Sr. Security Engineer

We help the world run better
At SAP, we keep it simple: you bring your best to us, and we’ll bring out the best in you. We’re builders touching over 20 industries and 80% of global commerce, and we need your unique talents to help shape what’s next. The work is challenging – but it matters. You’ll find a place where you can be yourself, prioritize your wellbeing, and truly belong.

What’s in it for you? Constant learning, skill growth, great benefits, and a team that wants you to grow and succeed.

COMPANY DESCRIPTION

SAP is the global market leader for business software and related services, and SAP National Security Services Inc. ® (SAP NS2®) is an independent U.S. subsidiary, offering SAP solutions with specialized levels of security and support to meet the requirements of U.S. national security and critical infrastructure customers.

Must be a U.S. citizen; this position requires access to customer data.

SAP NS2 does not offer Visa sponsor ships for this role.
All internals must have manager’s approval to transfer.

We are seeking a Senior Security Engineer to join our Platform Security Engineering team. This role focuses on the engineering, automation, and operational excellence of the security tooling stack that protects our infrastructure. The right candidate is a builder; someone who has come up through Dev Ops, infrastructure, or platform engineering and brings that operational discipline to the security domain.

This is not a policy or governance role, and it is not a traditional ISSE position. You will spend your days writing code, building pipelines, automating deployments, remediating vulnerabilities on infrastructure we own, and tuning the platforms that keep our environment secure. You will partner closely with platform, Dev Ops, and host‑owning teams, but the engineering work is yours to lead.

• Platform ownership: Operate, tune, and integrate the organization’s security tooling stack, including but not limited to Tenable Nessus, Crowd Strike Falcon, Trend Micro Deep Security, and Threat Connect, ensuring each platform is healthy, current, and delivering value.
• Agent and sensor coverage validation: Validate that endpoint agents and sensors are deployed, communicating, and properly configured across applicable infrastructure. Build coverage reporting and identify gaps without taking on installation responsibility for hosts owned by other teams.
• Tooling patching and lifecycle management: Own the patching, upgrade, and lifecycle management of the security tools and platforms we operate. Maintain version currency, plan upgrade windows, and ensure scanners, managers, and consoles stay within supported release windows.
• API integration and automation: Build custom integrations between security platforms and the broader engineering ecosystem to include ticketing, reporting, alert routing, CI/CD gating, and SOAR‑style workflows.

• Remediation on managed infrastructure: Drive vulnerability remediation across hosts and infrastructure that the team owns or operates. Prioritize using risk context (exploitability, exposure, asset sensitivity), implement fixes, and track findings through to closure.
• Scan operations: Operate and tune vulnerability scanners (Tenable Nessus and equivalent) so that scan coverage is accurate, credentialed scans succeed, and other teams have reliable vulnerability data for the hosts they own.
• Reporting and SLA enforcement: Produce vulnerability reporting that surfaces trends, exception requests, and SLA performance. Partner with host‑owning teams when findings live outside our managed scope.
• Preventative controls: Where possible, shift remediation left, to include hardened base images, IaC scanning, golden AMIs, and image bake pipelines that prevent vulnerabilities from reaching production rather than chasing them after the fact.

• IaC for security infrastructure: Design and maintain Terraform modules that provision, configure, and update security tooling infrastructure across cloud environments. Apply the same code‑review, testing, and promotion…