Principal penetration tester

Watford
Penetration tester
Posted: 4h ago
Offer description

At the heart of everything we do is our vision to change lives every day, and our mission to grow The National Lottery responsibly and champion its impact. We are Allwyn UK, part of the Allwyn Entertainment Group – a multi-national lottery operator with a market-leading presence across the USA (Michigan and Illinois) and Europe, including Czech Republic, Austria, Greece, Cyprus and Italy. While the main contribution of The National Lottery to society is through the funds to good causes, at Allwyn we put our purpose and values at the heart of everything we do. Join us as we embark on a once-in-a-lifetime, large-scale transformation journey by creating a National Lottery that delivers more money to good causes. We’ll talk a bit more about us further down the page, but for now – let’s talk about the role and who we’re looking for…

A bit about the role

This role strengthens the Security Testing function by adding senior hands-on capability across application security testing and targeted offensive security work. The main purpose of the role is to improve the depth, consistency and practical value of security testing across Allwyn systems and services, while building enough internal offensive capability to support purple team activity, adversary-led testing and better detection and response outcomes.

The role is weighted towards application security. Around 70 percent of the time will be spent on testing and assuring modern applications, APIs, backend services and cloud-hosted workloads. Around 30 percent will be spent on offensive security activity that supports purple team development, adversary-informed assessments and selected deeper technical work such as binary analysis, operating system exploitation and ATT&CK-aligned testing.

What you’ll be doing

Application security testing and assurance (around 70 percent)

  • Lead and deliver advanced penetration testing across web applications, RESTful APIs, backend services, mobile-connected services and supporting application platforms.
  • Assess Java-based backend systems, especially Spring Boot services, microservice architectures, API gateways and Backend for Frontend layers.
  • Test authentication, authorisation, orchestration, input validation, session handling, token management and data exposure risks across modern digital journeys.
  • Carry out security testing across cloud-hosted and containerised application environments, ideally on AWS, where platform or configuration weaknesses affect application risk.
  • Review outputs from SAST, DAST and related controls, separate noise from genuine risk, and help development teams understand what matters and what should be fixed first.
  • Support threat modelling and design review activity by translating design and architecture decisions into sensible testing scope and coverage.
  • Support release and project assurance by providing clear views on testing depth, remediation expectations and risk-based sign-off inputs.
  • Help develop practical application security testing standards, playbooks and ways of working that can be applied across BAU and project delivery.

Offensive security and purple team development (around 30 percent)

  • Develop and mature an internal purple team methodology that can be used alongside security testing activity and external red team exercises.
  • Support offensive security planning with Security Testing leadership and Cyber Defence so that simulations and adversary-led assessments are tied to the maturity of defensive controls and operational priorities.
  • Use strong Linux and Windows knowledge to identify realistic exploitation paths across hosts, applications and supporting services.
  • Bring practical knowledge of binary exploitation and lower-level technical analysis where it adds value to application, platform or software component assessments.
  • Apply ATT&CK-aligned thinking when shaping offensive scenarios, attack paths and purple team test cases.
  • Use knowledge of exploit chaining, post-exploitation tradecraft, EDR and AV evasion concepts, and other offensive security techniques where they improve the realism and value of testing.
  • Contribute to selected specialist work, including hardware-focused testing or low-level technical analysis, where there is a clear business need and the activity supports the wider security testing plan.
  • Work with external offensive security partners and turn outputs into practical lessons, follow-up actions and measurable improvements.

Team contribution and capability building

  • Act as a senior technical point of reference within the Security Testing function.
  • Coach others in the team and help raise the standard of testing, reporting and technical analysis.
  • Improve internal methods, test approaches and reporting so that the function becomes more consistent and easier to scale.

What experience we’re looking for

Essential

  • Strong hands-on experience in application penetration testing across web applications, APIs and service-based architectures.
  • Strong understanding of Java-based backend systems, especially Spring Boot, RESTful APIs and microservice patterns.
  • Experience testing API gateways and Backend for Frontend layers, including authentication, authorisation, orchestration and data validation.
  • Practical knowledge of cloud-hosted applications, ideally on AWS, including containerised services and common platform security controls.
  • Good understanding of modern web and mobile application patterns, enough to assess API consumption, session handling, trust boundaries and data exposure risk.
  • Strong practical knowledge of Linux and Windows operating systems, including privilege escalation paths, host weaknesses, credential handling risks and exploitation approaches relevant to application environments.
  • Working knowledge of binary exploitation and lower-level vulnerability analysis where relevant to application, runtime or platform risk.
  • Ability to carry out manual testing beyond automated tooling, including business logic weaknesses, exploit chaining and cross-layer issues.
  • Ability to explain findings clearly to both technical and non-technical stakeholders and provide practical remediation advice.
  • Experience shaping testing approach, methodology or standards rather than only delivering assessments.

Desirable

  • Experience with mobile application assessment.
  • Experience with secure code review or code-assisted testing.
  • Experience with ATT&CK-informed assessments, adversary emulation support or purple team exercises.
  • Familiarity with EDR and AV evasion concepts, exploit development, vulnerability research or offensive tooling beyond standard application testing.
  • Exposure to hardware, embedded or other specialist low-level testing techniques.
  • Experience in regulated, high-availability or transaction-critical environments.
  • Relevant certifications such as CREST, OSCP, OSWE, OSEP or equivalent demonstrable experience.
  • Experience with WAF technology and implementation.

About us

At Allwyn, we are dedicated to changing lives and growing the National Lottery responsibly, championing its positive impact on people, places, and the planet.

Innovation – We pride ourselves on it! We’re constantly looking for new ways to excite our customers, bringing new products to market to enjoy, all supported by our responsible play values and making them accessible to all.

Giving back – Did you know that playing the lottery generates around £30m a week for charities and good causes in the UK? Our aim is to have doubled this number by the end of the first 10-year licence.

Sustainability – Our aim is to become a net zero national lottery. We have 2030 targets to decarbonise our operations and energy. We’ve already transitioned to renewable energy providers, made our London and Watford offices zero gas, and ensured our fleet consists of low-emission vehicles. In addition, we’re working with our value chain partners to develop a net zero target date.

Empowering every voice – We believe in creating a culture where everyone feels they belong, can be themselves, has access to opportunities and can thrive for the benefit of good causes. Our diverse teams are working hard to make all parts of The National Lottery inclusive – whether people play a game in a store or online, because when everyone can play, everyone wins.

An inclusive reward offering with wellbeing at the centre

At Allwyn, inclusion is built into how we care for our people. Our benefits and policies support colleagues and their families at every stage of life and career. By prioritising wellbeing and belonging, we create a workplace where everyone feels valued, rewarded, and empowered to succeed. Our people are more than colleagues – they’re winners, driving positive change and making a real difference in communities.

Benefits

  • Company Bonus Scheme
  • Matched pension contributions up to 8.5%
  • 26 days annual leave
  • 2 Life Days (and bank holidays)
  • Single Private Health Cover
  • Complimentary Private Medical
  • Income Protection
  • Flexible Benefits – EV Scheme, Money Coach, Will Writing, Mortgage Advice, Dental and Eye Care Schemes
  • Enhanced Family Leave (Maternity, Paternity, Adoption)
  • Wellness Allowance £500
  • Employee Assistance Programme
  • Discounted Health Assessments
  • Volunteering Days
  • Matched Funding

We are a Disability Confident Leader, which means we’ve taken proactive steps to ensure our workplace is accessible and inclusive for disabled and neurodivergent colleagues and candidates. As part of this we offer an interview to disabled applicants who meet the essential requirements of the job.
If you need any assistance or adjustments to this job description or in the application process, please contact a member of the talent team at careers@allwyn.co.uk and we’ll be happy to help.