Information Security Intern
Department: InfoSec GRC
Employment Type: Internship
Location: KSA
Description
Tabby builds financial products used by millions of users across the GCC. We work on high-load, security-critical systems with strict regulatory requirements. The Information Security function protects Tabby across mobile apps, backend services, payment integrations, and cloud infrastructure.
This internship is not educational by default. It is an engineering role with real responsibility.
Information Security at Tabby covers two complementary tracks:
Vulnerability Assessment & Penetration Testing (VAPT) — application security testing, security architecture reviews, threat modelling, secure code review, vulnerability triage, and incident response.
Governance, Risk & Compliance (GRC) — policy and control frameworks, compliance program support (PCI DSS, ISO 27001, SAMA), risk assessments, audit support, vendor security reviews, and security awareness.
The team works closely with product engineering, risk engineering, and platform / SRE.
The internship is designed for strong early-career engineers who want to grow as security practitioners. Candidates apply once — during interviews we match each candidate to the track that fits best. Interns are embedded with the security team, work on real assessments and remediation or compliance tasks under senior review, and are expected to meet engineering standards from day one.
Key Responsibilities
This is not a helper or shadow-only role. Interns work on real production tasks under senior review.
On the VAPT track:
Triage findings from SAST, DAST, SCA, and dependency scanners across mobile and backend repos
Reproduce and document vulnerabilities; write clear remediation tickets for product teams
Contribute to secure code reviews on selected merge requests (auth, input validation, data handling)
Participate in threat-modelling sessions for new features and produce write-ups
Run scoped assessments against staging environments under senior sign-off
Help maintain security tooling: scanner configs, baseline rules, dashboards, false-positive triage queues
Help with security checks during release cycles
Contribute to DevSecOps — security gates in CI/CD pipelines, dependency and container image scanning
Exposure to logging, monitoring, and alert triage workflows alongside the SOC
Participate in incident response exercises and post-mortems alongside senior engineers
On the GRC track:
Support compliance programs against frameworks like PCI DSS, ISO 27001, and SAMA — evidence collection, control mapping, gap analysis
Help maintain security policies, standards, and procedures across domains — access control, cryptography, asset management, change management, third-party security, vulnerability management, awareness and training — track owners and review cycles
Contribute to risk assessments — risk registers, control testing, treatment plans
Support vendor and third-party security assessments
Help prepare for internal and external audits — workpapers, evidence packages, response coordination
Contribute to security awareness content, training rollouts, and metrics tracking
Work alongside engineering teams to translate policy requirements into concrete technical controls
On both tracks:
Work with risk and platform engineers on PII handling, secrets management, and encryption reviews
Contribute to the internal security knowledge base (runbooks, playbooks, awareness content)
Skills, Knowledge & Expertise
Solid understanding of information security fundamentals: confidentiality, integrity, availability; common attack categories (OWASP Top 10) and common control categories
Understanding of HTTP, TLS, DNS, and TCP/IP fundamentals
Understanding of authentication and authorization patterns (sessions, cookies, OAuth 2.0, JWT)
Familiarity with Linux command line and POSIX-like environments
Ability to read technical material and explain it clearly in writing
Experience with Git and standard development workflows
Strong ethical mindset and discretion — security findings and compliance evidence are sensitive by default, non-disclosure outside the team is non-negotiable
Open to constructive feedback
English sufficient for documentation and team communication
For the VAPT track:
Working knowledge of a programming language (Python or Go preferred)
CTF participation (Hack The Box, TryHackMe, picoCTF, SAFCSP CTFs) with documented solves or write-ups
Hands-on experience with Burp Suite Community, OWASP ZAP, or similar interception proxies
Familiarity with vulnerability scanners (Nessus, OpenVAS, Trivy, Grype) or SAST/SCA tools (Semgrep, CodeQL, Snyk)
Familiarity with mobile app security basics (iOS / Android — certificate pinning, secure storage, deep-link risks)
Exposure to container and orchestration security (Docker, Kubernetes — image scanning, RBAC)
Bug bounty submissions on any public program (HackerOne, Bugcrowd, Intigriti)
Familiarity with DevSecOps tooling — CI/CD security gates, IaC scanning, container image scanning
Exposure to SIEM or SOC tooling — log analysis, alert triage
Basic knowledge of SQL and how queries can be abused
Familiarity with cryptography fundamentals (symmetric vs asymmetric, hashing, signing — conceptual)
For the GRC track:
Exposure to security frameworks: PCI DSS, ISO 27001, NIST CSF, or SAMA CSF
Awareness of risk management concepts — likelihood, impact, residual risk, control effectiveness
Comfort with structured documentation: writing clear policies, procedures, evidence narratives
Familiarity with audit basics — sampling, control testing, evidence collection
Awareness of GDPR or other privacy regulations
Exposure to GRC tooling (Vanta, Drata, OneTrust, or similar)
For both tracks:
Understanding of cloud security basics on GCP (IAM, VPC isolation, secrets, KMS)
Interest in security automation and security platform engineering
Prior professional information security experience
Mastery of all listed tools and frameworks
Ability to perform independent penetration tests on production systems
Deep cryptography, reverse-engineering, or compliance-framework expertise
Existing certifications (OSCP, CEH, Security+, CISA, CISM, CRISC) — welcome but not required
Saudi nationals only
Self-funded internship by Tabby
We welcome both current students and fresh grads
We expect a full-time level of engagement throughout the internship. The program is not part-time: interns should be ready to contribute at a full working-day pace. We understand that students may occasionally need flexibility for classes or exams, which can be aligned with the mentor in advance, but overall performance, ownership, and context involvement are expected at a full-time level.
Format
Paid internship
Full integration into the Information Security team
Distributed engineering team across multiple countries
Open to Saudi nationals (Saudi passport required); location flexible — candidates may be based outside KSA
Office-first in Riyadh where possible
Clear path to a junior Information Security engineer role based on performance
This internship is intentionally demanding and designed for candidates aiming for fast professional growth in information security at a regulated fintech.