Tabby | تابي

Information Security Analyst I (PenTester)

Riyadh, Riyadh Province, Saudi Arabia · Full-time

Experience
Any
Salary
Openings
1
Posted
15 hours ago
Work mode
In office
Education
Bachelor's degree
Eligibility
Applicants should be early-career cybersecurity or IT graduates with the foundational knowledge and hands-on exposure needed to support offensive security testing in a structured learning environment.
Resume
Required to apply

Job description

About the role

Tabby is a fintech company focused on giving people greater control over how they spend, earn, and save. More than 15 million users rely on the platform to manage money more flexibly, and over 40,000 global brands and smaller businesses — including Amazon, Noon, IKEA, and SHEIN — use Tabby to support growth through interest-free, fee-free payment options online and in stores. Since launching in 2019, Tabby has become one of the fastest-growing and most highly rated fintechs in the GCC, processing more than $10 billion in annual transaction volume and securing over $1 billion in equity and debt funding, with a valuation of $4.5 billion.

This position is an early-career entry point into offensive security within the InfoSec Monitoring function in KSA. The role is designed to build practical exposure to industry practices, including OWASP Top 10, MITRE ATT&CK, and related offensive security methods, while helping the team verify and improve the organization’s security posture before threats can exploit weaknesses.

What you will do

  • Support senior security engineers with penetration testing across web applications, APIs, and network infrastructure by carrying out assigned test cases and clearly recording the results.
  • Assist with vulnerability assessments using automated tools such as Nmap and other scanners, then confirm outputs through basic manual validation when needed.
  • Take part in red team activities in a supporting capacity, learning how adversary simulation is planned and executed within approved scenarios.
  • Help run controlled offensive security exercises, which may include executing scripts, preparing test environments, and supporting phishing simulation tasks under direction.
  • Contribute to the discovery, documentation, and tracking of vulnerabilities throughout the assessment and remediation process.
  • Build and maintain simple scripts and utilities that help automate offensive security tasks.
  • Analyze findings by noting reproduction steps, evidence, and early severity indicators for senior review.
  • Compile penetration test reports by organizing screenshots, tool outputs, and findings into structured templates.
  • Monitor vulnerability status and remediation progress, keeping records accurate in tracking systems.
  • Re-test systems after fixes are confirmed to help validate that issues have been resolved.
  • Observe purple team exercises and support detection and incident response learning.
  • Provide basic assistance with log collection and organization during active security incidents.
  • Keep offensive security documentation current, including tools, tactics, and methods used by the team.
  • Support compliance-focused testing by executing predefined checks for regulatory controls such as SAMA CSF and PCI-DSS.
  • Continue building technical depth through self-driven study of offensive security techniques, new vulnerabilities, and attack paths.
  • Help prepare technical examples and real-world findings for the security awareness program.

What we are looking for

  • A bachelor’s degree in Information Technology, Computer Science, Software Engineering, Cybersecurity, or a related discipline.
  • Working knowledge of common vulnerabilities and attack patterns, including OWASP Top 10, CVEs, and frequent misconfigurations.
  • Basic understanding of networking protocols such as TCP/IP, DNS, HTTP/S, FTP, and SMB, along with how attackers may misuse them.
  • Hands-on exposure to at least one relevant security tool category, such as port scanners, web proxies, or vulnerability scanners.
  • Foundational scripting or programming ability in Python, Bash, or PowerShell for automation tasks.
  • Basic familiarity with both Windows and Linux operating system internals.
  • Awareness of the MITRE ATT&CK framework and adversary behavior mapping.
  • Exposure to cloud environments such as AWS, Azure, or GCP is considered beneficial.

Additional information

Department: InfoSec Monitoring. Location: KSA.
