Vulnerability Analyst

What You'll Do

• Manage Plan of Action & Milestones (POA&Ms) lifecycle including creation, tracking, risk adjustment justification, and deviation requests in coordination with 3PAO assessors and federal stakeholders
• Collect, organize, and maintain security control evidence and artifacts for monthly continuous monitoring deliverables and assessment/authorization activities, ensuring alignment with FedRAMP, HITRUST, PCI, and similar frameworks
• Maintain accurate system inventory and authorization boundary documentation to ensure scanning scope aligns with approved system boundaries
• Analyze scan results for false positives, document justifications, and prepare deviation requests with supporting risk assessments
• Translate technical vulnerability findings into risk-based language for federal clients and authorization officials, presenting monthly status briefings as needed
• Collaborate with development, SRE, and infrastructure teams to integrate vulnerability management into CI/CD pipelines, cloud environments (AWS, Azure, GCP), and container/Kubernetes platforms
• Participate in change management processes to ensure continuous monitoring activities align with system changes and maintain compliance posture
• Support and maintain enterprise vulnerability management tools (such as Tenable, Nessus, Burp, Qualys, Rapid7, Wiz, Prisma, Microsoft Defender), ensuring timely updates and patches
• Run regular and on-demand scans across operating systems, databases, web applications, and containers, then work with technical teams to create tickets for remediation
• Track and document vendor dependencies, operational requirements, and open vulnerabilities, producing clear monthly reports and updates for clients
• Contribute to improving internal standards and processes, including maintaining documentation, training materials, and standard operating procedures

What You'll Bring

• 3–5 years of professional experience in vulnerability management, compliance monitoring, or related security operations roles
• Hands-on expertise with operating system, database, network, container, web application, and API vulnerability management
• Direct experience supporting vulnerability management in at least two of the following cloud providers: AWS, Azure, GCP
• Background working within at least one compliance framework (for example, FedRAMP, HITRUST, PCI), including risk assessment and reporting
• Experience delivering monthly or periodic vulnerability status reports and tracking remediation efforts with internal and external teams
• Administrator-level certification in AWS, Azure, or GCP
• Working knowledge of cloud architecture and security controls in AWS, Azure, or GCP, including ability to assess attack surfaces and recommend cloud-native remediation approaches
• Strong knowledge of vulnerability scanning technologies and methods, including scoring systems (CVSS, CMSS) and risk prioritization frameworks
• Understanding of NIST 800-53 security controls, particularly RA-5, SI-2, CM-6, and how continuous monitoring supports control implementation
• Experience with STIG benchmarks and automated compliance scanning tools (SCAP, SCC)
• Familiarity with baseline configuration standards (CIS Benchmarks, vendor hardening guides) and compliance posture reporting
• Ability to distinguish false positives from true vulnerabilities and articulate risk-based justifications for deviation requests
• Proficiency in scripting languages (Python, PowerShell, Bash) for task automation, report generation, and remediation workflows
• Strong client-facing communication and documentation skills, with ability to present technical findings to federal stakeholders and produce timely compliance reports
• Ability to work efficiently with cross-functional technical teams to investigate, prioritize, and coordinate vulnerability remediation efforts
• Bachelor’s degree or equivalent work experience.
• US citizenship (required due to client contractual requirements)

Bonus Points

• Security-focused cloud certifications for AWS, Azure, or GCP
• CISSP certification
• Familiarity with container security scanning tools (Trivy, Anchore, Snyk) and Kubernetes security postures
• Knowledge of software composition analysis (SCA) and static/dynamic application security testing (SAST/DAST) tools
• Familiarity with CI/CD security integration patterns and DevSecOps toolchains