SecJobs
RoleSuite
Updated 2026-07-03 18:00 UTC·© 2025–2026 RoleSuite

Product, Application and Offensive Security Lead

WPP · United Kingdom

WPP is the trusted growth partner for the world’s leading brands. 

We unite cutting-edge media intelligence and data solutions, world-class creativity, next-generation production, transformative enterprise solutions and expert strategic counsel in a single company – powered by exceptional talent and our agentic marketing platform, WPP Open, to help our clients navigate change, capture opportunity and deliver transformational growth. 
 
We work with the world's most valuable brands and have global reach across 100+ markets, with deep local expertise.
 
Our people are the key to our success. We're committed to fostering a culture of creativity, belonging and continuous learning, attracting and developing the brightest talent, and providing exciting career opportunities that help our people grow. 
 
For more information, visit WPP.com.
 

Role Overview

The Product, Application and Offensive Security Lead is responsible for embedding security directly into the design, development, testing, and operation of DTS products and platforms.

This is a hands-on security engineering role. The role requires someone who can work directly with product and engineering teams, review designs, assess APIs, run threat models, test systems, coordinate penetration testing, identify vulnerabilities, and help teams remediate issues.

The role ensures DTS products, APIs, data collaboration capabilities, AI-enabled workflows, and client-facing services are designed, built, and tested securely. It also owns the practical offensive security and adversarial assurance activity needed to test DTS products from an attacker’s perspective.

The Product, Application and Offensive Security Lead will work closely with Product, Engineering, Architecture, Infrastructure, Security Operations, Privacy, Cloud and Platform Security, and the ISMS and Risk Officer to ensure security issues are identified early, fixed effectively, and tracked through governance where required.

Key Responsibilities

1. Hands-on Product and Application Security

Provide hands-on security support across DTS products and engineering teams. This includes:

  • Reviewing product designs, technical designs, APIs, services, and integrations.
  • Identifying security weaknesses in applications, workflows, and data flows.
  • Advising engineering teams on secure implementation.
  • Supporting secure design decisions during product discovery and delivery.
  • Helping teams resolve security issues pragmatically without creating unnecessary delivery friction.

2. Secure Software Development Lifecycle (SDLC)

Embed security into the software development lifecycle across DTS. This includes:

  • Defining and applying secure engineering standards.
  • Supporting secure coding practices.
  • Reviewing CI/CD security controls.
  • Supporting SAST, DAST, SCA, secrets scanning, dependency scanning, and container scanning.
  • Helping teams triage, prioritise, and remediate security findings.
  • Working with engineering teams to make security checks practical and repeatable.

3. Threat Modelling and Security Design Reviews

Run threat modelling and security design reviews for new and changed capabilities. This includes:

  • Facilitating threat modelling sessions with engineering and product teams.
  • Reviewing authentication and authorization designs.
  • Assessing API exposure, data flows, trust boundaries, and abuse cases.
  • Identifying risks around tenant isolation, privilege escalation, data leakage, and misuse.
  • Documenting key findings, recommendations, and residual risks.

4. Offensive Security and Adversarial Testing

Carry out and coordinate offensive security testing across DTS products and platforms. This includes:

  • Performing hands-on security testing of products, APIs, and workflows.
  • Coordinating external penetration tests.
  • Supporting red team and purple team exercises where required.
  • Testing abuse cases and attacker paths.
  • Testing access control, authentication, authorization, and data leakage risks.
  • Validating remediation of security findings.
  • Feeding material risks into the ISMS and Risk Officer for tracking.

5. API, Integration and Data Product Security

Provide security assurance for APIs, integrations, and data products. This includes:

  • Reviewing externally exposed APIs and partner integrations.
  • Assessing rate limiting, authorization, tenant isolation, logging, abuse prevention, and data leakage controls.
  • Supporting secure integration between InfoSum, Open Intelligence, Resolve, WPP Open, and third-party platforms.
  • Reviewing data product workflows for misuse, excessive access, or unintended exposure.
  • Working with Privacy Engineering on privacy-sensitive APIs, algorithms, and outputs.

6. AI and Agentic Security Testing

Provide hands-on security review and adversarial testing for AI-enabled and agentic capabilities. This includes:

  • Testing prompt injection, tool misuse, data leakage, and excessive agency.
  • Reviewing how agents access APIs, data, tools, and workflows.
  • Testing whether agent permissions can be bypassed or escalated.
  • Assessing action boundaries and human approval points.
  • Working with Identity, AI, and Data Access Governance to validate agent access models.
  • Documenting AI and agentic security risks and remediation actions.

7. Vulnerability Triage and Remediation Support

Help teams understand, prioritise, and fix security vulnerabilities. This includes:

  • Reviewing vulnerability findings from scans, penetration tests, code reviews, cloud tools, and external reports.
  • Prioritising findings based on exploitability, exposure, data sensitivity, and business impact.
  • Working directly with engineers to define remediation options.
  • Validating that fixes are effective.
  • Supporting exception and risk acceptance decisions where remediation is delayed.
  • Ensuring significant issues are visible through the DTS risk process.

8. Engineering Enablement and Security Coaching

Act as a practical security partner to engineering teams. This includes:

  • Providing secure implementation guidance.
  • Creating lightweight security patterns and examples.
  • Coaching engineers on common application, API, and AI security risks.
  • Helping teams understand the “why” behind security requirements.
  • Supporting a culture where security is part of product quality, not a separate approval gate.

Key Accountabilities

The Product, Application and Offensive Security Lead will be accountable for:

  • Hands-on application and product security support across DTS.
  • Secure SDLC guidance and practical adoption.
  • Threat modelling and security design reviews.
  • API, integration, and data product security reviews.
  • Offensive security and adversarial testing activity.
  • AI and agentic security testing.
  • Vulnerability triage, remediation guidance, and fix validation.
  • Coordination with ISMS/Risk to ensure material risks and exceptions are tracked.
  • Helping engineering teams build secure systems without unnecessary delivery drag.

Skills and Experience

The successful candidate will have:

  • Strong hands-on experience in application security, product security, offensive security, security engineering, or penetration testing.
  • Good understanding of modern software engineering, APIs, SaaS platforms, distributed systems, and cloud-native applications.
  • Experience with threat modelling and secure design reviews.
  • Practical knowledge of common application and API security risks, including authentication, authorization, tenant isolation, injection, data leakage, privilege escalation, and supply chain risk.
  • Experience using security testing tools and techniques across web applications, APIs, cloud services, and CI/CD pipelines.
  • Familiarity with SAST, DAST, SCA, secrets scanning, dependency scanning, and vulnerability management workflows.
  • Experience working directly with engineers to remediate findings.
  • Understanding of AI and agentic security risks would be highly valuable.
  • Ability to communicate clearly with engineering, product, architecture, security, and leadership stakeholders.
  • A pragmatic, delivery-aware approach to security.

Leadership Expectations

The Product, Application and Offensive Security Lead is expected to:

  • Be hands-on and technically credible with engineering teams.
  • Act as a trusted security partner, not just a reviewer or approver.
  • Challenge insecure designs constructively.
  • Help teams find practical ways to reduce risk.
  • Prioritise issues based on real-world exploitability and business impact.
  • Work across multiple DTS product areas without becoming a delivery bottleneck.
  • Escalate material risks clearly through the appropriate governance routes.
  • Promote secure engineering habits through practical guidance and example.

Success Measures

Success in the role will be measured by:

  • Security being embedded earlier in product and engineering delivery.
  • Reduction in high-risk application, API, and product vulnerabilities.
  • Regular threat modelling and security reviews for critical DTS capabilities.
  • Effective offensive and adversarial testing of products, APIs, and workflows.
  • Faster remediation of penetration test and security testing findings.
  • Improved security assurance for AI and agentic workflows.
  • Engineering teams receiving practical, actionable security guidance.
  • Material security risks being surfaced and tracked through the DTS risk process.
  • Security being viewed by engineering teams as an enabler of trusted delivery rather than a blocker.

You're open: We are inclusive and collaborative; we encourage the free exchange of ideas; we respect and celebrate diverse views. We are open-minded: to new ideas, new partnerships, new ways of working.

You're optimistic: We believe in the power of creativity, technology and talent to create brighter futures for our people, our clients and our communities. We approach all that we do with conviction: to try the new and to seek the unexpected.

You're extraordinary: We are stronger together: through collaboration we achieve the amazing. We are creative leaders and pioneers of our industry; we provide extraordinary every day.

 

What we'll give you:

Passionate, inspired people – We aim to create a culture in which people can do extraordinary work.

Scale and opportunity – We offer the opportunity to create, influence and complete projects at a scale that is unparalleled in the industry.

Challenging and stimulating work – Unique work and the opportunity to join a group of creative problem solvers. Are you up for the challenge?


We believe the best work happens when we're together, fostering creativity, collaboration, and connection. That's why we’ve adopted a hybrid approach, with teams in the office around four days a week. If you require accommodations or flexibility, please discuss this with the hiring team during the interview process.

WPP is an equal opportunity employer and considers applicants for all positions without discrimination or regard to particular characteristics. We are committed to fostering a culture of respect in which everyone feels they belong and has the same opportunities to progress in their careers.

Please read our Privacy Notice (https://www.wpp.com/en/careers/wpp-privacy-policy-for-recruitment) for more information on how we process the information you provide.

Security pay context

Based on 1,662 disclosed Security salaries on RoleSuite, the role pays a median of $142K/year, with most offers between $114K and $179K (10th–90th percentile: $95K–$215K).
