Role Overview
Manage Plan of Action & Milestones (POA&Ms) lifecycle, collect and maintain security control evidence, and analyze scan results for false positives. Collaborate with development, SRE, and infrastructure teams to integrate vulnerability management into CI/CD pipelines and cloud environments. Participate in change management processes to ensure continuous monitoring activities align with system changes and maintain compliance posture.
What You Will Do
Run regular and on-demand scans across operating systems, databases, web applications, and containers, then work with technical teams to create tickets for remediation. Track and document vendor dependencies, operational requirements, and open vulnerabilities, producing clear monthly reports and updates for clients.
Why It Might Be a Fit
You will work with a team of passionate problem-solvers who are hungry to learn, grow, and make a difference. You will have opportunities to join employee resource groups, participate in in-person and virtual events, and enjoy competitive perks and benefits to support you and your family.
Requirements
- 3–5 years of professional experience in vulnerability management, compliance monitoring, or related security operations roles
- Hands-on expertise with operating system, database, network, container, web application, and API vulnerability management
- Direct experience supporting vulnerability management in at least two of the following cloud providers: AWS, Azure, GCP
- Background working within at least one compliance framework (for example, FedRAMP, HITRUST, PCI), including risk assessment and reporting
- Administrator-level certification in AWS, Azure, or GCP
- Working knowledge of cloud architecture and security controls in AWS, Azure, or GCP
- Strong knowledge of vulnerability scanning technologies and methods, including scoring systems (CVSS, CMSS) and risk prioritization frameworks
- Understanding of NIST 800-53 security controls, particularly RA-5, SI-2, CM-6, and how continuous monitoring supports control implementation
- Experience with STIG benchmarks and automated compliance scanning tools (SCAP, SCC)
- Familiarity with baseline configuration standards (CIS Benchmarks, vendor hardening guides) and compliance posture reporting
- Ability to distinguish false positives from true vulnerabilities and articulate risk-based justifications for deviation requests
- Proficiency in scripting languages (Python, PowerShell, Bash) for task automation, report generation, and remediation workflows
- Strong client-facing communication and documentation skills, with ability to present technical findings to federal stakeholders and produce timely compliance reports
- Ability to work efficiently with cross-functional technical teams to investigate, prioritize, and coordin