About the company
Tabby builds financial products used by millions of users across the GCC. We work on high-load, security-critical systems with strict regulatory requirements. The Information Security function protects Tabby across mobile apps, backend services, payment integrations, and cloud infrastructure.
This internship is not educational by default. It is an engineering role with real responsibility.
Context
Information Security at Tabby covers two complementary tracks:
- Vulnerability Assessment & Penetration Testing (VAPT) — application security testing, security architecture reviews, threat modelling, secure code review, vulnerability triage, and incident response.
- Governance, Risk & Compliance (GRC) — policy and control frameworks, compliance program support (PCI DSS, ISO 27001, SAMA), risk assessments, audit support, vendor security reviews, and security awareness.
The team works closely with product engineering, risk engineering, and platform / SRE.
The internship is designed for strong early-career engineers who want to grow as security practitioners. Candidates apply once — during interviews we match each candidate to the track that fits best. Interns are embedded with the security team, work on real assessments and remediation or compliance tasks under senior review, and are expected to meet engineering standards from day one.
What you will do
This is not a helper or shadow-only role. Interns work on real production tasks under senior review.
On the VAPT track:
- Triage findings from SAST, DAST, SCA, and dependency scanners across mobile and backend repos
- Reproduce and document vulnerabilities; write clear remediation tickets for product teams
- Contribute to secure code reviews on selected merge requests (auth, input validation, data handling)
- Participate in threat-modelling sessions for new features and produce write-ups
- Run scoped assessments against staging environments under senior sign-off
- Help maintain security tooling: scanner configs, baseline rules, dashboards, false-positive triage queues
- Help with security checks during release cycles
- Contribute to DevSecOps — security gates in CI/CD pipelines, dependency and container image scanning
- Exposure to logging, monitoring, and alert triage workflows alongside the SOC
- Participate in incident response exercises and post-mortems alongside senior engineers
On the GRC track:
- Support compliance programs against frameworks like PCI DSS, ISO 27001, and SAMA — evidence collection, control mapping, gap analysis
- Help maintain security policies, standards, and procedures across domains — access control, cryptography, asset management, change management, third-party security, vulnerability management, awareness and training — track owners and review cycles
- Contribute to risk assessments — risk registers, control testing, treatment plans
- Support vendor and third-party security assessments
- Help prepare for internal and external audits — workpapers, evidence packages, response coordination
- Contribute to security awareness content, training rollouts, and metrics tracking
- Work alongside engineering teams to translate policy requirements into concrete technical controls
On both tracks:
- Work with risk and platform engineers on PII handling, secrets management, and encryption reviews
- Contribute to the internal security knowledge base (runbooks, playbooks, awareness content)
Required
- Solid understanding of information security fundamentals: confidentiality, integrity, availability; common attack categories (OWASP Top 10) and common control categories
- Understanding of HTTP, TLS, DNS, and TCP/IP fundamentals
- Understanding of authentication and authorization patterns (sessions, cookies, OAuth 2.0, JWT)
- Familiarity with Linux command line and POSIX-like environments
- Ability to read technical material and explain it clearly in writing
- Experience with Git and standard development workflows
- Strong ethical mindset and discretion — security findings and compliance evidence are sensitive by default, non-disclosure outside the team is non-negotiable
- Open to constructive feedback
- English sufficient for documentation and team communication
Strong plus
For the VAPT track:
- Working knowledge of a programming language (Python or Go preferred)
- CTF participation (Hack The Box, TryHackMe, picoCTF, SAFCSP CTFs) with documented solves or write-ups
- Hands-on experience with Burp Suite Community, OWASP ZAP, or similar interception proxies
- Familiarity with vulnerability scanners (Nessus, OpenVAS, Trivy, Grype) or SAST/SCA tools (Semgrep, CodeQL, Snyk)
- Familiarity with mobile app security basics (iOS / Android — certificate pinning, secure storage, deep-link risks)
- Exposure to container and orchestration security (Docker, Kubernetes — image scanning, RBAC)
- Bug bounty submissions on any public program (HackerOne, Bugcrowd, Intigriti)
- Familiarity with DevSecOps tooling — CI/CD security gates, IaC scanning, container image scanning
- Exposure to SIEM or SOC tooling — log analysis, alert triage
- Basic knowledge of SQL and how queries can be abused
- Familiarity with cryptography fundamentals (symmetric vs asymmetric, hashing, signing — conceptual)
For the GRC track:
- Exposure to security frameworks: PCI DSS, ISO 27001, NIST CSF, or SAMA CSF
- Awareness of risk management concepts — likelihood, impact, residual risk, control effectiveness
- Comfort with structured documentation: writing clear policies, procedures, evidence narratives
- Familiarity with audit basics — sampling, control testing, evidence collection
- Awareness of GDPR or other privacy regulations
- Exposure to GRC tooling (Vanta, Drata, OneTrust, or similar)
For both tracks:
- Understanding of cloud security basics on GCP (IAM, VPC isolation, secrets, KMS)
- Interest in security automation and security platform engineering
What we do not expect
- Prior professional information security experience
- Mastery of all listed tools and frameworks
- Ability to perform independent penetration tests on production systems
- Deep cryptography, reverse-engineering, or compliance-framework expertise
- Existing certifications (OSCP, CEH, Security+, CISA, CISM, CRISC) — welcome but not required
Eligibility
- Saudi nationals only
- Self-funded internship by Tabby
- We welcome both current students and fresh grads
- We expect a full-time level of engagement throughout the internship. The program is not part-time: interns should be ready to contribute at a full working-day pace. We understand that students may occasionally need flexibility for classes or exams, which can be aligned with the mentor in advance, but overall performance, ownership, and context involvement are expected at a full-time level.