SecJobs
RoleSuite
Updated 2026-06-19 20:00 UTC·© 2025–2026 RoleSuite

Staff Security Engineer (IAM) - BR - 2026

Nubank · Brazil, Belo Horizonte; Brazil, Campinas; Brazil, Rio de Janeiro; Brazil, Sao Paulo

About Us

Nu is one of the largest digital financial platforms in the world, with more than 122 million customers across Brazil, Mexico, and Colombia. Guided by our mission to fight complexity and empower people, we are redefining financial services in Latin America and this is still just the beginning of the purple future we're building.

Listed on the New York Stock Exchange (NYSE: NU), we combine proprietary technology, data intelligence, and an efficient operating model to deliver financial products that are simple, accessible, and human.
Our impact has been recognized by global rankings such as Time 100 Companies, Fast Company’s Most Innovative Companies, and Forbes World’s Best Bank. Visit our institutional page https://international.nubank.com.br/careers/ 

About the Role

Nubank is seeking a Staff Security Engineer to contribute to the Identity and Access Management security function across a financial technology organization serving over 100 million customers in Brazil, Mexico, and Colombia.
This is a senior individual-contributor role with organizational-level technical influence, responsible for supporting a multi-year IAM security strategy, directing its execution across multiple engineering teams, and ensuring that identity and access controls meet the security, regulatory, and operational requirements of a globally operating financial institution.

The Staff Security Engineer is expected to bring a demonstrated history of delivering consequential security programs — including programs that encountered setbacks — and the technical judgment that only sustained, hands-on experience in the domain produces.
Critically, this role requires a security engineering philosophy grounded in business enablement: the conviction that security done well accelerates what the organization can do, not merely protects it. This means rigorously distinguishing between controls that reduce real risk and those that create the appearance of compliance without reducing exposure, taking genuine ownership of outcomes rather than delegating accountability through policy, and continuously questioning inherited assumptions about what security measures are necessary, sufficient, or proportionate.



What You’ll Be Responsible For

  • Defining, communicating, and executing a multi-year security strategy (especially in the IAM field) aligned with the organization's risk posture, regulatory obligations, and business objectives across multiple countries and regulatory jurisdictions.
  • Leading organization-wide authentication migrations that span heterogeneous surfaces — browser, operating system login, CLI tooling, and API-level integrations — across thousands of employees, multiple device ecosystems, and distributed work environments, producing measurable outcomes: authentication success rates above 99%, material reductions in per-authentication time, support exception rates below 1%, and return on investment within weeks of enforcement.
  • Designing and maintaining the core identity infrastructure with the durability and operational discipline required at organizational scale: enterprise Identity Provider, PKI and X.509 certificate lifecycle automation, mutual TLS for service-to-service authentication, and credential management systems engineered to remain sound as the organization grows.
  • Translating least-privilege access from a principle into a measurable, organization-wide program — with defined metrics, visible adoption curves, and accountability structures that allow Security and Engineering leadership to track and act on the organization's access risk posture over time.
  • Designing and maintaining a security engineering framework — comprising technical mechanisms, policies, incentives, and assurance processes — that ensures security properties are durable, verifiable, and operationally sound, rather than dependent on individual vigilance or periodic audits.
  • Leading technical incident response for identity and access security events, including critical vulnerabilities in remote access infrastructure, ensuring thorough investigation, documented root cause analysis, and structural improvements that reduce the likelihood and impact of recurrence.
  • Designing and facilitating large-scale preparedness exercises grounded in realistic attack paths — involving engineering, operations, and executive functions — to identify genuine gaps in IAM controls, not merely satisfy a compliance requirement.
  • Providing technical mentorship and coaching to senior engineers; leading innovative projects with universities and actively collaborating in hiring and career decisions in order to maintain a high technical standard throughout the safety organization.
  • Serving as the technical authority in engagements with Legal, Compliance, internal audit, and external regulators on matters related to identity, authentication, and access control.

 

We Are Looking for a Person Who Has

Must-have

  • 15+ years of professional experience in security engineering, with a concentration in identity, authentication, or access management.
  • Demonstrated track record of leading complex, multi-year security programs from conception through measurable outcome — including programs that required navigating organizational obstacles, technical constraints, or material mid-course corrections.
  • Expert-level knowledge of IAM and authentication protocols: OIDC, OAuth 2.0, SAML 2.0, FIDO2/WebAuthn, mTLS, and Public Key Infrastructure (PKI).
  • Proficiency in software engineering: ability to produce, review, and reason about production-quality code in at least one general-purpose programming language.
  • Demonstrated ability to model identity-related threat scenarios, assess attacker techniques relevant to the IAM surface, and design controls that remain effective under adversarial conditions.
  • A demonstrable commitment to security as an organizational capability that enables business outcomes: a track record of solving real security problems, a disposition to challenge inherited security assumptions, and a clear pattern of distinguishing genuine risk reduction from security theater or responsibility transfer.
  • Experience communicating technical risk assessments and strategic recommendations to senior non-technical stakeholders, including executives and regulators.

Nice-to-have

  • Experience operating within a financial services institution or similarly regulated environment subject to multiple concurrent regulatory frameworks.
  • Hands-on experience administering or integrating with an enterprise Identity Provider at scale, particularly Okta or Keycloak.
  • Experience designing and enforcing security controls for third-party, BPO, or partner environments without direct operational control of the partner's infrastructure.
  • Experience leading organizational adoption of Zero Trust architecture, including authentication and authorization mechanisms for hybrid and multi-cloud environments.
  • Contributions to the broader security community — published research, conference presentations, open-source tooling, or participation in standards bodies.

Our Benefits

  • Chance of earning equity at Nubank
  • Food/Meal Card (Vale-Refeição and/or Vale Alimentação)
  • Public Transportation Commuting Benefit (Vale-Transporte)
  • NuCare – Psychological, Financial and Legal Assistance Program
  • Life Insurance
  • Medical Plan
  • Dental Plan
  • NuLanguage – Language Course Program
  • Nucleo - Our learning platform of courses
  • Extended Parental Leave
  • Daycare Allowance
  • Parental Consultancy
  • Work-from-home Allowance
  • Gym Partnerships
  • 30 days of paid vacation

Work Model for this Role

Hybrid 2-3 times/week: Our hybrid work model brings us to the office at least twice a week, on strategic days designed to maximize team connection and collaboration. For more details, visit https://building.nubank.com/nu-hybrid-work-model/




Security pay context

Based on 1,651 disclosed Security salaries on RoleSuite, the role pays a median of $142K/year, with most offers between $114K and $180K (10th–90th percentile: $92K–$216K).
