Dear Hiring Manager,
I am applying to your graduate scheme on the security engineering track, newly graduated and keen to learn how to reduce real risk rather than just name vulnerabilities. I know a scheme weighs how teachable I am as much as what I can do today, so I want to pair a concrete project with a clear willingness to be guided. My strongest example is a university project where I triaged dependency risk in a small app, improved how it handled secrets, and added a simple check that caught an unsafe configuration before release.
A graduate security hire has to be coachable and quick to become useful, and I have tried to practise the judgement side, not just the tooling. The scheme asks for application security judgement, vulnerability triage, a feel for identity controls, and the ability to help developers rather than block them, and my project work leaned into exactly that balance. I am not overstating my depth; I am showing that I already think about likelihood and impact, not only the scary headline.
That project touched dependency scanning, basic threat modelling, and a small bit of Python, but the part I would want to discuss is the trade-off I made. I weighed the risk against how much friction the check added for the rest of the team, then built something light enough that people would actually keep it on. Learning to make that call well is the main thing I want from the scheme.
I would be glad to talk through the project, the risk I prioritised, and what I would most want to learn first. Security teams value engineers who reduce real risk without turning every review into a blocker, so I will be honest about my level and clear about where I want to grow.
Yours sincerely, Alex Morgan