Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!

About the Role
Qualys is seeking a Lead Vulnerability Analyst to serve as a senior technical leader within the Product Security Incident Response Team (PSIRT).
This individual will own the end-to-end lifecycle of vulnerability identification, triage, coordination, and disclosure across the Qualys product portfolio.
You will operate at the intersection of security engineering, incident response, and cross-functional program management, ensuring that Qualys products maintain the highest security posture for our global customer base.
This is a high-visibility role requiring deep technical expertise, collaboration, executive communication skills, and the judgment to navigate complex vulnerability scenarios under pressure.
You will work closely with Engineering, Product Management, and Security leadership to drive accountability, accelerate remediation, and continuously mature the PSIRT function.
This is a role for a mid-career professional who operates like an owner.

Key Responsibilities

Vulnerability Assessment & Incident Coordination
Assess and triage vulnerabilities reported through internal discovery, external researchers, and automated tooling across the Qualys product portfolio of more than 35 products.
Coordinate software incident handling across Engineering, Product, and Security teams in alignment with the ISO/IEC 30111 and ISO/IEC 29147 standards.
Lead major incident response for high-severity and zero-day vulnerabilities, managing cross-functional war rooms through resolution.
Enable and manage escalation workflows, ensuring critical findings reach decision-makers with appropriate context and urgency.

Policy, Compliance & SLA Enforcement
Review and enforce security policies governing test automation, build configurations, and production incident handling.
Coordinate the determination of Affected Status for vulnerabilities and their corresponding fix timelines.
Assess engineering requests for security exceptions, documenting risk acceptance decisions and compensating controls.
Hold Product and Engineering teams accountable for patching within defined SLAs, tracking remediation velocity and reporting delinquencies to leadership.

Advisories & Coordinated Vulnerability Disclosure
Author, review, and publish Product Security Advisories (PSAs) in compliance with CSAF VEX format requirements.
Run the Coordinated Vulnerability Disclosure (CVD) process end-to-end, managing relationships with external researchers, CERTs, and industry partners.
Coordinate security testing and validation of compensating controls, fixes, and exploitability status prior to advisory publication.

Detection, Alerting & Trend Analysis
Instrument and operate alerting systems to detect production vulnerabilities in shipped products and services.

Toolchain, Process & Continuous Improvement
Support the development and maturation of a best-in-class PSIRT toolchain, including SBOM analysis, SCA, SAST integration, container security, and vulnerability data lake infrastructure.

What You Will Do Beyond the Day-to-Day
Shape the vulnerability management practices of a company whose core mission is security.
Collaborate with a leadership team that values operational rigor, transparency, and continuous improvement.

Qualifications
7+ years of experience in vulnerability management, product security, application security, or security engineering.
3+ years of experience leading or operating within a PSIRT, CERT, or comparable incident response function.

Requirements
Deep technical expertise in operating system security (Linux), container security, client-side product security, and web application security.
Strong domain knowledge of C/C++, Java, and SaaS platform architectures, with the ability to assess vulnerability impact at the code level.
Hands-on experience with CVE/CWE analysis, CVSS scoring, and SSVC scoring.
Expertise managing, leading, or materially supporting Coordinated Vulnerability Disclosure programs.
Strong written and verbal communication skills.
Experience leading or contributing to offensive security, red teaming, or penetration testing operations.
Familiarity with NIST SSDF, Coordinated Vulnerability Disclosure, and product security frameworks.
Experience with SCA tools (e.g., Black Duck, Snyk, Trivy), SAST platforms, and SBOM generation tooling (SPDX, CycloneDX).
Hands-on expertise in C/C++, Java, and SaaS platform architectures.
Proficiency with data lake architectures, security telemetry pipelines, and vulnerability analytics platforms.
Relevant certifications such as OSCP, OSCE, GPEN, GXPN, CSSLP, or equivalent.