Jobs · Analyst

Vulnerability Management Analyst

Dragonfli Group · United States · Yesterday
RemoteRemoteAnalystFull-time

Responsibilities

  • Lead and manage end-to-end vulnerability disclosure programs (VDP), including coordination with ethical hackers, system owners, and agency stakeholders.
  • Own attack surface management programs (e.g., CISA FAST), including scheduling, scope management, findings coordination, and POA&M documentation.
  • Manage and update Standard Operating Procedures (SOPs), SharePoint repositories, and program tracking documentation.
  • Lead recurring stakeholder syncs (weekly vulnerability management meetings, DMZ syncs, Security Report presentations).
  • Operate and maintain enterprise vulnerability scanning platforms including Tenable.sc, Tenable.io, and web application scanning tools (OpenText ScanCentral or equivalent).
  • Scope, schedule, execute, and report on vulnerability scans across large, complex federal environments.
  • Analyze scan results to identify critical and high-severity findings; triage false positives; prioritize remediation activities.
  • Manage hardware/software certification pipelines; process ServiceNow tickets within defined SLAs.
  • Support transition from legacy tools to modernized scanning platforms with minimal operational disruption.
  • Track and drive remediation of critical, high, and all severity-tiered vulnerabilities to closure within program SLAs.
  • Maintain accurate POA&M records for all open findings across program scope.
  • Produce and present vulnerability dashboards, compliance reports, and executive-level status briefings.
  • Validate remediation effectiveness through post-remediation scanning and analysis.
  • Monitor HTTPS/HSTS compliance and other BOD requirements (BOD 18-01, BOD 20-01, and others as applicable).
  • Build and maintain working relationships with CISA contacts, agency system owners, SOC personnel, and contractor teams.
  • Communicate vulnerability risks and remediation recommendations clearly to both technical and non-technical audiences.
  • Serve as subject matter expert and primary point of contact for assigned programs.
  • Provide backfill coverage across vulnerability management workstreams as needed.

Requirements

  • Must-Have:
    • 3+ years of hands-on vulnerability management experience within a federal agency environment.
    • Demonstrated program ownership: VDP, attack surface management, or equivalent independently managed programs.
    • Proficiency with Tenable.sc and/or Tenable.io (scan configuration, report generation, false positive management).
    • Experience with CISA programs (VDP, FAST, BOD compliance) or equivalent federal cybersecurity initiatives.
    • Working knowledge of ServiceNow or equivalent ITSM platforms for ticket management.
    • Ability to produce clean, accurate SOPs, POA&Ms, and stakeholder-facing documentation.
    • Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or equivalent practical experience.
    • Active security clearance or eligibility to obtain one preferred.
  • PREFERRED:
    • Experience operating WebInspect, OpenText ScanCentral, or equivalent DAST/web application scanning tools.
    • Familiarity with Bugcrowd or other managed bug bounty platforms.
    • Experience with HSTS/HTTPS compliance monitoring aligned to BOD 18-01.
    • Active certifications: Security+, CEH, CISSP, CISM, or Certified Vulnerability Assessor (CVA).
    • Experience leading or co-leading standing meetings with federal stakeholders.

Benefits

  • Health, Dental, and Vision Insurance
  • PTO
  • 401(k)
  • Remote work flexibility
  • Exposure to high-impact federal cybersecurity programs
  • Direct access to firm leadership and career development opportunities

Similar jobs