6 Things We Learned While Onboarding a Security Engineer

Dominik Bermühler and Gregory Weibell · March 16, 2023 · 9 min read



Hello, World! This is Dominik and Gregory from the Security Engineering team here at AutoScout24. We’re excited to share some of our recent insights with you in this blog post. Gregory recently went through the onboarding process, supported by his onboarding buddy Dominik, and in reflecting on his journey, we identified several key principles that were crucial in making his experience a success. As a result, we want to share these principles with you in the hope that they will help you in similar situations, whether as a new joiner, their buddy, or as someone involved in another way. Let’s get started!

Principle 1: Create a clear onboarding roadmap

The first few weeks after joining a new company are usually quite intense. There are so many new people, programming languages, tools, processes and systems to learn about, along with how they relate to each other. This can leave new joiners feeling lost in a jungle of new information.

A well-structured onboarding roadmap can ease this transition. This roadmap should be broken down into smaller chunks or tasks, each with a clear focus, that can then be completed step by step. Tasks can take various formats, for example:

  • A team member could present a tool they use in their day-to-day work.
  • An introduction meeting with an important team or person that our team interacts with.
  • Practical exercises to try out and reflect on previously learned skills.

The onboarding buddy should prioritize and order these tasks dynamically, allowing the new joiner to build up their knowledge incrementally and efficiently without being overwhelmed by the sheer amount of new information.

We have found that using a roadmap with predefined (rather than ad-hoc) onboarding tasks has several advantages:

  • It provides a timeframe for staying focused – a vision, so to speak, for how deep to go into a certain area.
  • It gives guidance on what to learn first.
  • Apart from being motivating, ticking off a task as “completed” makes the new joiner’s progress transparent, both to themselves as well as to the team.
  • A Definition of Done for each task additionally communicates clear goals for each task.

The “Definition of Done” items not only provide the new joiner with a clear checklist to go through when working on an onboarding task. They also help team members who support onboarding sessions, but who may not be familiar with the exact contents or goals of a task, to clearly understand the intention of the onboarding buddy, who has a bigger picture in mind. This reduces the risk of content being skipped or repeated, causing gaps or overlaps.

Principle 2: Leave room for personal exploration

While it might be tempting to fill your new colleague’s calendar with as many onboarding sessions as possible, this approach will not get them onboarded any faster. On the one hand, introductory sessions are helpful and important, for example to learn about specific tools used within the team. On the other hand, it is also important to give the new joiner time alone to explore and to fully understand new information, perhaps even to dive deeper into areas they are especially interested in. We therefore recommend allowing the new joiner to set aside ample time between sessions to gain hands-on experience and to reflect on how this new knowledge relates to previously discussed topics.

For example, what worked well for the two of us was to schedule onboarding presentations in the morning and then allow time for exploration in the afternoon. Explaining how AWS CDK is used at AutoScout24 in the morning and having Gregory work on the CDK Workshop in the afternoon proved to be an effective way to reinforce what he had learned.

Ideally, these practical onboarding tasks should not only provide an opportunity to gain practical experience, but also provide value to the team. After discussing how we use Steampipe in our daily work to retrieve information about resources in our AWS infrastructure, for example, Gregory put it into practice by double-checking that there weren’t any access keys that hadn’t been rotated recently. We applied the same principle to other common tasks, such as working with our project template, becoming familiar with our documentation and making use of our tech stack.

Principle 3: Create a space for all kinds of questions

As a new joiner you naturally have a lot of questions: How do I get access to our AWS account? Whom can I contact in case of technical problems with my laptop? What projects are we currently working on? Some questions might even seem benign or awkward, so you might hesitate to ask, perhaps due to fear of judgement. In any case, it is helpful if the onboarding buddy creates a positive and open atmosphere to encourage questions and to support where possible.

A communicative team and a generally open communication culture across the organization is a great benefit. As a new joiner, there are multiple ways to get to know and reach out to others and to find support:

  • Since most of our text-based communication at AutoScout24 occurs over Slack, it is possible and acceptable to reach out to others by directly messaging them.
  • In our team’s daily video call, we align and discuss current topics, allowing team members to “tag along” for specific tasks (e.g., pair programming).
  • Team members are open for questions throughout the day, often resulting in ad-hoc calls to discuss tasks and possible solutions.
  • The onboarding buddy arranged for additional, daily one-on-one calls for open questions, to see how things are going, to reflect on where we were on the onboarding roadmap and whether there were any blockers.
  • The manager has an open-door policy, regularly checks up on one’s well-being and occasionally delegates tasks to the new joiner to get them involved in various aspects of the team’s daily work.

Overall, such communication tools, opportunities and patterns create an environment in which new joiners always have people to reach out to and to find support when needed.

Principle 4: Teach the “unspoken” team rules

Teams often have “unspoken” or implicit rules or processes that have evolved organically over time, without being explicitly communicated or formalized. These can be about simple questions like “What Jira templates do we usually use?” or touch on more complex topics, such as patterns and policies for fulfilling our role and responsibility in the company. Having an understanding of and being cautious about those unwritten rules, big or small, is often crucial for making independent decisions in your day-to-day work.

Such rules, conventions or practices often exist only in the collective consciousness of the team. Because this team culture and its rules evolved organically and are usually not written down, different perceptions of them can exist within the team. Therefore, it may be helpful to gather different perspectives from the team to align everyone’s understanding.

New joiners have an unbiased view of the team, making it an ideal task for them to collect those different perspectives, primarily because:

  • They get to interact with every team member.
  • They learn about different perceptions of the team’s culture.
  • They can take notes on what they have learned and, in case of diverging perceptions, initiate a discussion to align everyone’s understanding.

Principle 5: Involve the whole team in the onboarding process

It is important to remember that as an onboarding buddy, you don’t have to bear the entire workload and responsibility of successfully onboarding the new joiner on your own. In fact, it can be beneficial to involve other team members in the process. By distributing the workload among team members, you can not only lighten your own load, but also give the new joiner the opportunity to get to know more people within the team.

Consider having many one-on-one sessions between the new joiner and other team members to cover specific topics or tools. This not only helps distribute the workload, but also allows the new joiner to get more in-depth knowledge on certain topics from those who are experts in the area.

Encouraging the new joiner to get in touch with every team member gives them a chance to build relationships and to get a better understanding of the team dynamic. Overall, involving the rest of the team in the onboarding process not only helps distribute the workload, but also creates a more inclusive onboarding experience for the new joiner.

Principle 6: Learn the tricks of the trade by observing your team members

In our area of work, it has become increasingly important to “look over a colleague’s shoulder” not in a physical but in a digital sense, with screen sharing being part of common video call solutions. This creates a great environment for a new joiner to tag along with a skilled coworker who shares their screen and to use this as a learning opportunity to observe common actions and shortcuts.

In our case, pair programming works well for working together on our set of tools such as security scanners. By working together with a colleague, the new joiner can learn new skills, ask questions and get feedback in real time. Moreover, they can observe how their colleagues solve issues and can learn from their expertise. Another common theme where this works well is incident response situations, which are a good opportunity for a new joiner to learn about security tools and the runbooks that we use to handle specific situations, being exposed to real-world security threats and learning how to deal with them.

Therefore, do not hesitate to include new joiners in routine, perhaps seemingly mundane tasks, since these can still be valuable learning opportunities and spark new conversations.


In summary, onboarding is a critical process for any new joiner, and it requires careful planning and execution. To make the process smooth and effective, it is essential that the assigned onboarding buddy prepares a well-defined onboarding plan and yet is open to make slight adjustments along the way. It is important to leave room for personal exploration and to involve new joiners in daily activities. By taking these steps, companies can ensure that new joiners have a positive experience and can contribute to the team’s success early on.

Remember, onboarding is a journey, not just a one-time event, and it is up to the new joiner, the onboarding buddy, the manager and the team to make it a success!


About the authors

Dominik Bermühler

Dominik is a Security Engineer at AutoScout24 and has extensive experience in AWS cloud security, software engineering, DevOps, and application security. He is passionate about developing customer-centric security products written in clean code.

Gregory Weibell

Gregory is a Security Engineer. As an OSCP-certified security professional, he is passionate about detecting, responding to, and protecting against cyberthreats. He has multiple years of experience in software engineering in developer, support engineering, and facilitator roles.
