Information Security Analyst, Governance, Risk & Compliance (GRC)

About XBOW

At XBOW, we’re redefining the future of cybersecurity by building the world's first autonomous pentester, powered by AI. Today, the gold standard for securing software systems is human pentesters, but with the rise of artificial intelligence, we’re stepping up to scale offensive security to meet the ever-growing demand.

AI is transforming the landscape of both cybersecurity and cyberattacks. While millions of people without security expertise are creating software, bad actors are using AI to launch more effective attacks. XBOW fights back with AI-driven superpowers, enabling security teams to stay one step ahead.

What makes XBOW truly unique? Like human experts, it forges creative attacks, adapts its learnings, and continuously works to find vulnerabilities faster than anyone ever could. We’re not only simulating threats—we’re also finding and responsibly disclosing real-world vulnerabilities, ensuring organizations can fix issues before they’re exploited. XBOW isn’t just a tool; it’s a transformative force in the secure development lifecycle.

Backed by Sequoia Capital and a team that includes the creators of GitHub Copilot and GitHub Advanced Security, XBOW is not just keeping up with the times—we’re shaping the future of cybersecurity. Our mission is simple: to defeat the bad actors before they strike, using AI to revolutionize how we approach offensive security.

We’re building something that must be built, and we’re the team to do it. Join us in shaping the next frontier of autonomous security.

Your Role: Information Security Analyst, GRC

We’re looking for a detail-oriented, Governance, Risk & Compliance Analyst to help scale our security and trust function as we grow. In this role, you’ll play a key part in supporting customer and prospect security reviews, assessing third-party vendor risk, and continuously improving how we identify and manage risk across the business.

This is an individual contributor role with no initial people-management responsibilities. However, as the risk and compliance function matures, there is a clear opportunity for this role to grow in scope and responsibility.

You’ll work closely with Security, Engineering, Legal, Sales, and Customer teams, acting as a trusted partner in communicating our security posture and ensuring we meet customer and regulatory expectations.

What You'll Do

• Support customers and prospects by completing technical security questionnaires, risk assessments, and due-diligence requests
• Partner with Sales and Customer teams to explain XBOW’s security controls, architecture, and compliance posture
• Assess and manage third-party and vendor security risk, including reviews of SaaS providers and service partners
• Help maintain and improve risk assessment frameworks, methodologies, and documentation
• Track and support remediation of identified risks in collaboration with internal stakeholders
• Contribute to compliance initiatives aligned with frameworks such as SOC 2 and ISO 27001
• Maintain clear, well-structured risk registers, policies, and supporting evidence
• Coordinate risk management sessions and processes
• Identify opportunities to streamline and automate risk and compliance processes as the company scales

Interested in remote work opportunities in Cyber Security? Discover Cyber Security Remote Jobs featuring exclusive positions from top companies that offer flexible work arrangements.

• Support audits, customer reviews, and internal assurance activities as needed
  
  

Who You Are

• 3–5+ years of experience in risk, compliance, security assurance, or related roles
• Hands-on experience completing or reviewing technical security questionnaires and customer risk assessments
• Familiarity and experience with common security and compliance frameworks (e.g. SOC 2, ISO 27001, NIST, FedRAMP)
• Comfortable assessing technical controls and working with engineers to understand system architecture
• Experience conducting or supporting vendor / third-party risk assessments
• Strong written communication skills, with the ability to explain complex security concepts clearly
• Highly organized and detail-oriented, with a pragmatic approach to risk
• Comfortable working in a fast-moving, remote-first startup environment
  
  

Bonus Points

• Experience working in a SaaS or security-focused company
• Security or risk certifications (e.g. CRISC, SOC2, ISO 27001 Lead Implementer, FedRAMP)
• Experience supporting a company through audit readiness or first-time compliance efforts
  
  

What We Offer

• Compensation & Equity: Competitive salary and meaningful stock options.
• Growth: Opportunity to learn from and collaborate with top security and AI experts
• Impact: Work on complex technical challenges that support the foundation of our company
• Remote-First:Work from anywhere, with regular opportunities to meet in person
  
  

What Else You Should Know

• Location: Remote US East Coast preferred (all team members are remote but we meet regularly and you’re supported to travel to collaborate with colleagues in person)
• Contract: Full-time.
• Hiring Process:
• Talent Introduction
• HM Interview
• Security Knowledge Interview
• We’d provide you some information live, and then ask you to analyze the information and provide a response from a security lens.
• Final Interview as needed
  

We’re a security company that builds with AI at the core - so you’ll be protecting a team that moves fast, iterates aggressively, and lives in the command line. If that sounds like your kind of environment, let’s talk.