About the Role:
Grade Level (for internal use): 12
The Role:
The Principal Security Engineer – Offensive Security is an internal adversarial security practitioner embedded within Enterprise Solutions (ES). The role is responsible for independently testing and validating the security posture of ES applications, data platforms, and supporting cloud infrastructure.
This is a hands-on offensive security role, not a compliance or governance function. The engineer plans and executes red team operations, penetration tests, and adversarial simulations that reflect the techniques, tactics, and procedures of realistic threat actors – across application code, APIs, CI/CD pipelines, AWS infrastructure, multi-tenant platform boundaries, and AI/agentic system components.
Working in close partnership with ES product engineering teams, the role provides an independent adversarial perspective on implemented controls and remediations. Findings feed directly into the continuous improvement of security practices across ES engineering and inform risk decisions made by technology and business leadership.
Success is measured by the quality and realism of engagements, the reduction of exploitable risk in production systems, and the degree to which findings drive durable security improvement – not by volume of findings or compliance artefacts.
Key Responsibilities
Red Team Operations & Penetration Testing
- Plan and execute red team engagements and penetration tests against web applications, APIs, internal services, and AWS cloud infrastructure, scoped and executed with clear rules of engagement.
- Simulate realistic attacker TTPs aligned with threat intelligence and frameworks such as MITRE ATT&CK (Enterprise and Cloud), tailored to the organizational threat model.
- Conduct full-scope assessments covering initial access, lateral movement, privilege escalation, persistence, and data exfiltration across application and cloud environments.
- Perform cloud-specific attack path analysis including IAM privilege escalation, metadata service abuse, cross-account access, misconfiguration exploitation, and container or serverless escape techniques.
- Execute CI/CD pipeline attack simulations covering supply chain compromise, secrets exposure, artifact tampering, and pipeline misconfigurations.
- Assess and exploit vulnerabilities in authentication and authorisation mechanisms, business logic, APIs, and data handling processes.
- Test multi-tenant platform boundaries to identify cross-tenant data access paths, context confusion, and shared-resource leakage.
- Assess AI and agentic system components, including prompt injection, tool-call abuse, agent privilege escalation, model output manipulation, and MCP/orchestration layer attack surfaces.
Security Control Validation & Remediation
- Independently validate the effectiveness of security controls implemented by engineering and platform teams, providing evidence-based assessments rather than checklist verdicts.
- Re-test remediated vulnerabilities to confirm fixes are effective and do not introduce new risks.
- Conduct adversarial reviews of proposed security architectures and AI/agentic system designs to identify potential bypasses, trust boundary violations, or design gaps.
- Challenge security assumptions through realistic attack simulations and communicate the business impact of exploitable gaps clearly.
Vulnerability Assessment & Research
- Perform application security assessments using structured methodologies including the OWASP Testing Guide, PTES, and emerging guidance for AI/LLM systems such as the OWASP Top 10 for LLMs.
- Assess AWS and cloud infrastructure through configuration review, privilege analysis, network exposure mapping, and detection gap identification.
- Assess data layer security including database access controls, ORM injection paths, data-tier privilege abuse, and financial data exfiltration routes.
- Evaluate secrets management practices across repositories, environment configurations, serverless functions, and managed secrets services.
- Research emerging attack techniques relevant to the ES technology stack and develop proof-of-concept exploits where appropriate.
- Contribute to the vulnerability management lifecycle with accurate risk ratings, regulatory exposure context, and practical remediation guidance.
Purple Team Collaboration
- Partner with Security Operations and Detection Engineering during purple team exercises to evaluate detection coverage and alert quality, producing ATT&CK coverage mapping and detection gap analysis as standard outputs.
- Develop and share attack playbooks, indicators of compromise (IOCs), and detection recommendations informed by red team findings.
- Identify and communicate logging and monitoring gaps uncovered during engagements, with specific attention to agentic workflow and API observability blind spots.
Reporting & Communication
- Produce clear, professional assessment reports documenting attack narratives, findings, supporting evidence, risk ratings, and remediation recommendations – framed in terms of regulatory exposure where relevant (SOC 2, MiFID II, DORA).
- Communicate findings effectively to both technical audiences (developers, engineers) and non-technical stakeholders (management, risk owners).
- Maintain engagement and findings tracking; contribute to security metrics and risk reporting dashboards.
- Present results in debrief sessions in a constructive, collaborative manner focused on risk reduction rather than fault.
Tooling & Continuous Improvement
- Maintain and enhance the red team toolset including custom scripts, automation, and exploitation tooling aligned to the ES technology environment and threat model.
- Develop internal tooling where commercial or open-source tools do not adequately cover ES-specific attack surfaces, particularly around agentic and multi-tenant systems.
- Stay current on offensive security research, CVE disclosures, cloud provider security updates, and AI/LLM attack research.
- Document methodologies, playbooks, and lessons learned to support programme maturity and knowledge transfer.
Required Qualifications
Technical Expertise
- 10+ years of hands-on experience in penetration testing, red teaming, or offensive security roles, with a track record of conducting full-scope assessments against complex, production systems.
- Demonstrated experience with application security testing including web applications, REST and GraphQL APIs, authentication and authorisation flows, and common vulnerability classes.
- Proven experience performing AWS cloud security assessments and exploiting cloud-specific attack paths including IAM, EC2, Lambda, S3, and ECS/EKS.
- Experience testing multi-tenant systems, with the ability to identify and exploit tenant isolation failures, context confusion, and shared-resource leakage.
- Practical experience assessing AI and agentic system security, including prompt injection, tool-call abuse, agent privilege escalation, and orchestration layer vulnerabilities. Familiarity with OWASP Top 10 for LLMs and emerging adversarial AI frameworks.
- Experience assessing data layer security including database access controls, ORM injection paths, and data exfiltration techniques relevant to financial services environments.
- Experience assessing secrets management posture across repositories, CI/CD pipelines, environment configurations, and managed secrets services.
- Experience conducting threat modelling using STRIDE or comparable methodologies, including for AI/agentic system components.
- Proficiency in at least one scripting or programming language (Python, Go, Bash, or PowerShell) sufficient to develop tooling, automate assessments, and understand application code under review.
- Strong understanding of networking fundamentals: TCP/IP, DNS, TLS, and HTTP/S.
- Strong understanding of Active Directory and associated identity-based attack techniques.
- Experience assessing CI/CD platforms and identifying pipeline security weaknesses including supply chain and secrets exposure vectors.
- Working knowledge of offensive security tools including Burp Suite, Metasploit, BloodHound, Nmap, Nuclei, and cloud-specific tooling such as Pacu, ScoutSuite, and Prowler.
- Familiarity with defensive technologies including WAFs, EDR, SIEM platforms, and cloud-native security controls, sufficient to reason about detection gaps and evasion.
- Ability to produce high-quality assessment reports that clearly articulate technical findings, business impact, and regulatory exposure to both engineering and senior business audiences.
Preferred Qualifications
Offensive Security Expertise
- Experience with container attack techniques including RBAC abuse, privilege escalation, secrets extraction, and container escape.
- Familiarity with software supply chain and CI/CD attack vectors such as dependency confusion and artifact signing bypass.
- Experience with OAuth 2.0 and OpenID Connect attack scenarios including token misuse, redirect abuse, and scope escalation.
- Knowledge of serverless and cloud-native architectures and their associated attack surfaces.
- Experience developing or extending offensive security tooling including custom payloads and evasion techniques.
- Familiarity with API gateway and service mesh attack surfaces, including mTLS bypass and fine-grained authorisation abuse.
Programme & Collaboration Experience
- Experience operating within a structured red team programme including scoping, rules of engagement, and deconfliction.
- Familiarity with MITRE ATT&CK (Enterprise and Cloud) for engagement planning, reporting, and detection gap analysis (e.g. ATT&CK Navigator, DETT&CT).
- Experience conducting purple team exercises in collaboration with detection and response teams.
- Ability to translate technical findings into clear business risk and regulatory exposure narratives for leadership and risk stakeholders.
- Experience in regulated financial services environments, with an understanding of how SOC 2, MiFID II, DORA, or equivalent obligations shape risk framing and remediation prioritisation.
Professional Attributes
- Strong ethical standards and professionalism when working with sensitive systems and financial data.
- Ability to operate independently and manage multiple concurrent engagements with rigour and discipline.
- Collaborative mindset with the ability to build and maintain strong working relationships with engineering, product, and risk teams.
- Intellectually curious and self-directing; stays ahead of the threat landscape and brings new techniques into the programme proactively.
About S&P Global Market Intelligence
At S&P Global Market Intelligence, a division of S&P Global we understand the importance of accurate, deep and insightful information. Our team of experts delivers unrivaled insights and leading data and technology solutions, partnering with customers to expand their perspective, operate with confidence, and make decisions with conviction.
For more information, visit www.spglobal.com/marketintelligence.
What’s In It For You?
Our Mission:
Advancing Essential Intelligence.
Our People:
We're more than 35,000 strong worldwide—so we're able to understand nuances while having a broad perspective. Our team is driven by curiosity and a shared belief that Essential Intelligence can help build a more prosperous future for us all. From finding new ways to measure sustainability to analyzing energy transition across the supply chain to building workflow solutions that make it easy to tap into insight and apply it, we are changing the way people see things and empowering them to make an impact on the world we live in. We’re committed to a more equitable future and to helping our customers find new, sustainable ways of doing business. Join us and help create the critical insights that truly make a difference.
Our Values:
Integrity, Discovery, Partnership
Throughout our history, the world's leading organizations have relied on us for the Essential Intelligence they need to make confident decisions about the road ahead. We start with a foundation of integrity in all we do, bring a spirit of discovery to our work, and collaborate in close partnership with each other and our customers to achieve shared goals.
Benefits:
We take care of you, so you can take care of business. We care about our people. That’s why we provide everything you—and your career—need to thrive at S&P Global.
Our benefits include:
- Health & Wellness: Health care coverage designed for the mind and body.
- Flexible Downtime: Generous time off helps keep you energized for your time on.
- Continuous Learning: Access a wealth of resources to grow your career and learn valuable new skills.
- Invest in Your Future: Secure your financial future through competitive pay, retirement planning, a continuing education program with a company-matched student loan contribution, and financial wellness programs.
- Family Friendly Perks: It’s not just about you. S&P Global has perks for your partners and little ones, too, with some best-in-class benefits for families.
- Beyond the Basics: From retail discounts to referral incentive awards—small perks can make a big difference.
For more information on benefits by country visit: https://spgbenefits.com/benefit-summaries
Global Hiring and Opportunity at S&P Global:
At S&P Global, we are committed to fostering a connected and engaged workplace where all individuals have access to opportunities based on their skills, experience, and contributions. Our hiring practices emphasize fairness, transparency, and merit, ensuring that we attract and retain top talent. By valuing different perspectives and promoting a culture of respect and collaboration, we drive innovation and power global markets.
Recruitment Fraud Alert:
If you receive an email from a spglobalind.com domain or any other regionally based domains, it is a scam and should be reported to reportfraud@spglobal.com. S&P Global never requires any candidate to pay money for job applications, interviews, offer letters, “pre-employment training” or for equipment/delivery of equipment. Stay informed and protect yourself from recruitment fraud by reviewing our guidelines, fraudulent domains, and how to report suspicious activity here.
-----------------------------------------------------------
Equal Opportunity Employer
S&P Global is an equal opportunity employer and all qualified candidates will receive consideration for employment without regard to race/ethnicity, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, marital status, military veteran status, unemployment status, or any other status protected by law. Only electronic job submissions will be considered for employment.
If you need an accommodation during the application process due to a disability, please send an email to: EEO.Compliance@spglobal.com and your request will be forwarded to the appropriate person.
US Candidates Only: Know Your Rights: Workplace discrimination is illegal
-----------------------------------------------------------
103 - Middle Management (EEO Job Group) (inactive), 10 - Officials or Managers (EEO-2 Job Categories-United States of America), IFTECH103.2 - Middle Management Tier II (EEO Job Group)