Vulnerability Management Analyst
Dragonfli Group · United States · Yesterday
RemoteRemoteAnalystFull-time
Responsibilities
- Lead and manage end-to-end vulnerability disclosure programs (VDP), including coordination with ethical hackers, system owners, and agency stakeholders.
- Own attack surface management programs (e.g., CISA FAST), including scheduling, scope management, findings coordination, and POA&M documentation.
- Manage and update Standard Operating Procedures (SOPs), SharePoint repositories, and program tracking documentation.
- Lead recurring stakeholder syncs (weekly vulnerability management meetings, DMZ syncs, Security Report presentations).
- Operate and maintain enterprise vulnerability scanning platforms including Tenable.sc, Tenable.io, and web application scanning tools (OpenText ScanCentral or equivalent).
- Scope, schedule, execute, and report on vulnerability scans across large, complex federal environments.
- Analyze scan results to identify critical and high-severity findings; triage false positives; prioritize remediation activities.
- Manage hardware/software certification pipelines; process ServiceNow tickets within defined SLAs.
- Support transition from legacy tools to modernized scanning platforms with minimal operational disruption.
- Track and drive remediation of critical, high, and all severity-tiered vulnerabilities to closure within program SLAs.
- Maintain accurate POA&M records for all open findings across program scope.
- Produce and present vulnerability dashboards, compliance reports, and executive-level status briefings.
- Validate remediation effectiveness through post-remediation scanning and analysis.
- Monitor HTTPS/HSTS compliance and other BOD requirements (BOD 18-01, BOD 20-01, and others as applicable).
- Build and maintain working relationships with CISA contacts, agency system owners, SOC personnel, and contractor teams.
- Communicate vulnerability risks and remediation recommendations clearly to both technical and non-technical audiences.
- Serve as subject matter expert and primary point of contact for assigned programs.
- Provide backfill coverage across vulnerability management workstreams as needed.
Requirements
- Must-Have:
- 3+ years of hands-on vulnerability management experience within a federal agency environment.
- Demonstrated program ownership: VDP, attack surface management, or equivalent independently managed programs.
- Proficiency with Tenable.sc and/or Tenable.io (scan configuration, report generation, false positive management).
- Experience with CISA programs (VDP, FAST, BOD compliance) or equivalent federal cybersecurity initiatives.
- Working knowledge of ServiceNow or equivalent ITSM platforms for ticket management.
- Ability to produce clean, accurate SOPs, POA&Ms, and stakeholder-facing documentation.
- Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or equivalent practical experience.
- Active security clearance or eligibility to obtain one preferred.
- PREFERRED:
- Experience operating WebInspect, OpenText ScanCentral, or equivalent DAST/web application scanning tools.
- Familiarity with Bugcrowd or other managed bug bounty platforms.
- Experience with HSTS/HTTPS compliance monitoring aligned to BOD 18-01.
- Active certifications: Security+, CEH, CISSP, CISM, or Certified Vulnerability Assessor (CVA).
- Experience leading or co-leading standing meetings with federal stakeholders.
Benefits
- Health, Dental, and Vision Insurance
- PTO
- 401(k)
- Remote work flexibility
- Exposure to high-impact federal cybersecurity programs
- Direct access to firm leadership and career development opportunities