Cyber & AI Security Engineer

Job Description – Cyber & AI Security Engineer
Job Details
• Job title: Cyber and AI Security Engineer (ARYADA) 
• Reports to (job): Senior Cloud Engineering Manager 
• Team: Mobile DDOPs – Cloud & MLOps Engineering 
• Location: London, UK 
• Hours: 37.5 
• Career Level: D 

Why BT Group?
BT Group was the world’s first telco and our heritage in the sector is unrivalled. As home to several of the UK’s most recognised and cherished brands – BT, EE, Openreach and Plusnet, we have always played a critical role in creating the future, and we have reached an inflection point in the transformation of our business. 

Over the next two years, we will complete the UK’s largest and most successful digital infrastructure project – connecting more than 25 million premises to full fibre broadband. Together with our heavy investment in 5G, we play a central role in revolutionising how people connect with each other. 

While we are through the most capital-intensive phase of our fibre investment, meaning we can reward our shareholders for their commitment and patience, we are absolutely focused on how we organise ourselves in the best way to serve our customers in the years to come. This includes radical simplification of systems, structures, and processes on a huge scale. Together with our application of AI and technology, we are on a path to creating the UK’s best telco, reimagining the customer experience and relationship with one of this country’s biggest infrastructure companies. 

Change on the scale we will all experience in the coming years is unprecedented. BT Group is committed to being the driving force behind improving connectivity for millions and there has never been a more exciting time to join a company and leadership team with the skills, experience, creativity, and passion to take this company into a new era. 

Why this job matters
We are seeking an AWS Cloud & AI Security Engineer to design, implement, and operate security controls across AWS cloud platforms, AI/ML workloads, and Generative AI (GenAI) services. The role has a strong focus on threat detection and response, with particular emphasis on Amazon GuardDuty, Inspector and its integration into enterprisescale security operations. 

You will work closely with platform, MLOps, data science, and security teams to embed securitybydesign, automate detection and response, and ensure AI systems are protected against evolving cloud and AIspecific threats. 

What you’ll be doing – your accountabilities
• Secure AI/ML platforms using AWS SageMaker and Amazon Bedrock, covering notebooks, pipelines, endpoints, and inference workflows. 
• Implement security controls for training and inference data isolation, protection of model artefacts/container images, and secure GenAI endpoints/RAG data sources. 
• Monitor and respond to GuardDuty and Cloudtrail findings related to IAM credential compromise, EC2/EKS threats, S3 access anomalies, and cryptomining. 
• Integrate GuardDuty with Security Hub, CloudWatch, and SIEM platforms; tune findings and suppress false positives. 
• Develop automated response playbooks using Lambda and Step Functions. 
• Lead incident response activities, containment, and rootcause analysis. 
• Contribute to threat modelling exercises for cloud, ML, and GenAI architecture. 
• Feed lessons learned back into detection rules and preventative controls. 
• Support compliance with internal security baselines and external regulatory requirements. 
• Define and enforce controls governing how context, prompts, tools, plugins, and external data sources are exposed to AI models. 
• Work with MLOps teams to ensure MCP implementations follow least-privilege and data minimisation principles. 
• Maintain awareness of emerging Gen AI attack vectors such as context/prompt injection and data leakage. 
• Integrate AWS WAF with API Gateway to protect against common web and API-specific attack patterns. 
• Support alerting and investigation of suspicious API behaviour, including excessive token usage or unauthorised endpoint access. 

The skills you’ll need to succeed
• Deep expertise in IAM, VPC security, encryption, and network segmentation. 
• Proven hands-on experience with Amazon GuardDuty in production environments. 
• Ability to tune and optimise GuardDuty to reduce noise and improve detection accuracy. 
• Familiarity with SageMaker security constructs, Bedrock access controls, and EKS runtime security. 
• Experience working in automation-driven, IaC-based environments. 
• Understanding of data protection, privacy, and model lifecycle risks. 
• Understanding of Model Context Protocols (MCPs) or equivalent patterns used in GenAI systems. 
• Experience defining security controls for agent-based or tool-driven GenAI systems. 
• Hands-on experience securing Amazon API Gateway and familiarity with WAF protections. 
• Experience integrating API Gateway with Lambda, SageMaker, and Bedrock-backed services. 
• Experience with continuous vulnerability management using Amazon Inspector (EC2, ECR, Lambda). 
• Ability to define standards for secure AI APIs, including GenAI, MCPs, and agent-based systems. 
• Sound understanding of OAuth 2.0/OpenID connect integrations and mTLS. 

Leadership accountabilities
• Solution Focused Achiever
: Deliver ambitious goals and cut through complexity to get to the right ethical solution. 
• Change Agent
: Identify, create, and lead smooth business changes; adapt quickly to ambiguity. 
• Team Coach
: Coach and develop your people. 
• Decision Making
: Gather information, analyse scenarios, and reach decisions. 

Experience you’d be expected to have
• Degree in Computer Science/Engineering (or equivalent practical experience leading production cloud/ML platforms). 
• AWS certifications strongly preferred – AWS Security Speciality. 
• Strong understanding of API authentication, authorisation, throttling, and abuse prevention. 
• Familiarity with GenAI interaction standards, orchestration layers, or AI gateways. 
• Hands-on delivery experience with Amazon Bedrock to run agentic apps safely and build observability around them. 

Key decisions & Compliance
• Key Decisions
: If the job has key decision rights, list these here (see RAPID guidance). 
• Being trusted: Our code
: Compliance with all BT Group policies is mandatory for all employees. Policies are accessible via the Policy Portal and should be adhered to in-line with Standards of Behaviour and "Being trusted: our code.