What are the responsibilities and job description for the CNAPP/Cybersecurity Engineer position at American Express?
Job Description
At American Express, our mission is to deliver the world’s best customer experience every day. At the heart of this mission is our Information Security organization, enabling exceptional experiences built on a foundation of trust, service, and security. We leverage advanced technologies and data-driven insights to stay ahead of an evolving threat landscape. We foster a culture of passion, curiosity, and courage—empowering you to innovate, grow, and help shape the future of a Fortune 100 company.
Trust. Service. Security.
The Cloud and SaaS Security mission is to enable secure, rapid cloud and SaaS transformation that accelerates business growth and innovation. We provide trusted, real-time visibility and high-quality security intelligence, empowering leaders to make informed, risk-aware decisions at speed. By positioning security as a strategic enabler, we help the enterprise modernize with confidence, resilience, and agility.
The Engineer will be part of the mainstream effort to establish comprehensive, end-to-end visibility across all cloud and SaaS environments by integrating core systems of record into CNAPP, delivering a unified and consistent telemetry layer across platforms. Our focus is to provide accurate, prioritized, and actionable insights that reduce noise and enable effective decision-making. We democratize access to security intelligence, ensuring teams have the right context to act quickly and independently, while maintaining alignment with enterprise risk and governance standards. By embedding security seamlessly into cloud and SaaS adoption journeys through Policy-as-Code capabilities, we enable speed without compromise, driving scalable, secure, and efficient operations across the organization.
How will you make an impact in this role?
As part of this transformation, we are building a next-generation multi-cloud security platform and are seeking a CNAPP-focused engineer to drive visibility, risk reduction, and secure cloud adoption at scale. This role will play a critical part in shaping the enterprise security posture across AWS, Azure, GCP, and private cloud environments (e.g., OpenShift).
In this role, you will operate within a DevSecOps model, partnering closely with Technology Risk and Information Security (TRIS), Cloud Security Governance, Cloud Security Operations, and engineering teams across the organization. You will help identify, design, and deliver scalable security capabilities that are deeply integrated into cloud platforms and developer workflows.
You will drive a strong automation-first mindset, enabling zero-touch, idempotent, and scalable solutions through everything-as-code across infrastructure, security controls, and platform services. Success in this role requires the ability to operate across multiple initiatives, prioritize effectively, and translate evolving security and cloud technologies into practical, enterprise-ready solutions.
We are looking for a highly motivated, forward-thinking engineer who can balance technical depth with execution discipline, contribute to the maturation of end-to-end security capabilities, and ensure a seamless and secure experience for our engineering community.
At American Express, our culture is built on a 175-year history of innovation, shared values and Leadership Behaviors, and an unwavering commitment to back our customers, communities, and colleagues. From delivering differentiated products to providing world-class customer service, we operate with a strong risk mindset, ensuring we continue to uphold our brand promise of trust, security, and service.
As part of Team Amex, you’ll experience our powerful backing with comprehensive support for your holistic well-being and many opportunities to learn new skills, develop as a leader, and grow your career. Here, your voice and ideas matter, your work makes an impact, and together, you will help us define the future of American Express.
Responsibilities
- Manage CNAPP (Cortex/Prisma/Wiz) platform configurations and challenges on a daily basis, triaging challenges, identity risks, and alerts, and driving remediation with engineering teams.
- Investigate and correlate security signals across multi-cloud environments (AWS, GCP, Azure, OpenShift) to identify high-risk exposures and prioritize actions based on business impact and exploitability.
- Work closely with PaC (policy-as-code) and guardrails (OPA, Sentinel, native cloud policies) teams to enforce secure-by-default configurations across cloud platforms for the CNAPP findings.
- Contribute to proof-of-concept efforts by evaluating new CNAPP features, cloud security tools, and container security capabilities, and recommending scalable adoption strategies.
- Document solutions, patterns, and learnings through runbooks, architecture decision records (ADRs), and knowledge-sharing sessions to enable broader team adoption.
- Act as a go-to technical resource, supporting application teams in designing secure cloud-native architectures and troubleshooting security-related issues.
- Work closely with Cloud Engineering and DevOps teams to embed security controls into CI/CD pipelines, ensuring shift-left security and continuous compliance.
- Support onboarding of new cloud accounts, Kubernetes clusters, and services into CNAPP by configuring data ingestion, identity mapping, and policy enforcement.
- Analyze cloud usage patterns and integrate with DSPM capabilities to identify sensitive data, validate access controls, and reduce data exposure risks.
- Collaborate with SIEM/SOAR and observability teams to integrate CNAPP signals into detection and response workflows, improving visibility and incident response time.
- Participate in incident triage and root cause analysis, contributing to remediation strategies and continuous improvement of detection and response playbooks.
- 3 years of experience in cloud security engineering across AWS, GCP, and/or Azure, with exposure to hybrid or private cloud environments (e.g., OpenShift).
- Experience in leading the design, hands-on implementation, and scaling of CNAPP capabilities (e.g., Palo Cortex) across multi-cloud environments including AWS, Azure, GCP, and OpenShift-based private cloud.
- Strong understanding of, and experience enabling end-to-end:
  - CSPM, CWPP, CIEM, container security, and runtime protection posture management
  - Cloud misconfiguration management and remediation automation
- Experience securing Kubernetes/OpenShift environments, including container security, workload isolation, and OPA policy enforcement.
- Defining and developing policy-as-code frameworks (e.g., Cloud Native, Hashi Sentinel) and Infrastructure-as-Code tools (e.g., Terraform).
- Analyzing and prioritizing security findings across cloud environments, correlating misconfigurations, vulnerabilities, identity risks, and runtime threats by leveraging XQL and automation playbooks to drive remediation strategies.
- Experience in integrating Palo Cortex with on-prem capabilities such as SIEM/SOAR and observability platforms for continuous monitoring and threat detection with CNAPP signals.
- Experience in evaluating, onboarding, and optimizing CNAPP tools (Palo Alto Cortex, Wiz, or similar), ensuring full integration across cloud accounts, Kubernetes environments, and CI/CD pipelines.
- Knowledge of cloud security frameworks and benchmarks such as CIS Benchmarks, NIST, and Cloud Controls Matrix (CCM). An understanding of the network security, identity, and data protection domains and their technical implementation frameworks across cloud platforms.
- Experience in developing and maintaining cloud security reference architectures, detection patterns, and response playbooks aligned with enterprise governance and regulatory requirements.
- Strong analytical and problem-solving skills, with the ability to prioritize risks based on impact and exploitability.
- Experience working in Agile environments, collaborating across engineering, platform, and security teams.
Salary: $89,250 - $150,250