Cybersecurity Engineer - Vulnerability Management

We're looking for a Cybersecurity Engineer to help us mature our vulnerability management program. You'll join our Cybersecurity team, a skilled group of programmers and security experts dedicated to keeping the firm safe. 

Vulnerability management is the focus of this role, but it doesn't tell the whole story—we want a well-rounded engineer whose knowledge spans the different facets of cybersecurity, because that broader perspective is what lets you reason well about real risk and where to spend effort.

Vulnerability management is a well-established part of how we keep the firm safe, and as we grow, we're continuing to invest in it, with a particular focus on automation and on scaling the program to keep pace with an expanding environment.

This is a hands-on, build-heavy role. We want someone with a strong technical foundation who isn't afraid to build something themselves, who has good judgment about what actually matters, and who can explain the "why" behind a risk and its mitigation. Manual triage doesn't scale at our size, so you'll lean on automation, including AI tooling paired with good judgment, knowing where it helps and when we need a human in the loop.

Your work will also include: 

• Supporting and improving the vulnerability management lifecycle end to end, from discovery and validation through triage, assignment, remediation tracking, and verification
• Reviewing new findings from automated scanning tools, threat intel, and security advisories, then prioritizing based on real exploitability and exposure rather than severity score alone, so we act on what genuinely matters
• Validating and deduplicating findings across sources, confirming whether an affected product or component is actually present, and routing work to the team that owns the fix
• Measuring scanning coverage and data quality and knowing what isn't being scanned, where scans are stale, and where authentication is failing, rather than assuming coverage is complete
• Driving automation across vulnerability management tooling and processes
• Broadening scanning coverage across asset classes, including evaluating and migrating scanning platforms as needed
• Bringing software inventory and SBOM data into the picture so we can answer where a vulnerable component is used across our software, not just what's running on a given host
• Building dashboards and metrics that measure coverage, SLAs, and progress

• You automate rather than do things by hand, keep your code and configs in version control by default, work comfortably under code review, and care about leaving things maintainable
• You’re comfortable working with data, querying and shaping it, and building and debugging the data pipelines and integrations that stitch messy, inconsistent inputs into something dependable
• You have hands-on vulnerability management experience in a substantial environment, including experience with an automated scanning platform such as Rapid7, Tenable, or Qualys, and an understanding of how scanning, asset inventory, and remediation tracking fit together
• You’re a measured responder who reasons about trade-offs and context, understands threat modeling, and knows not every finding deserves the same urgency
• You follow cybersecurity developments and can tell the difference between an interesting hack and what matters day-to-day
• You understand and practice good personal cybersecurity hygiene, and can talk to others about it
• You’re a clear communicator across audiences, who writes things down so others can follow
• You have a positive and collaborative attitude; You understand that a key component of cybersecurity is bringing others along with you on the journey

If you're a recruiting agency and want to partner with us, please reach out to [email protected]