Navan is looking for a Security Governance & Awareness Analyst to join our team and execute the day-to-day operations of our security awareness programs and policy management lifecycle. You will own the operational delivery of phishing simulations, targeted training campaigns, and policy review cycles—focusing on defending against modern threats like AI-generated social engineering while maintaining our regulatory and compliance posture.

Sitting at the intersection of Security Culture and Compliance, you will be responsible for operational execution while collaborating closely with your manager on program strategy. This is a role for someone with strong program management skills, excellent communication abilities, and an eye for detail—with increasing emphasis on leveraging AI tools to amplify impact and efficiency.

What You’ll Do:

Security Awareness Operations: Lead the day-to-day execution of phishing simulations and mandatory training, focusing on modern threats like AI-generated social engineering, deepfake audio/video, and sophisticated LLM-based phishing.

Targeted Training Programs: Develop and deliver specialized training for high-risk employee groups (e.g., Helpdesk, Sales, Call Centers) to defend against account takeover, identity verification bypass, and customer data targeting.

Policy Lifecycle Management: Own the operational cycle for all security policies, standards, and procedures—ensuring documents are reviewed, updated, and published on schedule with proper version control and stakeholder feedback.

Compliance Documentation: Maintain the centralized policy repository and ensure policies align with SOC 2, ISO 27001, PCI-DSS, and evolving AI governance standards for audit readiness.

Security Communications: Design and distribute internal security alerts, manage the security and compliance newsletter, and create engaging content about emerging threats for diverse stakeholders.

Metrics & Reporting: Compile and analyze data on simulation success rates, training completion, and policy compliance for executive-level reporting and program optimization.

Cross-Functional Collaboration: Partner with Legal, HR, and Engineering to collect policy feedback and coordinate awareness initiatives across the organization.

What We’re Looking For:

Experience: 2–4 years in Security Awareness, Corporate Training, or GRC, with a track record of executing awareness programs and managing policy lifecycles.

Communication Excellence: Strong written and verbal skills to create clear policies, design engaging training content, and effectively communicate with stakeholders at all levels.

Modern Threat Knowledge: Strong understanding of contemporary social engineering tactics, including deepfakes, AI-driven phishing, vishing, and identity verification attacks.

Platform Experience: Hands-on experience with Security Awareness platforms (e.g., Adaptive, KnowBe4, Proofpoint) and Policy Management software for training delivery and document control.

Program Management: Proven ability to manage multiple concurrent initiatives in a fast-paced environment, from phishing campaigns to policy review cycles, with high attention to detail.

AI Tool Awareness: Growing familiarity with AI tools (Claude, Gemini, etc.) to assist with content creation, communications drafting, and operational efficiency.

Regulatory Frameworks: Working knowledge of SOC 2, ISO 27001, PCI-DSS, and NIST CSF requirements as they relate to security awareness and policy documentation.

Preferred: Relevant industry certifications (e.g., CompTIA Security+, SANS SSAP) demonstrating commitment to the security awareness field.

Navan is looking for a Security Governance & Risk Engineer to join our team as we evolve from manual processes to automated, scalable security systems. You will own the operational execution of our governance automation infrastructure, compliance monitoring, and security program platforms—using AI and automation as your primary force multipliers.

Sitting at the intersection of Security Engineering, Compliance, and Security Culture, you will execute day-to-day operations while collaborating closely with your manager on technical strategy. This is a unique hybrid role for someone who possesses both technical engineering capabilities and strong program management skills, with a heavy emphasis on leveraging AI tools (like Claude, Gemini, and GitHub Copilot) to amplify impact.

What You’ll Do

• GRC Automation: Build and maintain automated workflows for risk assessments and audit evidence collection using modern APIs and AI coding assistants.
• Compliance-as-Code: Implement automated integrations (e.g., Tines, AWS Lambda) to monitor technical controls against frameworks like SOC 2, ISO 27001, and NIST CSF.
• Data Visualization: Develop and maintain real-time dashboards in tools like ThoughtSpot to provide visibility into security posture and compliance metrics.
• Program Automation & Integration: Build integrations between GRC platforms, awareness tools, and business systems—automating policy acknowledgments, training compliance tracking, evidence collection, and custom workflows where platform capabilities fall short.
• Technical Control Implementation: Translate security policies into technical control standards and automated validation scripts, ensuring policy requirements are continuously verified.
• Cross-Functional Collaboration: Partner with Legal, HR, and Engineering to collect technical requirements, build integrations, and ensure automated controls align with business needs.

What We’re Looking For

• Experience: 4–6 years in GRC Engineering, Security Automation, or IT Compliance, with a track record of building automated solutions.
• Technical Proficiency: Comfortable writing and debugging code (Python, PowerShell, or JavaScript) and working with REST APIs/JSON structures.
• AI Tool Fluency: Active experience using AI tools (Gemini, GitHub Copilot, Claude, etc.) to accelerate coding, writing, and problem-solving.
• Cloud & Infra Knowledge: Hands-on experience with cloud environments (AWS or GCP) and serverless architectures (Lambda, Cloud Functions).
• GRC Platforms: Familiarity with tools such as Auditboard, Vanta, Drata, or Archer, particularly regarding API integrations.
• Framework Expertise: Working knowledge of SOC 2, ISO 27001, and NIST CSF, with the ability to translate requirements into technical controls.
• Operational Mindset: Proven ability to manage multiple concurrent engineering initiatives, from building compliance automations to developing policy management systems, in a fast-paced environment.
• Communication: Strong written and verbal skills to document technical implementations, collaborate with stakeholders, and translate business requirements into technical solutions.

The Senior Product Security Engineer will be responsible for securing Navan products, by identifying risks early in the SDLC and developing application security tooling & processes to promote a ‘shift left’ security culture. You will be responsible for developing and scaling the product security function by integrating security in the application development process, conducting security-related research and assessments, developing custom automated security and anti-fraud solutions, and providing security analysis/design/training to the organization.

Reporting to the senior Director of Product Security and Trust, you will contribute significantly to building and scaling an application security program. This position requires both advanced technical skills, strong communication skills, and the ability to influence people. You will be responsible for ensuring the continuous security of Navan customer-facing products and internal tools. You will focus on proactively discovering security vulnerabilities, driving and advising risk remediation based on research, and developing strong partnerships with engineering and product teams to accelerate the release of the software with security by design.

What You’ll Do:

• Act as the tech lead for high-priority product security initiatives, and ensure timely delivery of impactful initiatives.
• Be a key advisor to the overall strategy and roadmap of the Product Security Program.
• Participate in expanding/maturing the Navan S-SDLC program.
• Review product designs for security defects, perform threat modeling and recommend remediations. 
• Work with engineers to identify the tradeoffs of different solutions and recommend the ideal design to meet security requirements.
• Design and develop security tools and processes to be leveraged by development teams.
• Work closely with engineering to sustain processes and/or convert manual integrations to automated pipeline activities.
• Assist in developing custom Security as Code solutions.
• Provide training, guidance, and assistance to development teams early in the SSDLC.
• Cultivate security ownership in the product teams.
• Bring visibility to product/application vulnerabilities in a consistent manner to enable appropriate prioritization and remediation.
• Help build the Red Team and PSIRT functions.

What We’re Looking For:

• Proven experience performing threat modeling and architecture reviews for complex applications.
• Proven experience delivering critical org-wide product security initiatives.
• Proven experience performing application, cloud and mobile penetration testing in high risk environments like financial or healthcare companies.
• 6-8 years of Technical Product Security related experience around SSDLC tooling, automation, remediation advisory, security testing, threat modeling/attack surface analysis.
• Ability to execute in multifaceted and highly technical organizations.
• Ability to provide pragmatic security advice for web applications, mobile applications, and cloud software.
• Experience working in Agile development with experience in technologies such as:
• Cloud environment (AWS, or similar)
• Application security testing tools (SAST, DAST, IAST, SCA, or similar.)
• Infrastructure as code (Terraform, or similar)
• Java Spring Framework (3+ years),  Hibernate or similar ORM technologies, JavaScript/CSS, and Angular
• Containers (Docker, Kubernetes, or similar)
• Continuous integration (Jenkins, Github Actions or similar)
• Integration of Security testing tools into CI pipelines
• Defect tracking (Jira,or similar.)
• Source code management (GitHub, or similar.)
• In-depth knowledge of common application & network protocols, cryptographic primitives, authentication & authorization protocols, and common security threats, such as attack techniques, evasive techniques, and preventative & defensive methods.
• Deep knowledge of cloud operational models and secure SaaS architecture in a containerized microservices world.

Good to have:

• Published contributions to the security community.
• Deep understanding of browser security and modern JavaScript frameworks.
• Knowledge of compliance requirements for industry-standard certifications like PCI DSS, SOC2, HIPAA, and FedRAMP.
• Experience working in small teams and delivering outsized impact.

The Senior Product Security Engineer will be responsible for securing Navan products, by identifying risks early in the SDLC and developing application security tooling & processes to promote a ‘shift left’ security culture. You will be responsible for developing and scaling the product security function by integrating security in the application development process, conducting security-related research and assessments, developing custom automated security and anti-fraud solutions, and providing security analysis/design/training to the organization.

Reporting to the senior Director of Product Security and Trust, you will contribute significantly to building and scaling an application security program. This position requires both advanced technical skills, strong communication skills, and the ability to influence people. You will be responsible for ensuring the continuous security of Navan customer-facing products and internal tools. You will focus on proactively discovering security vulnerabilities, driving and advising risk remediation based on research, and developing strong partnerships with engineering and product teams to accelerate the release of the software with security by design.

What You’ll Do:

• Act as the tech lead for high-priority product security initiatives, and ensure timely delivery of impactful initiatives.
• Be a key advisor to the overall strategy and roadmap of the Product Security Program.
• Participate in expanding/maturing the Navan S-SDLC program.
• Review product designs for security defects, perform threat modeling and recommend remediations. 
• Work with engineers to identify the tradeoffs of different solutions and recommend the ideal design to meet security requirements.
• Design and develop security tools and processes to be leveraged by development teams.
• Work closely with engineering to sustain processes and/or convert manual integrations to automated pipeline activities.
• Assist in developing custom Security as Code solutions.
• Provide training, guidance, and assistance to development teams early in the SSDLC.
• Cultivate security ownership in the product teams.
• Bring visibility to product/application vulnerabilities in a consistent manner to enable appropriate prioritization and remediation.
• Help build the Red Team and PSIRT functions.

What We’re Looking For:

• Proven experience performing threat modeling and architecture reviews for complex applications.
• Proven experience delivering critical org-wide product security initiatives.
• Proven experience performing application, cloud and mobile penetration testing in high risk environments like financial or healthcare companies.
• 6-8 years of Technical Product Security related experience around SSDLC tooling, automation, remediation advisory, security testing, threat modeling/attack surface analysis.
• Ability to execute in multifaceted and highly technical organizations.
• Ability to provide pragmatic security advice for web applications, mobile applications, and cloud software.
• Experience working in Agile development with experience in technologies such as:
• Cloud environment (AWS, or similar)
• Application security testing tools (SAST, DAST, IAST, SCA, or similar.)
• Infrastructure as code (Terraform, or similar)
• Java Spring Framework (3+ years),  Hibernate or similar ORM technologies, JavaScript/CSS, and Angular
• Containers (Docker, Kubernetes, or similar)
• Continuous integration (Jenkins, Github Actions or similar)
• Integration of Security testing tools into CI pipelines
• Defect tracking (Jira,or similar.)
• Source code management (GitHub, or similar.)
• In-depth knowledge of common application & network protocols, cryptographic primitives, authentication & authorization protocols, and common security threats, such as attack techniques, evasive techniques, and preventative & defensive methods.
• Deep knowledge of cloud operational models and secure SaaS architecture in a containerized microservices world.

Good to have:

• Published contributions to the security community.
• Deep understanding of browser security and modern JavaScript frameworks.
• Knowledge of compliance requirements for industry-standard certifications like PCI DSS, SOC2, HIPAA, and FedRAMP.
• Experience working in small teams and delivering outsized impact.

The Senior Product Security Engineer will be responsible for securing Navan products, by identifying risks early in the SDLC and developing application security tooling & processes to promote a ‘shift left’ security culture. You will be responsible for developing and scaling the product security function by integrating security in the application development process, conducting security-related research and assessments, developing custom automated security and anti-fraud solutions, and providing security analysis/design/training to the organization.

Reporting to the senior Director of Product Security and Trust, you will contribute significantly to building and scaling an application security program. This position requires both advanced technical skills, strong communication skills, and the ability to influence people. You will be responsible for ensuring the continuous security of Navan customer-facing products and internal tools. You will focus on proactively discovering security vulnerabilities, driving and advising risk remediation based on research, and developing strong partnerships with engineering and product teams to accelerate the release of the software with security by design.

What You’ll Do:

• Act as the tech lead for high-priority product security initiatives, and ensure timely delivery of impactful initiatives.
• Be a key advisor to the overall strategy and roadmap of the Product Security Program.
• Participate in expanding/maturing the Navan S-SDLC program.
• Review product designs for security defects, perform threat modeling and recommend remediations. 
• Work with engineers to identify the tradeoffs of different solutions and recommend the ideal design to meet security requirements.
• Design and develop security tools and processes to be leveraged by development teams.
• Work closely with engineering to sustain processes and/or convert manual integrations to automated pipeline activities.
• Assist in developing custom Security as Code solutions.
• Provide training, guidance, and assistance to development teams early in the SSDLC.
• Cultivate security ownership in the product teams.
• Bring visibility to product/application vulnerabilities in a consistent manner to enable appropriate prioritization and remediation.
• Help build the Red Team and PSIRT functions.

What We’re Looking For:

• Proven experience performing threat modeling and architecture reviews for complex applications.
• Proven experience delivering critical org-wide product security initiatives.
• Proven experience performing application, cloud and mobile penetration testing in high risk environments like financial or healthcare companies.
• 6-8 years of Technical Product Security related experience around SSDLC tooling, automation, remediation advisory, security testing, threat modeling/attack surface analysis.
• Ability to execute in multifaceted and highly technical organizations.
• Ability to provide pragmatic security advice for web applications, mobile applications, and cloud software.
• Experience working in Agile development with experience in technologies such as:
• Cloud environment (AWS, or similar)
• Application security testing tools (SAST, DAST, IAST, SCA, or similar.)
• Infrastructure as code (Terraform, or similar)
• Java Spring Framework (3+ years),  Hibernate or similar ORM technologies, JavaScript/CSS, and Angular
• Containers (Docker, Kubernetes, or similar)
• Continuous integration (Jenkins, Github Actions or similar)
• Integration of Security testing tools into CI pipelines
• Defect tracking (Jira,or similar.)
• Source code management (GitHub, or similar.)
• In-depth knowledge of common application & network protocols, cryptographic primitives, authentication & authorization protocols, and common security threats, such as attack techniques, evasive techniques, and preventative & defensive methods.
• Deep knowledge of cloud operational models and secure SaaS architecture in a containerized microservices world.

Good to have:

• Published contributions to the security community.
• Deep understanding of browser security and modern JavaScript frameworks.
• Knowledge of compliance requirements for industry-standard certifications like PCI DSS, SOC2, HIPAA, and FedRAMP.
• Experience working in small teams and delivering outsized impact.

At Navan, you will build and evolve Detection & Response (D&R) capabilities across our infrastructure, products, and research environments. This role focuses on high-signal detection and reliable operational response to ensure the security of our global travel and expense platform.

What You’ll Do:

• Detection Engineering: Build and manage the lifecycle of detection rules, focusing on measurement/quality loops (coverage, precision, latency) and safe rollout patterns.
• Automated Response: Build workflows that reduce toil (triage, enrichment, containment) using SIEM tools (e.g., Splunk, Sentinel), EDR/XDR, and automation to improve time-to-contain.
• Incident Management: Actively participate in the Incident Response lifecycle. You will detect, analyze, and remediate security threats and participate in a scheduled on-call rotation.
• Secure Architecture: Partner with infrastructure owners to ensure new systems ship with the right telemetry, encryption, authentication, and response playbooks from day one.
• Visibility & Governance: Drive visibility across endpoints, identity, SaaS, and cloud; identify gaps in IAM and vulnerability management and advocate for direct fixes.
• Emergent Threats: Evaluate and respond to frontier security concerns, such as detection strategies for automated agents operating across infrastructure at scale. 

What We’re Looking For:

• Technical Foundation: Deep knowledge of network, cloud, and endpoint security, with hands-on experience in firewalls and vulnerability management.
• Operational Experience: Direct experience in Incident Response (IR). You are comfortable performing log analysis, threat hunting, and forensics while applying the MITRE ATT&CK framework.
• Threat Modeling: Ability to evaluate new features, identify "what could go wrong," and turn those risks into concrete telemetry and response requirements.
• Multi-Cloud Proficiency: Experience across major platforms (Azure, AWS, GCP, OCI) and the ability to design cloud-agnostic detection approaches.
• Automation Mindset: Passion for replacing repetitive work with automation and scripting; you enjoy using AI/agent tooling to accelerate investigations.