Product, Application and Offensive Security Lead
WPP is the trusted growth partner for the world’s leading brands.
We unite cutting-edge media intelligence and data solutions, world-class creativity, next-generation production, transformative enterprise solutions and expert strategic counsel in a single company – powered by exceptional talent and our agentic marketing platform, WPP Open, to help our clients navigate change, capture opportunity and deliver transformational growth.
We work with the world's most valuable brands and have global reach across 100+ markets, with deep local expertise.
Our people are the key to our success. We're committed to fostering a culture of creativity, belonging and continuous learning, attracting and developing the brightest talent, and providing exciting career opportunities that help our people grow.
For more information, visit WPP.com.
The Product, Application and Offensive Security Lead is responsible for embedding
security directly into the design, development, testing and operation of DTS products
and platforms.
This is a hands-on security engineering role. The role requires someone who can work
directly with product and engineering teams, review designs, assess APIs, run threat
models, test systems, coordinate penetration testing, identify vulnerabilities, and help
teams remediate issues.
The role ensures DTS products, APIs, data collaboration capabilities, AI-enabled
workflows, and client-facing services are designed, built and tested securely. It also
owns the practical offensive security and adversarial assurance activity needed to test
DTS products from an attacker’s perspective.
The Product, Application and Offensive Security Lead will work closely with Product,
Engineering, Architecture, Infrastructure, Security Operations, Privacy, Cloud and
Platform Security, and the ISMS and Risk Officer to ensure security issues are identified
early, fixed effectively, and tracked through governance where required.
Key responsibilities
1. Hands-on product and application security
Provide hands-on security support across DTS products and engineering teams.
This includes:
• Reviewing product designs, technical designs, APIs, services and integrations.
• Identifying security weaknesses in applications, workflows and data flows.
• Advising engineering teams on secure implementation.
• Supporting secure design decisions during product discovery and delivery.
• Helping teams resolve security issues pragmatically without creating
unnecessary delivery friction.
2. Secure software development lifecycle
Embed security into the software development lifecycle across DTS.
This includes:
• Defining and applying secure engineering standards.
• Supporting secure coding practices.
• Reviewing CI/CD security controls.
• Supporting SAST, DAST, SCA, secrets scanning, dependency scanning and
container scanning.
• Helping teams triage, prioritise and remediate security findings.
• Working with engineering teams to make security checks practical and
repeatable.
3. Threat modelling and security design reviews
Run threat modelling and security design reviews for new and changed capabilities.
This includes:
• Facilitating threat modelling sessions with engineering and product teams.
• Reviewing authentication and authorization designs.
• Assessing API exposure, data flows, trust boundaries and abuse cases.
• Identifying risks around tenant isolation, privilege escalation, data leakage and
misuse.
• Documenting key findings, recommendations and residual risks.
4. Offensive security and adversarial testing
Carry out and coordinate offensive security testing across DTS products and platforms.
This includes:
• Performing hands-on security testing of products, APIs and workflows.
• Coordinating external penetration tests.
• Supporting red team and purple team exercises where required.
• Testing abuse cases and attacker paths.
• Testing access control, authentication, authorization and data leakage risks.
• Validating remediation of security findings.
• Feeding material risks into the ISMS and Risk Officer for tracking.
5. API, integration and data product security
Provide security assurance for APIs, integrations and data products.
This includes:
• Reviewing externally exposed APIs and partner integrations.
• Assessing rate limiting, authorization, tenant isolation, logging, abuse prevention
and data leakage controls.
• Supporting secure integration between InfoSum, Open Intelligence, Resolve,
WPP Open and third-party platforms.
• Reviewing data product workflows for misuse, excessive access or unintended
exposure.
• Working with Privacy Engineering on privacy-sensitive APIs, algorithms and
outputs.
6. AI and agentic security testing
Provide hands-on security review and adversarial testing for AI-enabled and agentic
capabilities.
This includes:
• Testing prompt injection, tool misuse, data leakage and excessive agency.
• Reviewing how agents access APIs, data, tools and workflows.
• Testing whether agent permissions can be bypassed or escalated.
• Assessing action boundaries and human approval points.
• Working with Identity, AI and Data Access Governance to validate agent access
models.
• Documenting AI and agentic security risks and remediation actions.
7. Vulnerability triage and remediation support
Help teams understand, prioritise and fix security vulnerabilities.
This includes:
• Reviewing vulnerability findings from scans, penetration tests, code reviews,
cloud tools and external reports.
• Prioritising findings based on exploitability, exposure, data sensitivity and
business impact.
• Working directly with engineers to define remediation options.
• Validating that fixes are effective.
• Supporting exception and risk acceptance decisions where remediation is
delayed.
• Ensuring significant issues are visible through the DTS risk process.
8. Engineering enablement and security coaching
Act as a practical security partner to engineering teams.
This includes:
• Providing secure implementation guidance.
• Creating lightweight security patterns and examples.
• Coaching engineers on common application, API and AI security risks.
• Helping teams understand the “why” behind security requirements.
• Supporting a culture where security is part of product quality, not a separate
approval gate.
Key accountabilities
The Product, Application and Offensive Security Lead will be accountable for:
• Hands-on application and product security support across DTS.
• Secure SDLC guidance and practical adoption.
• Threat modelling and security design reviews.
• API, integration and data product security reviews.
• Offensive security and adversarial testing activity.
• AI and agentic security testing.
• Vulnerability triage, remediation guidance and fix validation.
• Coordination with ISMS/Risk to ensure material risks and exceptions are
tracked.
• Helping engineering teams build secure systems without unnecessary delivery
drag.
Skills and experience
The successful candidate will have:
• Strong hands-on experience in application security, product security, offensive
security, security engineering or penetration testing.
• Good understanding of modern software engineering, APIs, SaaS platforms, distributed systems and cloud-native applications.
• Experience with threat modelling and secure design reviews.
• Practical knowledge of common application and API security risks, including
authentication, authorization, tenant isolation, injection, data leakage, privilege
escalation and supply chain risk.
• Experience using security testing tools and techniques across web applications,
APIs, cloud services and CI/CD pipelines.
• Familiarity with SAST, DAST, SCA, secrets scanning, dependency scanning and
vulnerability management workflows.
• Experience working directly with engineers to remediate findings.
• Understanding of AI and agentic security risks would be highly valuable.
• Ability to communicate clearly with engineering, product, architecture, security
and leadership stakeholders.
• A pragmatic, delivery-aware approach to security.
Leadership expectations
The Product, Application and Offensive Security Lead is expected to:
• Be hands-on and technically credible with engineering teams.
• Act as a trusted security partner, not just a reviewer or approver.
• Challenge insecure designs constructively.
• Help teams find practical ways to reduce risk.
• Prioritise issues based on real-world exploitability and business impact.
• Work across multiple DTS product areas without becoming a delivery
bottleneck.
• Escalate material risks clearly through the appropriate governance routes.
• Promote secure engineering habits through practical guidance and example.
Success measures
Success in the role will be measured by:
• Security being embedded earlier in product and engineering delivery.
• Reduction in high-risk application, API and product vulnerabilities.
• Regular threat modelling and security reviews for critical DTS capabilities.
• Effective offensive and adversarial testing of products, APIs and workflows.
• Faster remediation of penetration test and security testing findings.
• Improved security assurance for AI and agentic workflows.
• Engineering teams receiving practical, actionable security guidance.
• Material security risks being surfaced and tracked through the DTS risk process.
• Security being viewed by engineering teams as an enabler of trusted delivery
rather than a blocker.
You're open: We are inclusive and collaborative; we encourage the free exchange of ideas; we respect and celebrate diverse views. We are open-minded: to new ideas, new partnerships, new ways of working.
You're optimistic: We believe in the power of creativity, technology and talent to create brighter futures for our people, our clients and our communities. We approach all that we do with conviction: to try the new and to seek the unexpected.
You're extraordinary: We are stronger together: through collaboration we achieve the amazing. We are creative leaders and pioneers of our industry; we provide extraordinary every day.
What we'll give you:
Passionate, inspired people – We aim to create a culture in which people can do extraordinary work.
Scale and opportunity – We offer the opportunity to create, influence and complete projects at a scale that is unparalleled in the industry.
Challenging and stimulating work – Unique work and the opportunity to join a group of creative problem solvers. Are you up for the challenge?
We believe the best work happens when we're together, fostering creativity, collaboration, and connection. That's why we’ve adopted a hybrid approach, with teams in the office around four days a week. If you require accommodations or flexibility, please discuss this with the hiring team during the interview process.
WPP is an equal opportunity employer and considers applicants for all positions without discrimination or regard to particular characteristics. We are committed to fostering a culture of respect in which everyone feels they belong and has the same opportunities to progress in their careers.
Please read our Privacy Notice (https://www.wpp.com/en/careers/wpp-privacy-policy-for-recruitment) for more information on how we process the information you provide.