Lead Vulnerability Analyst

Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!

Qualys is seeking a Lead Vulnerability Analyst to serve as a senior technical leader within the Product Security Incident Response Team (PSIRT). This individual will own the end-to-end lifecycle of vulnerability identification, triage, coordination, and disclosure across the Qualys product portfolio. You will operate at the intersection of security engineering, incident response, and cross-functional program management, ensuring that Qualys products maintain the highest security posture for our global customer base.

This is a high-visibility role requiring deep technical expertise, collaboration, executive communication skills, and the judgment to navigate complex vulnerability scenarios under pressure. You will work closely with Engineering, Product Management, and Security leadership to drive accountability, accelerate remediation, and continuously mature the PSIRT function. This is a role for a mid-career professional that operates like an owner.

Vulnerability Assessment & Incident Coordination

• Assess and triage vulnerabilities reported through internal discovery, external researchers, and automated tooling across the Qualys product portfolio of more than 35 products.
• Coordinate software incident handling across Engineering, Product, and Security teams in alignment with ISO/IEC 30111 and ISO/IEC 29147 standards.
• Lead major incident response for high-severity and zero-day vulnerabilities, managing cross-functional war rooms through resolution.

Detection, Alerting & Trend Analysis

• Instrument and operate alerting systems to detect production vulnerabilities in shipped products and services.
• Hunt for CVEs and CWEs affecting Qualys components, dependencies, and third-party integrations; identify recurring vulnerability trends and systemic weaknesses.
• Enable and manage escalation workflows, ensuring critical findings reach decision-makers with appropriate context and urgency.

Policy, Compliance & SLA Enforcement

• Review and enforce security policies governing test automation, build configurations, and production incident handling.
• Coordinate the determination of Affected Status for vulnerabilities and their corresponding fix timelines
• Assess engineering requests for security exceptions, documenting risk acceptance decisions and compensating controls.
• Hold Product and Engineering teams accountable for patching within defined SLAs, tracking remediation velocity and reporting delinquencies to leadership.

Advisories & Coordinated Vulnerability Disclosure

• Author, review, and publish Product Security Advisories (PSAs) in compliance with CSAF VEX format requirements.
• Run the Coordinated Vulnerability Disclosure (CVD) process end-to-end, managing relationships with external researchers, CERTs, and industry partners.
• Coordinate security testing and validation of compensating controls, fixes, and exploitability status prior to advisory publication.

Toolchain, Process & Continuous Improvement

• Support the development and maturation of a best-in-class PSIRT toolchain, including SBOM analysis, SCA, SAST integration, container security, and vulnerability data lake infrastructure.
• Continuously improve PSIRT runbooks, standard operating procedures, and playbooks to increase response speed, consistency, customer communications, stakeholder management, and audit-readiness.
• Contribute to the design and operationalization of metrics and dashboards that provide leadership visibility into vulnerability posture and remediation trends.

• 7+ years of experience in vulnerability management, product security, application security, or security engineering.
• 3+ years of experience leading or operating within a PSIRT, CERT, or comparable incident response function.
• Demonstrated leadership in major incident handling, escalation management, and cross-functional coordination under time pressure.
• Deep technical expertise in operating system security (Linux), container security, client-side product security, and web application security.
• Strong domain knowledge of C/C++, Java, and SaaS platform architectures, with the ability to assess vulnerability impact at the code level.
• Hands-on experience with CVE/CWE analysis, CVSS scoring, SSVC scoring
• Expertise managing, leading, or materially supporting Coordinated Vulnerability Disclosure Programs
• Strong written and verbal communications skills, experience authoring customer-facing security advisories and communicating technical risk to executive and non-technical audiences.

• Previous experience leading or contributing to offensive security, red teaming, or penetration testing operations.
• Familiarity with NIST SSDF, Coordinated Vulnerability Disclosure, and product security framewroks
• Experience with SCA tools (e.g., Black Duck, Snyk, Trivy), SAST platforms, and SBOM generation tooling (SPDX, CycloneDX).
• Hands-on expertise in C/C++, Java, and SaaS platform architectures
• Proficiency with data lake architectures, security telemetry pipelines, and vulnerability analytics platforms.
• Active participation in the broader security community through research publications, conference presentations, or open-source contributions.
• Relevant certifications such as OSCP, OSCE, GPEN, GXPN, CSSLP, or equivalent.

• Join a PSIRT function that is purpose-built to operate at the intersection of engineering accountability and security excellence.
• Work with a product portfolio that protects critical infrastructure across enterprise and government environments worldwide.
• Shape the vulnerability management practices of a company whose core mission is security.
• Collaborate with a leadership team that values operational rigor, transparency, and continuous improvement.