Senior Security Engineer

Nova Intelligence is building the most powerful AI platform for SAP teams. SAP is the heart of the enterprise: almost every critical business process at the world's largest companies - finance, supply chain, manufacturing, sales - runs on SAP. Our customers use Nova to 3x the productivity of their SAP teams: modernizing legacy code, redesigning business processes, resolving production issues, and more.

Nova Intelligence was founded by AI researchers, repeat entrepreneurs, and the co-inventor of SAP HANA, and has raised $40M from SAP.io, Accel, Conviction, and Chemistry.

Check out the Launch Video


About this role

We're hiring Senior Security Engineers to design, harden, and continuously test the security of the Nova platform. Our mission is to build the most powerful AI platform for SAP - and that includes being the most secure. Nova operates inside the systems that run global business, with broad access and powerful capabilities; the security work is technically deep and central to the product.

What you'll do

Own platform security architecture. You'll harden the security model of the platform across cloud and (in the future) on-prem deployments - isolation between customers and environments, identity and access policy, secrets and key management, and network controls. You'll work on real problems like preventing cross-service privilege paths, evolving customer-side audit access, maintaining tight scoping of admin credentials, and ensuring the agent's execution sandboxes can run untrusted code safely.

Lead our internal red team. You'll lead and extend our red team work - probing access controls and privilege boundaries, testing agent action boundaries (prompt injection, tool-use abuse, sandbox escape), validating tenant isolation under realistic attack patterns, and stress-testing our auth flows under adversarial pressure.

Solve hard auth and identity problems in SAP. SAP's identity model is idiosyncratic and the customer landscape is complex: federated SSO via IAS or other IdPs, SAML and OAuth flows across multiple systems, RFC connections, technical users, and a long tail of legacy auth patterns. You'll own how identity propagates from the customer's IdP through Nova into their SAP systems.

Raise our internal security baseline. SSO, deployment pipelines, secrets in CI/CD, code review controls, vendor onboarding, internal access. You'll set the standards, drive the implementation, and lead Nova's adherence to the compliance frameworks customers expect (SOC 2, ISO 27001, GDPR, CCPA). We treat these as the floor, not the ceiling.

Partner with customer security teams. Our enterprise customers run some of the most sophisticated security organizations in the world. You'll be the technical voice in the room with their CISOs, security architects, and DPOs - translating their requirements into platform changes and Nova's design into language their teams can defend internally.

Push the frontier on offensive and defensive AI for SAP. AI agents are uniquely powerful for security work in SAP - finding vulnerabilities in custom ABAP, auditing access patterns, identifying privilege escalation paths in customer landscapes. We use Nova to help customers find weaknesses in their own systems, and we use Nova to study Nova. You'll lead this research and shape it into product.

Represent Nova on security in the SAP community. Write, speak, publish. Security at the AI-meets-SAP intersection is uncharted territory, and there's real work to do in defining the field.

What we're looking for

• You have deep, hands-on security experience - application security, cloud security (AWS in particular), identity and access management, and the architectural intuition to spot a privilege escalation path two systems away.
• You think adversarially by default, whether your background is offensive (red team, pentest, vulnerability research) or defensive engineering at a place that took it seriously.
• You have informed opinions on AI security: prompt injection, agent action boundaries, tool-use vulnerabilities, sandbox escape, and what changes when agents have persistent infrastructure access.
• You're fluent in the compliance frameworks customers care about (SOC 2, ISO 27001, GDPR, CCPA) - not as the goal, but as a baseline you can drive efficiently before building well past it.
• You communicate clearly with both engineers and executives. Half this job is making security real with platform engineers; the other half is being credible to a CISO who needs to defend our platform internally.
• You have a track record of public technical output - writing, talks, CVEs, open-source contributions. (Strong plus, not required.)

Background we'd love to see (none required)

• 5+ years of security engineering, security architecture, or offensive security work
• Hands-on AWS security depth (IAM, KMS, networking, multi-account architectures)
• Designing or hardening multi-tenant SaaS platforms in enterprise contexts
• Leading SOC 2 Type II, ISO 27001, or comparable certification efforts
• Familiarity with SAP, ABAP, or enterprise application security generally
• Working directly with enterprise customer security teams (CISOs, DPOs, security architects)

Why join

You'll work alongside top engineers, AI researchers, and SAP experts on security problems few teams get to touch. What you build protects systems that run inside the world's largest enterprises - and shapes what AI-native security looks like for mission-critical environments as the field matures.

We use Nova to build Nova, and you'll use Nova to attack Nova. You'll be a power user of your own tools, obsessed with finding what breaks before anyone else does.

We're a small, highly talent-dense team. We offer competitive compensation, meaningful equity, and full health, dental, and vision coverage.

If you read this and recognize the role you want, apply - even if you don't match every line.