Amex GBT runs a B2B travel platform that touches a $1.4 trillion industry across 140+ countries - meaning the attack surface is massive: payment data, traveler PII, corporate expense flows, and meeting logistics all flow through systems that bad actors have every incentive to target. The company went public in 2022 after merging with Apollo Strategic Growth Capital, and carries the regulatory and compliance weight you'd expect from a NYSE-listed entity processing sensitive financial and travel data at global scale.
The threat model here is broad. Corporate travel means handling passport details, travel itineraries, loyalty program credentials, and expense data for some of the world's largest enterprises. That's a rich target set - identity theft, business email compromise, and fraud pipelines all converge on the data Amex GBT stewards. The platform serves companies of all sizes, which means security architecture has to work across wildly different integration contexts and risk tolerances.
With roughly 18,000–19,000 employees and travel professionals spread across more than 140 countries, the operational complexity is real. Security teams here aren't just defending a single product - they're working across software, services, and managed travel operations where the perimeter is wherever a traveler logs in. The publicly traded status adds another layer: SOX compliance, SEC reporting obligations, and the scrutiny that comes with institutional investors watching.