Senior Vulnerability Analyst

Come work at a place where innovation and teamwork come together to support the most exciting missions in the world! About the Role Qualys is seeking a   Senior   Vulnerability   Analyst   to join the Product Security Incident Response Team (PSIRT) as a hands-on technical practitioner. Reporting to the Lead   Vulnerability   Analyst , you will execute the day-to-day work of   vulnerability   discovery, triage, analysis, and remediation tracking across a product portfolio of more than 35 products. Where the Lead owns program-level strategy, cross-functional accountability, and executive communications, this role is responsible for the depth and rigor of the technical analysis that underpins every PSIRT decision. This is an individual contributor role for a mid-career security professional who thrives in the details: reviewing source code to assess exploitability, writing precise advisories, building detection logic, and driving engineering teams toward timely remediation. You will work across the full   vulnerability   lifecycle, from initial intake through coordinated disclosure, and contribute directly to the tools, automation, and processes that make the PSIRT function scale. Key Responsibilities Vulnerability Analysis & Triage Perform deep technical analysis of reported vulnerabilities, including root-cause investigation, exploitability assessment, CVSS and SSVC scoring, and impact determination across affected products. Triage incoming   vulnerability   reports from internal scanners, SCA tooling, external researchers, and coordinated disclosure channels, ensuring accurate classification and priority assignment. Analyze source code in C/C++, Java, and web application frameworks to validate   vulnerability   findings and assess the effectiveness of proposed fixes. Support major incident response efforts led by the Lead   Vulnerability   Analyst , providing technical depth during war-room triage of high-severity and zero-day vulnerabilities. Detection, Monitoring & Threat Hunting Build and maintain alerting rules and detection automation to identify known and emerging vulnerabilities in production products and services. Continuously hunt for CVEs and CWEs affecting Qualys components, third-party dependencies, and container base images; document findings with reproducible analysis. Monitor public   vulnerability   databases, threat intelligence feeds, and researcher disclosures to proactively identify exposure across the product portfolio. Investigate   vulnerability   trends and systemic weakness patterns; surface findings to the Lead   Vulnerability   Analyst   to inform program-level priorities. Coordinate with counterparts in Security Operations, including CERT Remediation Tracking & SLA Compliance Track engineering remediation efforts against defined patching SLAs, maintaining accurate status records for every open   vulnerability   across product teams. Coordinate the determination of Affected Status for vulnerabilities and their corresponding fix timelines, working directly with product engineering owners. Review security exception requests, documenting technical justifications, compensating controls, and residual risk for Lead review and approval. Prepare SLA conformance reports and delinquency summaries for leadership review. Advisory Authoring & Coordinated Disclosure Draft customer-facing Product Security Advisories (PSAs), ensuring technical accuracy, completeness, and consistency with PSIRT editorial standards. Coordinate with security testing teams to validate compensating controls, verify fix effectiveness, and confirm exploitability status prior to advisory publication. Support the Coordinated   Vulnerability   Disclosure (CVD) process by managing researcher communications, tracking disclosure timelines, and preparing disclosure packages under the direction of the Lead. Toolchain & Process Improvement Develop and enhance PSIRT tooling, including SCA and SAST integration workflows, SBOM analysis pipelines, container security, and   vulnerability   data lake ingestion. Maintain and improve PSIRT runbooks, triage playbooks, and standard operating procedures based on lessons learned and evolving threat landscape. Build and refine dashboards and reporting artifacts that surface   vulnerability   posture, remediation velocity, and trend data for leadership and audit consumption. Required Qualifications 5+ years of experience in   vulnerability   analysis, product security, application security, or security engineering. 2+ years of experience operating within a PSIRT, CERT, or comparable   vulnerability   coordination function. Strong written and verbale communication skills and attention to detail in technical documentation. Strong technical skills in   vulnerability   analysis, including root-cause investigation, exploitability assessment, and CVSS/SSVC scoring. Demonstrated proficiency in operating system security (Linux), container security, and web application security. Working knowledge of C/C++, Java, and SaaS platform architectures sufficient to perform code-level   vulnerability   assessment. Hands-on experience with CVE/CWE analysis workflows,   vulnerability   databases, and threat intelligence sources. Experience drafting security advisories or technical   vulnerability   write-ups for external audiences. Preferred Qualifications Experience with offensive security techniques, penetration testing, or red team operations. Familiarity with   vulnerability   handing standards and best practices. Hands-on experience with SCA tools (e.g., Black Duck, Snyk, Trivy), SAST platforms, and SBOM tooling (SPDX, CycloneDX). Familiarity with NIST SSDF, Coordinated   Vulnerability   Disclosure frameworks, and product security lifecycle models. Experience building detection rules, alerting logic, or security automation in scripting languages such as Python or Go. Exposure to data lake architectures, security telemetry pipelines, or   vulnerability   analytics platforms. Active participation in the security community through CTFs, research publications, conference presentations, or open-source contributions. Relevant certifications such as OSCP, GPEN, GWAPT, CSSLP, or equivalent. How This Role Relates to the Lead The Lead   Vulnerability   Analyst   owns PSIRT program strategy, cross-functional escalation authority, executive reporting, and external disclosure relationships. The   Senior   Vulnerability   Analyst   provides the technical execution layer: performing the detailed analysis, writing the initial advisory drafts, building the detection and tracking infrastructure, and ensuring every   vulnerability   has a complete, auditable record from intake through closure. Together, the two roles form the analytical core of the PSIRT function. Why Qualys Join a PSIRT function that is purpose-built to operate at the intersection of engineering accountability and security excellence. Work with a product portfolio that protects critical infrastructure across enterprise and government environments worldwide. Shape the   vulnerability   management practices of a company whose core mission is security. Collaborate with a leadership team that values operational rigor, transparency, and continuous improvement.