Security Engineer at Cowrywise

The role

We need a generalist security engineer. Someone who can write a risk assessment in the morning, run a pen test after lunch, review code for vulnerabilities, and help prepare for an audit the next day. Not a narrow specialist. Someone who’s good across board and energized by variety.

You’ll work with our engineering, product, risk, and legal teams. Some days you’re deep in code. Other days you’re drafting a policy or reviewing a vendor’s security posture. This role is the kind that existed before security had its own department.

What you’ll do

AppSec

• Security code reviews and pen testing on web, mobile, and API
• Find, triage, and track vulnerabilities through to remediation. Own the full lifecycle
• SAST, DAST, SCA tooling in CI/CD
• Threat modelling for new features and architecture changes
• Review auth flows for weaknesses

Secure development

• Champion security practices across engineering. Be a partner, not a gatekeeper
• Maintain secure coding standards for our stack
• Run security awareness sessions. Practical, not preachy
• Review security-sensitive PRs

Infrastructure & APIs

• Assess and harden REST and third-party API integrations (payment gateways, partner APIs)
• Review cloud configs (AWS/GCP) for misconfigurations
• Security requirements for new infrastructure and vendor decisions
• Periodic cloud and network security assessments

Fraud detection

• Build, tune, and maintain our internal fraud detection: rules, signals, detection logic
• Analyze transaction patterns and behavioural signals to spot anomalies
• Build automation that reduces manual triage work
• Work with product to embed fraud controls before features ship
• Investigate fraud incidents end-to-end
• Track fraud trends in African fintech and feed that back into detection

GRC

• Maintain security policies, standards, and procedures
• Support audits: evidence gathering, gap remediation, ISO 27001, PCI DSS, SOC 2, CBN guidelines
• Vendor security risk assessments
• Own the risk register
• Security awareness training across the org, not just engineering
• Incident response: investigation, containment, root cause, post mortems
• Triage bug bounty and external vulnerability reports

What we’re looking for

Required

• 3+ years in security engineering or infosec with exposure across multiple domains
• Application security fundamentals: OWASP Top 10, common vulnerabilities, how to find and fix them
• Pen testing or vulnerability assessments (web, API, or mobile)
• GRC basics: risk assessments, policies, audit evidence, compliance frameworks (ISO 27001, PCI DSS, or similar)
• Vulnerability management: tracking, prioritizing, driving remediation
• Fraud detection, transaction monitoring, or trust & safety experience
• Clear writing. Vulnerability reports and policy documents with equal confidence.
• Able to collaborate across teams and drive alignment.

Nice to have

• Fintech, payments, or regulated financial services
• Cloud security: AWS or GCP config reviews, IAM auditing, storage misconfigs
• Mobile app security (iOS/Android, OWASP MASVS)
• Scripting (Python, Bash)
• Certs: CEH, OSCP, CompTIA Security+, CompTIA CySA+, ISO 27001 Lead Implementer
• Fraud rules engines, anomaly detection, behavioral analytics
• CBN cybersecurity frameworks and Nigerian fintech regulations

The people who succeed on this team:

• Genuinely curious across all of security
• Don’t need a narrow lane. Variety is energizing, not overwhelming
• Builders. Want to fix and improve, not just document and report
• Comfortable with ambiguity. We’re still defining what good looks like and you’ll help shape it
• Earn trust by being clear, practical, and genuinely helpful
• Care about the mission. Protecting people’s money isn’t abstract.