Senior Product Manager, Attack Surface Management

Come work at a place where innovation and teamwork come together to support the most exciting missions in the world! Senior Product Manager, Attack Surface Management About Qualys Qualys, Inc. (NASDAQ: QLYS) is a cloud security and compliance company with 10,000+ subscription customers worldwide, including many Forbes Global 100 and Fortune 100 organizations. Qualys helps teams consolidate security and compliance workflows on one platform to improve outcomes, increase agility, and reduce cost. Role overview This role owns Attack Surface Management as a core pillar of the Qualys TruRisk Platform, built on top of the Unified Inventory layer that powers ETM. You will drive how Qualys discovers, attributes, correlates, and governs the external attack surface (EASM) & Internal Attack Surface and connects it to the broader enterprise inventory used by ETM across different asset types such as hosts, containers, cloud resources, SaaS services, and identities. The goal is a single trusted inventory that enables ETM outcomes end-to-end: • build a complete and continuously updated perimeter (internal & external) • link exposures to vulnerabilities, misconfigurations, compliance and identity risk • provide business context for prioritization, reporting, and TruRisk outcomes • uncover and operationalize Shadow IT and unmanaged internet-facing assets This is a platform-minded PM role combining CAASM-style inventory and EASM-style external discovery: multi-source ingestion, attribution and identity resolution, deduplication and reconciliation, governance workflows, and risk-ready insights. What you will own You will lead one or more areas depending on strengths and roadmap priorities. Unified Inventory for ETM (core platform) • Multi-source ingestion: APIs, webhooks, bulk imports, partner integrations (ServiceNow, Jira, CMDB, CSPM, IdP) • Identity resolution and reconciliation: correlation, dedupe, entity resolution across sources • Normalization and tokenization: standard attributes, tags, metadata enrichment, schema strategy across asset types • Staging and governance workflows: validation, conflict handling, approvals, audit and change history, lifecycle state • Inventory health and coverage: completeness, freshness, confidence scoring, ownership mapping, Shadow IT discovery Attack Surface Management (EASM) built on Unified Inventory • External discovery: domains, subdomains, DNS, certificates, IPs, cloud services, internet-facing services • Attribution and ownership mapping: link discovered assets to orgs, subsidiaries, brands, apps, teams, environments • Continuous monitoring: change detection, new exposure alerts, drift tracking, asset lifecycle for external perimeter • External enrichment: tech stack, ASN/provider, geo, certificate relationships, exposure context • Third party and shared infrastructure handling: CDNs, shared hosting, vendors, ambiguous ownership workflows Essential duties and responsibilities • Convert customer and field use cases into product strategy, roadmap themes, epics, user stories, and acceptance criteria • Partner with engineering and architecture on solution design (data model, pipelines, correlation and attribution logic, APIs) and drive delivery from concept through release • Own backlog quality: prioritization, grooming, breaking epics into shippable increments, defining validation and Definition of Done criteria • Drive execution cadence with engineering leadership: sprint readiness, dependencies, tradeoffs, and release planning • Ensure features support real enterprise workflows across SecOps, IT Ops, cloud teams, and GRC, including how teams operationalize EASM findings into ETM outcomes • Define personas and workflows; collaborate with UX on scalable experiences (wireframes, annotations, interaction specifications) • Define and track success metrics: onboarding time, coverage percentage, attribution confidence, dedupe accuracy, reconciliation confidence, alert quality, adoption, and ETM impact • Suppo ... (truncated, view full listing at source)