Our goal

To be the dominant digital-first wealth and asset management partner for the underserved African middle class and fast-growing African businesses. We empower over 3 million customers to build a savings and investment culture across different asset classes. Our customer base continues to expand and we are committed to ensuring that every interaction with our platform provides the best experience possible.

The role

We need a generalist security engineer. Someone who can write a risk assessment in the morning run a pen test after lunch review code for vulnerabilities and help prepare for an audit the next day. Not a narrow specialist. Someone whos good across board and energized by variety.

Youll work with our engineering product risk and legal teams. Some days youre deep in code. Other days youre drafting a policy or reviewing a vendors security posture. This role is the kind that existed before security had its own department.

What youll do

AppSec

• Security code reviews and pen testing on web mobile and API
• Find triage and track vulnerabilities through to remediation. Own the full lifecycle
• SAST DAST SCA tooling in CI/CD
• Threat modelling for new features and architecture changes
• Review auth flows for weaknesses

Secure development

• Champion security practices across engineering. Be a partner not a gatekeeper
• Maintain secure coding standards for our stack
• Run security awareness sessions. Practical not preachy
• Review security-sensitive PRs

Infrastructure & APIs

• Assess and harden REST and third-party API integrations (payment gateways partner APIs)
• Review cloud configs (AWS/GCP) for misconfigurations
• Security requirements for new infrastructure and vendor decisions
• Periodic cloud and network security assessments

Fraud detection

• Build tune and maintain our internal fraud detection: rules signals detection logic
• Analyze transaction patterns and behavioural signals to spot anomalies
• Build automation that reduces manual triage work
• Work with product to embed fraud controls before features ship
• Investigate fraud incidents end-to-end
• Track fraud trends in African fintech and feed that back into detection

GRC

• Maintain security policies standards and procedures
• Support audits: evidence gathering gap remediation ISO 27001 PCI DSS SOC 2 CBN guidelines
• Vendor security risk assessments
• Own the risk register
• Security awareness training across the org not just engineering
• Incident response: investigation containment root cause post mortems
• Triage bug bounty and external vulnerability reports

What were looking for

Required

• 3 years in security engineering or infosec with exposure across multiple domains
• Application security fundamentals: OWASP Top 10 common vulnerabilities how to find and fix them
• Pen testing or vulnerability assessments (web API or mobile)
• GRC basics: risk assessments policies audit evidence compliance frameworks (ISO 27001 PCI DSS or similar)
• Vulnerability management: tracking prioritizing driving remediation
• Fraud detection transaction monitoring or trust & safety experience
• Clear writing. Vulnerability reports and policy documents with equal confidence.
• Able to collaborate across teams and drive alignment.

Nice to have

• Fintech payments or regulated financial services
• Cloud security: AWS or GCP config reviews IAM auditing storage misconfigs
• Mobile app security (iOS/Android OWASP MASVS)
• Scripting (Python Bash)
• Certs: CEH OSCP CompTIA Security CompTIA CySA ISO 27001 Lead Implementer
• Fraud rules engines anomaly detection behavioral analytics
• CBN cybersecurity frameworks and Nigerian fintech regulations

The people who succeed on this team:

• Genuinely curious across all of security
• Dont need a narrow lane. Variety is energizing not overwhelming
• Builders. Want to fix and improve not just document and report
• Comfortable with ambiguity. Were still defining what good looks like and youll help shape it
• Earn trust by being clear practical and genuinely helpful
• Care about the mission. Protecting peoples money isnt abstract.