Job Description

Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!

About the Role

Qualys is seeking a SeniorVulnerabilityAnalystto join the Product Security Incident Response Team (PSIRT) as a hands-on technical practitioner. Reporting to the Lead VulnerabilityAnalyst, you will execute the day-to-day work of vulnerabilitydiscovery, triage, analysis, and remediation tracking across a product portfolio of more than 35 products. Where the Lead owns program-level strategy, cross-functional accountability, and executive communications, this role is responsible for the depth and rigor of the technical analysis that underpins every PSIRT decision.

This is an individual contributor role for a mid-career security professional who thrives in the details: reviewing source code to assess exploitability, writing precise advisories, building detection logic, and driving engineering teams toward timely remediation. You will work across the full vulnerabilitylifecycle, from initial intake through coordinated disclosure, and contribute directly to the tools, automation, and processes that make the PSIRT function scale.

Key Responsibilities

Vulnerability Analysis & Triage

• Perform deep technical analysis of reported vulnerabilities, including root-cause investigation, exploitability assessment, CVSS and SSVC scoring, and impact determination across affected products.
• Triage incoming vulnerabilityreports from internal scanners, SCA tooling, external researchers, and coordinated disclosure channels, ensuring accurate classification and priority assignment.
• Analyze source code in C/C++, Java, and web application frameworks to validate vulnerabilityfindings and assess the effectiveness of proposed fixes.
• Support major incident response efforts led by the Lead VulnerabilityAnalyst, providing technical depth during war-room triage of high-severity and zero-day vulnerabilities.

Detection, Monitoring & Threat Hunting

• Build and maintain alerting rules and detection automation to identify known and emerging vulnerabilities in production products and services.
• Continuously hunt for CVEs and CWEs affecting Qualys components, third-party dependencies, and container base images; document findings with reproducible analysis.
• Monitor public vulnerabilitydatabases, threat intelligence feeds, and researcher disclosures to proactively identify exposure across the product portfolio.
• Investigate vulnerabilitytrends and systemic weakness patterns; surface findings to the Lead VulnerabilityAnalystto inform program-level priorities.
• Coordinate with counterparts in Security Operations, including CERT

Remediation Tracking & SLA Compliance

• Track engineering remediation efforts against defined patching SLAs, maintaining accurate status records for every open vulnerabilityacross product teams.
• Coordinate the determination of Affected Status for vulnerabilities and their corresponding fix timelines, working directly with product engineering owners.
• Review security exception requests, documenting technical justifications, compensating controls, and residual risk for Lead review and approval.
• Prepare SLA conformance reports and delinquency summaries for leadership review.

Advisory Authoring & Coordinated Disclosure

• Draft customer-facing Product Security Advisories (PSAs), ensuring technical accuracy, completeness, and consistency with PSIRT editorial standards.
• Coordinate with security testing teams to validate compensating controls, verify fix effectiveness, and confirm exploitability status prior to advisory publication.
• Support the Coordinated VulnerabilityDisclosure (CVD) process by managing researcher communications, tracking disclosure timelines, and preparing disclosure packages under the direction of the Lead.

Toolchain & Process Improvement

• Develop and enhance PSIRT tooling, including SCA and SAST integration workflows, SBOM analysis pipelines, container security, and vulnerabilitydata lake ingestion.
• Maintain and improve PSIRT runbooks, triage playbooks, and standard operating procedures based on lessons learned and evolving threat landscape.
• Build and refine dashboards and reporting artifacts that surface vulnerabilityposture, remediation velocity, and trend data for leadership and audit consumption.

Required Qualifications

• 5+ years of experience in vulnerabilityanalysis, product security, application security, or security engineering.
• 2+ years of experience operating within a PSIRT, CERT, or comparable vulnerabilitycoordination function.
• Strong written and verbale communication skills and attention to detail in technical documentation.
• Strong technical skills in vulnerabilityanalysis, including root-cause investigation, exploitability assessment, and CVSS/SSVC scoring.
• Demonstrated proficiency in operating system security (Linux), container security, and web application security.
• Working knowledge of C/C++, Java, and SaaS platform architectures sufficient to perform code-level vulnerabilityassessment.
• Hands-on experience with CVE/CWE analysis workflows, vulnerabilitydatabases, and threat intelligence sources.
• Experience drafting security advisories or technical vulnerabilitywrite-ups for external audiences.

Preferred Qualifications

• Experience with offensive security techniques, penetration testing, or red team operations.
• Familiarity with vulnerabilityhanding standards and best practices.
• Hands-on experience with SCA tools (e.g., Black Duck, Snyk, Trivy), SAST platforms, and SBOM tooling (SPDX, CycloneDX).
• Familiarity with NIST SSDF, Coordinated VulnerabilityDisclosure frameworks, and product security lifecycle models.
• Experience building detection rules, alerting logic, or security automation in scripting languages such as Python or Go.
• Exposure to data lake architectures, security telemetry pipelines, or vulnerabilityanalytics platforms.
• Active participation in the security community through CTFs, research publications, conference presentations, or open-source contributions.
• Relevant certifications such as OSCP, GPEN, GWAPT, CSSLP, or equivalent.

How This Role Relates to the Lead

The Lead VulnerabilityAnalystowns PSIRT program strategy, cross-functional escalation authority, executive reporting, and external disclosure relationships. The SeniorVulnerabilityAnalystprovides the technical execution layer: performing the detailed analysis, writing the initial advisory drafts, building the detection and tracking infrastructure, and ensuring every vulnerabilityhas a complete, auditable record from intake through closure. Together, the two roles form the analytical core of the PSIRT function.

Why Qualys

• Join a PSIRT function that is purpose-built to operate at the intersection of engineering accountability and security excellence.
• Work with a product portfolio that protects critical infrastructure across enterprise and government environments worldwide.
• Shape the vulnerabilitymanagement practices of a company whose core mission is security.
• Collaborate with a leadership team that values operational rigor, transparency, and continuous improvement.