AstraZeneca SDE Onboarding and First 90 Days Tips 2026
TL;DR
AstraZeneca’s SDE onboarding is structured but slow, with real productivity starting only after day 45. The first 90 days test your ability to navigate bureaucracy, not code. Your success depends less on technical skill and more on your alignment with compliance-driven workflows and stakeholder mapping.
Who This Is For
You’re a new or incoming Software Development Engineer (SDE) at AstraZeneca, likely hired at L5–L6 (IC) or 7–8 (Senior IC), reporting into one of the AZ Digital hubs—Cambridge, Gaithersburg, or Mumbai. You have a background in cloud-native systems or enterprise SaaS, but limited pharma experience. This guide is for engineers who want to avoid 30-day stagnation and signal impact by week 10.
What does AstraZeneca SDE onboarding actually look like in practice?
Onboarding lasts 21 business days but delivers only 7 days of technical relevance. The rest is compliance, GxP training, and HR policy immersion. In Q1 2025, a hiring manager in Gaithersburg told the HC: “We lost two strong engineers in month one because they thought ‘shadowing’ meant passive observation, not active documentation.”
Not learning the codebase, but learning who controls access to it. AstraZeneca’s engineering systems are siloed by therapeutic area (Oncology, CVRM, Respiratory) and region. Your access to repositories, CI/CD pipelines, and production logs is gated by data governance boards, not your manager.
In my debrief with the AZ Digital HC last June, one lead noted: “The engineer who passed probation fastest didn’t commit first — they mapped the approval chain for deployment sign-offs in week two.” That engineer identified three clinical compliance reviewers and scheduled weekly touchpoints before writing a single line of code.
Your first week is 80% administrative: badge activation, VPN setup, GxP e-learning (28 modules, 4 hours total), and mandatory data privacy certification. Week two introduces platform orientation — AWS/Azure hybrid setup, internal tooling (e.g., AZ DevOps Portal), and the “Change Control” process for code deployment.
Not speed, but auditability. Every commit must be linked to a validated user story in Jira, which itself must reference a risk-assessed requirement in the Validation Master Plan (VMP). This isn’t optional; it’s enforced in biweekly audits.
How should I prioritize my first 30 days as an SDE at AstraZeneca?
Focus on access, not output. Your primary goal in month one is securing system permissions and understanding change workflows. Engineers who ask for access on day one and follow up daily get provisioned in 8–12 days. Those who wait for “onboarding to finish” average 23 days — a gap that delays their first PR by three weeks.
In a Q3 2025 HC debate, a lead in Cambridge argued against extending an offer to convert a contractor because “they didn’t initiate access requests independently — waited for the manager to push IT.” The committee sided with the lead. Autonomy in access procurement is a proxy for initiative in pharma engineering.
Map your deployment chain. Identify: (1) the DevOps liaison, (2) the QA validation lead, (3) the GxP compliance officer for your module. Book 30-minute intros. Not to impress — to understand their checklist.
Good: An SDE in Oncology Digital automated a test report but waited for QA sign-off before merging. They documented the change control impact, reducing audit rework.
Bad: An SDE in Data Platforms deployed a minor logging fix directly to staging. It triggered a deviation report. The fix was correct, but the process violation required a root cause analysis (RCA) that took two weeks to close.
Not code quality, but change hygiene. Your first PR should be small, well-documented, and pre-reviewed by compliance. Signal respect for process — not disdain for slowness.
What technical systems will I work with during onboarding?
You’ll operate in a hybrid cloud environment: AWS for analytics workloads, Azure for clinical systems, and on-prem VMs for legacy GxP applications. The standard stack is Java 17 + Spring Boot, Python 3.11 for data pipelines, React 18 for frontends, and Kubernetes via Red Hat OpenShift.
In a debrief with the AZ Data & AI HC, one hiring manager rejected a candidate’s probation review because “they used Helm charts without tagging them for audit retention.” All infrastructure-as-code must include metadata fields for version traceability and owner accountability.
You’ll use AstraZeneca’s internal DevOps portal — a custom layer over Jenkins, Bitbucket, and SonarQube. Pipelines require dual approval: one from engineering, one from QA. Static analysis gates are strict: SonarQube blocks merges for any critical CVE or coverage drop below 78%.
Your IDE isn’t your choice. You’ll use IntelliJ or VS Code, but only with AZ-approved plugins. Local development requires encrypted containers. Code can’t leave the network — not even to GitHub Copilot. The company uses a firewalled AI coding assistant trained on internal repos, but access is tiered. L5 engineers get read-only; L7+ get generation rights.
Not innovation, but compliance embedding. One SDE in Gaithersburg proposed using Terraform for a new microservice. The architecture board approved it — but only after a 14-day security review and a signed exception form.
You’ll also interface with Veeva, Medidata Rave, and SAP PHIs — all regulated systems. Any integration must pass a data classification review. Touching patient data? That’s “Tier 1” — requires encryption at rest, audit logs, and annual re-certification.
How do performance expectations differ from tech companies?
Output is measured in audit readiness, not velocity. At Google or Meta, your first PR might be expected in 5 days. At AstraZeneca, it’s 21 — but it must be 100% compliant.
In a 2025 HC discussion, a senior director stated: “We’d rather an engineer ship nothing in 60 days than ship fast and trigger a 483 observation.” The reference was to an FDA inspection report from a competitor whose CI/CD pipeline lacked code pedigree tracking.
Your sprint goals include non-functional deliverables: test validation summaries, change control documentation, and risk assessment updates. These aren’t “extra” — they’re graded. One SDE was rated “Below Expectations” in their 90-day review because their Jira tickets lacked traceability to the System Impact Assessment (SIA). Their code worked. It didn’t matter.
Not features built, but deviations avoided. A high performer in Respiratory Digital didn’t deploy the most code — they had zero audit findings across three releases. That became their promotion narrative.
You’ll have a 90-day probation review, not a “ramp-up” check-in. The panel includes your manager, a tech lead, a QA representative, and a compliance officer. They assess: (1) adherence to SDLC policy, (2) documentation quality, (3) stakeholder engagement, and (4) technical output. The first three carry 70% weight.
How can I signal impact before day 90?
Identify a “compliance debt” item and close it. Not a bug fix — a process gap. Examples: incomplete runbooks, missing rollback procedures, or unvalidated monitoring alerts.
In Q4 2025, an L5 SDE in Cambridge reviewed five recent change controls and found that 60% lacked proper rollback validation. They built a checklist, got it approved by QA, and applied it retroactively. That single act was cited in their probation approval as “proactive risk mitigation.”
Collaborate with QA early. Invite them to design reviews. Not for feedback — for co-ownership. One SDE in Data Engineering had QA sign off on their test plan before coding began. That reduced validation cycle time from 10 days to 3.
Not solving the hardest problem, but reducing the organization’s risk surface. Another SDE automated a manual GxP log review process. The script saved 12 hours/month. Small. But it eliminated a human error vector — a win in audit terms.
Document everything. Use Confluence, not Slack. In a debrief, a tech lead said: “If it’s not in Confluence, it didn’t happen.” That’s not culture — it’s regulatory necessity. Audit trails require written records.
Your 90-day summary should include: (1) number of change controls completed, (2) audit findings avoided, (3) access levels obtained, and (4) compliance training completed. Technical metrics (PRs merged, bugs fixed) are secondary.
Preparation Checklist
- Complete all GxP and data privacy e-learning before day one — 28 modules, ~4 hours
- Request system access on day one via the AZ IT portal — follow up daily until granted
- Map your deployment approval chain: DevOps, QA, Compliance — schedule intro meetings
- Review the Validation Master Plan (VMP) for your project — understand traceability requirements
- Work through a structured preparation system (the PM Interview Playbook covers regulated tech environments with real debrief examples)
- Set up encrypted development containers — test connectivity to internal repos before coding
- Identify one compliance debt item to resolve by week 6 — audit logs, runbooks, rollback plans
Mistakes to Avoid
BAD: Assuming “agile” means fast iteration. One SDE in Oncology pushed three PRs in week two. All were rolled back. Why? No change control ticket was opened. The code was technically sound. It violated GxP process.
GOOD: Opening a change control ticket before writing code — even for a config update.
BAD: Using personal tools like GitHub Copilot or未经批准的 extensions. One engineer was temporarily suspended for using a public LLM to generate test data — it contained synthetic but plausible PHI.
GOOD: Using only AZ-approved tooling, including the internal AI coding assistant, and validating all test data with the data governance team.
BAD: Prioritizing feature velocity over documentation. An SDE in Data Platforms built a pipeline that worked but had no runbook. During an audit, the system was flagged as “unvalidated.”
GOOD: Writing runbooks and test validation summaries in parallel with development — treating them as code.
FAQ
Is AstraZeneca’s engineering culture really slower than big tech?
It’s not slower — it’s sequenced. Code review takes 5–7 days because QA and compliance are in the loop. At Meta, you might deploy in hours. At AZ, you prove every change is auditable. The delay isn’t inefficiency — it’s risk control. Your job is to work within the sequence, not fight it.
Do I need pharma experience to succeed in the first 90 days?
Not experience — but pattern recognition. You don’t need to know GxP, but you must learn to spot compliance signals: traceability, validation, audit trails. Engineers who treat every task as potentially auditable adapt fastest. The ones who dismiss “process” don’t last past probation.
What happens if I fail the 90-day probation?
You’re reassigned or exited. AZ doesn’t extend probation beyond 90 days for SDEs. The review is binary: approve or terminate. The most common reason for failure isn’t technical weakness — it’s underestimating documentation and compliance. One engineer was let go after deploying code that passed testing but lacked a risk assessment link in Jira. The fix was trivial. The process break wasn’t.
Ready to build a real interview prep system?
Get the full PM Interview Prep System →
The book is also available on Amazon Kindle.