Qualys

Lead Vulnerability Analyst

Pune, India · Full time · Remote friendly

The Brief

“Lead Vulnerability Analyst at Qualys. Skills: Vulnerability Assessment & Incident Coordination; Detection, Alerting & Trend Analysis; Policy, Compliance & SLA Enforcement; Advisories & Coordinated Vulnerability Disclosure; Toolchain, Process & Continuous Improvement. Own the end-to-end lifecycle of vulnerability identification, triage, coordination, and disclosure across the Qualys product portfolio. Assess and triage vulnerabilities reported through internal discovery, external researchers, and automated tooling.”

What You'll Achieve.

  • Ensure that Qualys products maintain the highest security posture for our global customer base
  • Drive accountability, accelerate remediation, and continuously mature the PSIRT function
  • Increase response speed, consistency, customer communications, stakeholder management, and audit-readiness
  • Provide leadership visibility into vulnerability posture and remediation trends

Industry & Context.

Problems you'll solve

  • Navigate complex vulnerability scenarios under pressure
  • Identify recurring vulnerability trends and systemic weaknesses

What They're Looking For.

Must Have

  • 7+ years of experience in vulnerability management, product security, application security, or security engineering
  • 3+ years of experience leading or operating within a PSIRT, CERT, or comparable incident response function
  • Demonstrated leadership in major incident handling, escalation management, and cross-functional coordination under time pressure
  • Deep technical expertise in operating system security (Linux), container security, client-side product security, and web application security
  • Domain knowledge of C/C++, Java, and SaaS platform architectures, with the ability to assess vulnerability impact at the code level
  • Hands-on experience with CVE/CWE analysis, CVSS scoring, and SSVC scoring
  • Expertise managing, leading, or materially supporting Coordinated Vulnerability Disclosure programs
  • Strong written and verbal communication skills, with experience authoring customer-facing security advisories and communicating technical risk to executive and non-technical audiences

Nice to Have

  • Previous experience leading or contributing to offensive security, red teaming, or penetration testing operations
  • Familiarity with NIST SSDF, Coordinated Vulnerability Disclosure, and product security frameworks
  • Experience with SCA tools (e.g., Black Duck, Snyk, Trivy), SAST platforms, and SBOM generation tooling (SPDX, CycloneDX)
  • Hands-on expertise in C/C++, Java, and SaaS platform architectures
  • Proficiency with data lake architectures, security telemetry pipelines, and vulnerability analytics platforms
  • Active participation in the broader security community through research publications, conference presentations, or open-source contributions
  • Relevant certifications such as OSCP, OSCE, GPEN, GXPN, CSSLP, or equivalent

What You'll Do.

  • Own the end-to-end lifecycle of vulnerability identification, triage, coordination, and disclosure across the Qualys product portfolio
  • Assess and triage vulnerabilities reported through internal discovery, external researchers, and automated tooling
  • Coordinate software incident handling across Engineering, Product, and Security teams
  • Lead major incident response for high-severity and zero-day vulnerabilities, managing cross-functional war rooms through resolution
  • Instrument and operate alerting systems to detect production vulnerabilities in shipped products and services
  • Hunt for CVEs and CWEs affecting Qualys components, dependencies, and third-party integrations; identify recurring vulnerability trends and systemic weaknesses
  • Enable and manage escalation workflows
  • Review and enforce security policies governing test automation and production incident handling
  • Coordinate the determination of Affected Status for vulnerabilities and their corresponding fix timelines
  • Assess engineering requests for security exceptions, documenting risk acceptance decisions and compensating controls
  • Hold Product and Engineering teams accountable for patching within defined SLAs, tracking remediation velocity and reporting delinquencies to leadership
  • … and publish Product Security Advisories (PSAs)
  • Run the Coordinated Vulnerability Disclosure (CVD) process end-to-end
  • Coordinate security testing and validation of compensating controls and exploitability status prior to advisory publication
  • Support the development and maturation of a best-in-class PSIRT toolchain
  • Continuously improve PSIRT runbooks and standard operating procedures
  • Contribute to the design and operationalization of metrics and dashboards

How You'll Work.

Team & Collaboration

  • Operate at the intersection of security engineering, incident response, and cross-functional program management
  • Work closely with Engineering, Product Management, and Security leadership to drive accountability, accelerate remediation, and continuously mature the PSIRT function
  • Coordinate software incident handling across Engineering, Product, and Security teams, managing cross-functional war rooms through resolution
  • Manage relationships with external researchers, CERTs, and industry partners

Communication Scope

  • Executive communication skills; written and verbal communication skills
  • Authoring customer-facing security advisories
  • Communicating technical risk to executive and non-technical audiences
  • Transparency

Process & Methodology

  • Cross-functional program management
  • Escalation management
  • Coordinated Vulnerability Disclosure programs

Full Job Description

Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!

**About the Role**

Qualys is seeking a Lead Vulnerability Analyst to serve as a senior technical leader within the Product Security Incident Response Team (PSIRT). This individual will own the end-to-end lifecycle of vulnerability identification, triage, coordination, and disclosure across the Qualys product portfolio. You will operate at the intersection of security engineering, incident response, and cross-functional program management, ensuring that Qualys products maintain the highest security posture for our global customer base. This is a high-visibility role requiring deep technical expertise, collaboration, executive communication skills, and the judgment to navigate complex vulnerability scenarios under pressure. You will work closely with Engineering, Product Management, and Security leadership to drive accountability, accelerate remediation, and continuously mature the PSIRT function. This is a role for a mid-career professional who operates like an owner.

**Key Responsibilities**

**Vulnerability Assessment & Incident Coordination**

  • Assess and triage vulnerabilities reported through internal discovery, external researchers, and automated tooling across the Qualys product portfolio of more than 35 products.
  • Coordinate software incident handling across Engineering, Product, and Security teams in alignment with ISO/IEC 30111 and ISO/IEC 29147 standards.
  • Lead major incident response for high-severity and zero-day vulnerabilities, managing cross-functional war rooms through resolution.

**Detection, Alerting & Trend Analysis**

  • Instrument and operate alerting systems to detect production vulnerabilities in shipped products and services.
  • Hunt for CVEs and CWEs affecting Qualys components, dependencies, and third-party integrations; identify recurring vulnerability trends and systemic weaknesses.
  • Enable and manage escalation workflows,
