The role
We need a generalist security engineer: someone who can write a risk assessment in the morning, run a pen test after lunch, review code for vulnerabilities, and help prepare for an audit the next day. Not a narrow specialist. Someone who's good across the board and energized by variety.
You'll work with our engineering, product, risk, and legal teams. Some days you're deep in code. Other days you're drafting a policy or reviewing a vendor's security posture. It's the kind of role that existed before security became its own department.
What you'll do
AppSec
Security code reviews and pen testing across web, mobile, and APIs
Find, triage, and track vulnerabilities through to remediation; own the full lifecycle
Run and tune SAST, DAST, and SCA tooling in CI/CD
Threat modelling for new features and architecture changes
Review authentication and authorization flows for weaknesses
Secure development
Champion security practices across engineering. Be a partner, not a gatekeeper
Maintain secure coding standards for our stack
Run security awareness sessions. Practical, not preachy
Review security-sensitive PRs
Infrastructure & APIs
Assess and harden our REST APIs and third-party integrations (payment gateways, partner APIs)
Review cloud configs (AWS/GCP) for misconfigurations
Set security requirements for new infrastructure and vendor decisions
Run periodic cloud and network security assessments
Fraud detection
Build, tune, and maintain our internal fraud detection: rules, signals, and detection logic
Analyze transaction patterns and behavioural signals to spot anomalies
Build automation that reduces manual triage work
Work with product to embed fraud controls before features ship
Investigate fraud incidents end-to-end
Track fraud trends in African fintech and feed them back into our detection logic
GRC
Maintain security policies, standards, and procedures
Support audits (ISO 27001, PCI DSS, SOC 2, CBN guidelines): evidence gathering and gap remediation
Vendor security risk assessments
Own the risk register
Run security awareness training across the org, not just engineering
Incident response: investigation, containment, root cause analysis, post-mortems
Triage bug bounty and external vulnerability reports
What we're looking for
Required
3+ years in security engineering or infosec with exposure across multiple domains
Application security fundamentals: OWASP Top 10, common vulnerabilities, how to find and fix them
Pen testing or vulnerability assessments (web, API, or mobile)
GRC basics: risk assessments, policies, audit evidence, compliance frameworks (ISO 27001, PCI DSS, or similar)
Vulnerability management: tracking, prioritizing, driving remediation
Fraud detection, transaction monitoring, or trust & safety experience
Clear writing: vulnerability reports and policy documents with equal confidence
Able to collaborate across teams and drive alignment
Nice to have
Fintech, payments, or regulated financial services
Cloud security: AWS or GCP config reviews, IAM auditing, storage misconfigurations
Mobile app security (iOS/Android, OWASP MASVS)
Scripting (Python, Bash)
Certs: CEH, OSCP, CompTIA Security+, CompTIA CySA+, ISO 27001 Lead Implementer
Fraud rules engines, anomaly detection, behavioral analytics
CBN cybersecurity frameworks and Nigerian fintech regulations
The people who succeed on this team:
Genuinely curious across all of security
Don't need a narrow lane. Variety is energizing, not overwhelming
Builders who want to fix and improve, not just document and report
Comfortable with ambiguity. We're still defining what good looks like and you'll help shape it
Earn trust by being clear, practical, and genuinely helpful
Care about the mission. Protecting people's money isn't abstract.