• Supporting each other

• Building products we are proud of

Plus… we have some pretty great benefits too click here to check them out.

At tombola we know that our differences make us stronger and that thinking differently is key to long term success. We work hard to create a culture of inclusivity where everyone can celebrate our Free to be mevalue. We are committed to creating opportunities for everyone here at tombola, we welcome applications from all backgrounds and encourage individuals to apply, even if you don’t meet every requirement.