Qualys Security Techservices Private Limited

Senior Vulnerability Analyst

Pune
Not disclosed
Work from Office
Full Time
Min. 5 years

Job Description

Senior Vulnerability Analyst

Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!

About the Role

Qualys is seeking a Senior Vulnerability Analyst to join the Product Security Incident Response Team (PSIRT) as a hands-on technical practitioner. Reporting to the Lead Vulnerability Analyst, you will execute the day-to-day work of vulnerability discovery, triage, analysis, and remediation tracking across a product portfolio of more than 35 products. Where the Lead owns program-level strategy, cross-functional accountability, and executive communications, this role is responsible for the depth and rigor of the technical analysis that underpins every PSIRT decision.

This is an individual contributor role for a mid-career security professional who thrives in the details: reviewing source code to assess exploitability, writing precise advisories, building detection logic, and driving engineering teams toward timely remediation. You will work across the full vulnerability lifecycle, from initial intake through coordinated disclosure, and contribute directly to the tools, automation, and processes that make the PSIRT function scale.

Key Responsibilities

Vulnerability Analysis & Triage

  • Perform deep technical analysis of reported vulnerabilities, including root-cause investigation, exploitability assessment, CVSS and SSVC scoring, and impact determination across affected products.
  • Triage incoming vulnerability reports from internal scanners, SCA tooling, external researchers, and coordinated disclosure channels, ensuring accurate classification and priority assignment.
  • Analyze source code in C/C++, Java, and web application frameworks to validate vulnerability findings and assess the effectiveness of proposed fixes.
  • Support major incident response efforts led by the Lead Vulnerability Analyst, providing technical depth during war-room triage of high-severity and zero-day vulnerabilities.

Detection, Monitoring & Threat Hunting

  • Build and maintain alerting rules and detection automation to identify known and emerging vulnerabilities in production products and services.
  • Continuously hunt for CVEs and CWEs affecting Qualys components, third-party dependencies, and container base images; document findings with reproducible analysis.
  • Monitor public vulnerability databases, threat intelligence feeds, and researcher disclosures to proactively identify exposure across the product portfolio.
  • Investigate vulnerability trends and systemic weakness patterns; surface findings to the Lead Vulnerability Analyst to inform program-level priorities.
  • Coordinate with counterparts in Security Operations, including CERT

Remediation Tracking & SLA Compliance

  • Track engineering remediation efforts against defined patching SLAs, maintaining accurate status records for every open vulnerability across product teams.
  • Coordinate the determination of Affected Status for vulnerabilities and their corresponding fix timelines, working directly with product engineering owners.
  • Review security exception requests, documenting technical justifications, compensating controls, and residual risk for Lead review and approval.
  • Prepare SLA conformance reports and delinquency summaries for leadership review.

Advisory Authoring & Coordinated Disclosure

  • Draft customer-facing Product Security Advisories (PSAs), ensuring technical accuracy, completeness, and consistency with PSIRT editorial standards.
  • Coordinate with security testing teams to validate compensating controls, verify fix effectiveness, and confirm exploitability status prior to advisory publication.
  • Support the Coordinated Vulnerability Disclosure (CVD) process by managing researcher communications, tracking disclosure timelines, and preparing disclosure packages under the direction of the Lead.

Toolchain & Process Improvement

  • Develop and enhance PSIRT tooling, including SCA and SAST integration workflows, SBOM analysis pipelines, container security, and vulnerability data lake ingestion.
  • Maintain and improve PSIRT runbooks, triage playbooks, and standard operating procedures based on lessons learned and the evolving threat landscape.
  • Build and refine dashboards and reporting artifacts that surface vulnerability posture, remediation velocity, and trend data for leadership and audit consumption.

Required Qualifications

  • 5+ years of experience in vulnerability analysis, product security, application security, or security engineering.
  • 2+ years of experience operating within a PSIRT, CERT, or comparable vulnerability coordination function.
  • Strong written and verbal communication skills and attention to detail in technical documentation.
  • Strong technical skills in vulnerability analysis, including root-cause investigation, exploitability assessment, and CVSS/SSVC scoring.
  • Demonstrated proficiency in operating system security (Linux), container security, and web application security.
  • Working knowledge of C/C++, Java, and SaaS platform architectures sufficient to perform code-level vulnerability assessment.
  • Hands-on experience with CVE/CWE analysis workflows, vulnerability databases, and threat intelligence sources.
  • Experience drafting security advisories or technical vulnerability write-ups for external audiences.

Preferred Qualifications

  • Experience with offensive security techniques, penetration testing, or red team operations.
  • Familiarity with vulnerability handling standards and best practices.
  • Hands-on experience with SCA tools (e.g., Black Duck, Snyk, Trivy), SAST platforms, and SBOM tooling (SPDX, CycloneDX).
  • Familiarity with NIST SSDF, Coordinated Vulnerability Disclosure frameworks, and product security lifecycle models.
  • Experience building detection rules, alerting logic, or security automation in scripting languages such as Python or Go.
  • Exposure to data lake architectures, security telemetry pipelines, or vulnerability analytics platforms.
  • Active participation in the security community through CTFs, research publications, conference presentations, or open-source contributions.
  • Relevant certifications such as OSCP, GPEN, GWAPT, CSSLP, or equivalent.

How This Role Relates to the Lead

The Lead Vulnerability Analyst owns PSIRT program strategy, cross-functional escalation authority, executive reporting, and external disclosure relationships. The Senior Vulnerability Analyst provides the technical execution layer: performing the detailed analysis, writing the initial advisory drafts, building the detection and tracking infrastructure, and ensuring every vulnerability has a complete, auditable record from intake through closure. Together, the two roles form the analytical core of the PSIRT function.

Why Qualys

  • Join a PSIRT function that is purpose-built to operate at the intersection of engineering accountability and security excellence.
  • Work with a product portfolio that protects critical infrastructure across enterprise and government environments worldwide.
  • Shape the vulnerability management practices of a company whose core mission is security.
  • Collaborate with a leadership team that values operational rigor, transparency, and continuous improvement.

Experience Level

Senior Level

Job role

Work location: Pune, India
Department: IT & Information Security
Role / Category: IT Security
Employment type: Full Time
Shift: Day Shift

Job requirements

Experience: Min. 5 years

About company

Name: Qualys Security Techservices Private Limited
Job posted by Qualys Security Techservices Private Limited
