Security Champions Program Guide: How to Scale AppSec Across Engineering

Why a Security Champions Program Matters

A security champion is a developer or platform engineer inside a product team who carries dedicated security responsibility on behalf of that team. The champion is not an AppSec specialist on rotation, and is not a dotted-line member of the security team. They are an engineer who already ships code in the team, already sits in the planning meetings, and already gets paged when a deploy goes wrong. Adding a champion to that team makes security a continuous, in-team activity rather than a quarterly visit from a function that is permanently outnumbered.

The economics are straightforward. Without champions, every secure code review, every finding triage call, and every threat model is a request that has to travel from the product team to the central AppSec function and back. A team of five reviewers cannot hold quality conversations with eighty product teams every sprint, no matter how good their tooling is. The result is the pattern most enterprises know well: triage queues grow, review SLAs slip, threat models go stale, and findings sit in spreadsheets while developers wait for someone to tell them what to do. Champions break that pattern by handling the first-pass conversation inside the team where the code lives.

For internal security leaders, AppSec leads, and product security organisations, the right framing is that a champions programme is not a substitute for the central function. It is the way the central function scales without growing linearly with engineering. The central team still defines the standard, owns the policy, runs the training, calibrates severity, signs off on the controversial calls, and produces the programme-level read for leadership. Champions extend the reach of that standard into every team that ships code. Done well, the programme also becomes the primary AppSec recruiting funnel: the engineers who take the work seriously self-select as future security hires.

Programme Goals: What a Champions Program Should Actually Deliver

Before you select anybody, write down what the programme is supposed to deliver in six months. Without this, every champion drifts into a different job and the central function cannot tell whether the programme is working. Most successful programmes pick three or four operating outcomes from the list below and tie them to measurable signals that already exist in the engagement record.

Selecting Champions: Who to Pick and Why

Selection is the single biggest predictor of whether the programme works. Get it wrong and the programme is a checkbox. Get it right and the programme compounds: champions become senior engineers, mentor junior engineers, and seed the next generation of champions on adjacent teams.

A champion needs three properties in roughly this order. First, the champion needs technical credibility inside the team. The champion should already be respected by their peers, otherwise security guidance will be quietly ignored. Second, the champion needs an instinct for the security mindset, the ability to think about how a system fails rather than how it succeeds. This is teachable, but it is faster to recruit for it than to build it from a standing start. Third, the champion needs the bandwidth to do the work. A senior engineer who is already at one hundred and twenty percent capacity will not be a good champion no matter how interested they are.

Avoid two common selection mistakes. Do not appoint the most junior person on the team because they looked enthusiastic in an offsite session. The role is more political than technical: the champion has to push back on senior engineers, decline scope expansions, and call findings critical when the team wants to call them low. A junior engineer cannot do that consistently. Do not appoint the team lead either. The team lead is already accountable for delivery, and their incentive to ship will reliably beat their incentive to slow down for a security review. Pick a senior engineer who is not the team lead but is trusted by the team lead.

Make the role a real role. Allocate explicit time, typically twenty to thirty percent of a sprint, and write the responsibilities into the engineer's objectives so it is not invisible work. Champions who do the work in their spare time burn out within two quarters. Champions whose objectives include the programme outcomes stay in the role for years.

Defining the Champion Role: Responsibilities and Boundaries

Write the role description as a one-page document and circulate it to engineering leadership before the programme launches. The document should be concrete enough that an engineering manager can decide whether to nominate a particular engineer, and concrete enough that a champion knows when to push back on a request that is out of scope. The scope and boundaries below have worked across most internal AppSec organisations.

Training Curriculum and Onboarding

Champions arrive with strong engineering skills but uneven security backgrounds. The programme owns their training. Plan the first six weeks deliberately and treat the curriculum as a continuing commitment rather than a one-off bootcamp.

A working onboarding curriculum has four chunks. The first chunk is foundations: the OWASP Top 10, the CVSS 3.1 vector, the team's severity calibration, the org's remediation SLAs, and the vocabulary the central function uses on findings. Our OWASP Top 10 explained and CVSS scoring explained posts are designed to be onboarding reading. The second chunk is review skills: the secure code review checklist, the threat modelling pattern, and a worked walk-through of a real finding from intake to closure. The third chunk is the team-specific surface: the technologies the team owns, the authentication model, the data the team handles, the deployment topology, and the threat actors that actually matter. The fourth chunk is shadowing: the new champion sits in on a live triage session, a live secure code review, and a live retest from the central function before owning anything alone.

After onboarding, run a continuing curriculum that mirrors the programme's actual workload. A monthly syndicate meeting where champions share recent findings, review near-misses, and walk through one threat model is a strong rhythm. A quarterly deep-dive on a specific topic (TLS pitfalls, OAuth edge cases, container hardening) keeps the technical content moving. An annual review with the central function ties the programme back to engineering objectives.

Make the training visible. Champions should be able to point to a list of completed training modules at performance review time. This is not just career-development theatre. It is how the programme survives organisational changes: when a new VP of engineering asks why fifteen engineers have a security allocation, the training record is the answer.

Finding Handoff: From the Central Function to the Champion

The handoff from the central function to the champion is the moment most programmes fall over. The most common failure is not the volume of findings; it is that findings arrive without enough context for the champion to act, so they bounce back to the central function for clarification. Design the handoff deliberately and most of that overhead disappears.

A clean handoff has six elements on every finding: a precise reproduction case, the affected component mapped to the team that owns it, the severity with the CVSS vector, the remediation guidance with language-specific examples, the agreed SLA, and the named champion as the assignee. If any of these is missing, the handoff is incomplete and the central function should not pass the finding across yet. This is the same record the rest of the organisation reads from, so any update the champion makes (status, evidence, retest result) is visible to the central function in real time without an extra status meeting.

Wire the handoff into the same workflow that the central function already runs. Our scanner result triage workflow covers the upstream side, where scanner output becomes triaged findings, and the remediation tracking workflow covers the downstream side, where the champion drives the finding to closure with retest evidence on the same record. The vulnerability prioritisation workflow governs which findings go to the champion first.

Set a default cadence. A standing weekly thirty-minute slot between the central reviewer and the champion clears the queue, addresses ambiguity, and prevents the handoff from becoming a long asynchronous chain that nobody wants to read. Treat it as a small operational meeting, not a programme review.

RBAC and the Single Operating Record

The programme runs on a single operating record. That sounds obvious, but many programmes operate from three or four parallel records: a tracker for the central function, a spreadsheet for the champion, a chat thread for the team lead, and a ticket queue for the engineers doing the work. Each record drifts from the others within a sprint, and the central function ends up reading the wrong number at programme reviews.

The fix is to scope every actor to the same record using role-based access control. The central function operates as workspace admin or member. Champions operate as members on the engagements that cover the services their team owns. Engineers fixing the issue see the finding through a scoped portal view that shows them the finding, the severity, the evidence, and the remediation guidance, without exposing the full platform. SecPortal's team management feature implements RBAC tiers (owner, admin, member, viewer, billing) so this scoping is a configuration decision rather than a custom build, and workspace-enforced MFA with AAL2 session promotion gates the access at the session layer. The read-only portal view covers the team-level audience that needs to read finding state without seeing the rest of the programme.

Anchor the work on the engagement record. SecPortal's findings management feature tracks each finding with a CVSS 3.1 vector, owner, evidence, and remediation status, and the engagement management feature carries the scope, attached documents, and team assignment for the work the champion is doing. Importing prior findings via Nessus, Burp Suite, or CSV keeps the record continuous when champions take over an existing service.

Governance Cadence: Syndicate, Reviews, and the Central Function

The programme runs on three rhythms that the central function controls. Without them, champions drift and the central function loses the read.

Audit Evidence and Compliance Mapping

For internal AppSec organisations sitting inside an enterprise, the champions programme is also an audit artefact. Multiple frameworks expect named ownership, documented training, and demonstrable triage behaviour, and a champions programme answers most of those questions if you keep the evidence on the same record the programme operates on.

ISO 27001 Annex A 8.8 (Management of technical vulnerabilities) expects a documented process for identifying, evaluating, and treating technical vulnerabilities, with named ownership for the evaluation. SOC 2 CC7.1 expects monitoring of system components and a defined response. PCI DSS Requirement 6.3 expects identification, prioritisation, and remediation of vulnerabilities tied to a documented role. NIST SP 800-53 RA-5 expects vulnerability scanning with response. Each of these maps naturally to the champion-as-owner model when the role description, training record, and per-finding triage decisions live on the same engagement record.

SecPortal's compliance tracking feature maps findings and controls to ISO 27001, SOC 2, Cyber Essentials, PCI DSS, and NIST and exports the evidence pack as CSV when the auditor asks for it. The activity log keeps the timestamped chain of who did what (triage, status change, evidence upload, retest, closure) for findings, engagements, scans, documents, comments, invoices, and team changes, with plan retention of 30, 90, or 365 days. Pair the programme with our audit evidence half-life research to plan how long the evidence stays current and our security control drift research to plan recapture cadence between audits.

Document training as evidence. The programme's training curriculum, completion records, and the syndicate cadence are themselves audit artefacts. Attach the training material to the engagement record using the document management feature so the auditor reads training evidence from the same record they read the finding evidence from.

Metrics That Matter (and Metrics That Mislead)

Pick three or four programme metrics. Resist the temptation to instrument everything. The metrics that matter measure outcomes the central function actually wants to change. The metrics that mislead measure activity, which is easy to game and rarely correlates with outcome.

For the throughput-side metrics, anchor the definitions to the cycle-time stages in our remediation throughput research so the programme reads the same numbers the wider VM function reads, and use the reopen rate research to set a sensible threshold for when a champion's triage quality needs a coaching conversation.

Common Failure Modes and How to Avoid Them

Where the Programme Sits in the Wider Security Org

A champions programme is one workflow inside a wider AppSec or product security organisation. It sits alongside vulnerability management, compliance, scanner operations, and security leadership reporting. For an in-house engineering-side AppSec function, the programme is the team's primary scaling mechanism and the natural pairing with the SecPortal for AppSec teams workflow. For a cross-cutting product security organisation that sits between engineering, AppSec, vulnerability management, and incident response with PSIRT-style intake on top, the programme drives the engineering-side surface of the wider SecPortal for product security teams scope. For the platform engineers who run the scanner fleet, repository connections, and credential vault that the programme depends on, the SecPortal for security engineering teams workflow covers the underlying tooling stack the champions read from. For the CISO or director sponsoring the programme, the SecPortal for CISOs page covers how the programme's outcomes roll up into leadership reporting.

Pair the programme with adjacent enterprise workflows. The DevSecOps enterprise guide covers the CI/CD-side automation that complements the human champion in the team. The multi-team security operations guide covers the centralised, federated, and hybrid models the programme has to fit inside. The vulnerability management program guide covers the upstream and downstream workflow the champion plugs into.

Six-Month Launch Plan

For internal security leaders launching a champions programme, here is a workable six-month sequence. It is deliberately conservative: a programme that survives is worth far more than a programme that launches loudly and quietly stops in the second quarter.

1. Month one: write the role description, the operating outcomes, the metrics, and the training curriculum. Get sign-off from engineering leadership and the central security function. Pick the first three pilot teams.
2. Month two: recruit champions on the pilot teams. Run the foundations chunk of the curriculum. Wire the engagement record, the RBAC scoping, and the workspace MFA. Walk every champion through the operating record before they own anything.
3. Month three: begin the handoff. Pilot champions take ownership of triage on their teams under shadowing. The first syndicate meets. Track the latency metric from day one so the central function has a baseline.
4. Month four: expand to first-pass code review and lightweight threat modelling. Add three more teams to the pilot. Run the first programme review with the metrics you have, even if the data is thin.
5. Month five: fold the audit-evidence, training records, and compliance mapping into the engagement record. Run a calibration pass on severity decisions across champions to surface drift.
6. Month six: roll out to the next wave of teams. Promote the first cohort of champions to mentor the new ones. Run the first quarterly programme review with leadership and the first annual-style content review on the curriculum. Decide which operating outcomes graduate from tracking to committed for the next half.

Run the Programme on a Single Record

The single biggest operational lever a security champions programme has is recordkeeping. If the central function, the champion, and the engineer fixing the issue all read the same finding from the same record, the programme runs itself most of the time. If they each operate from a different record, the programme spends most of its energy reconciling. SecPortal is designed around that single record: findings management with CVSS 3.1 calibration, engagement management for the team-scoped scope, RBAC for champion access tiers, the read-only portal view for engineers, document management for training material, the activity log for the audit trail, and compliance tracking for the audit-evidence pack.

None of those features replace the role of a real champion. They make sure the work the champion does is visible to the central function, defensible to an auditor, and continuous across team rotations.