Senior Vulnerability Analyst
Qualys · Pune · Posted 12 May 2026
Job Description
Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!
About the Role
Qualys is seeking a Senior Vulnerability Analyst to join the Product Security Incident Response Team (PSIRT) as a hands-on technical practitioner. Reporting to the Lead Vulnerability Analyst, you will execute the day-to-day work of vulnerability discovery, triage, analysis, and remediation tracking across a product portfolio of more than 35 products. Where the Lead owns program-level strategy, cross-functional accountability, and executive communications, this role is responsible for the depth and rigor of the technical analysis that underpins every PSIRT decision.
This is an individual contributor role for a mid-career security professional who thrives in the details: reviewing source code to assess exploitability, writing precise advisories, building detection logic, and driving engineering teams toward timely remediation. You will work across the full vulnerability lifecycle, from initial intake through coordinated disclosure, and contribute directly to the tools, automation, and processes that make the PSIRT function scale.
Key Responsibilities
Vulnerability Analysis & Triage
Perform deep technical analysis of reported vulnerabilities, including root-cause investigation, exploitability assessment, CVSS and SSVC scoring, and impact determination across affected products.
Triage incoming vulnerability reports from internal scanners, SCA tooling, external researchers, and coordinated disclosure channels, ensuring accurate classification and priority assignment.
Analyze source code in C/C++, Java, and web application frameworks to validate vulnerability findings and assess the effectiveness of proposed fixes.
Support major incident response efforts led by the Lead Vulnerability Analyst, providing technical depth during war-room triage of high-severity and zero-day vulnerabilities.
Detection, Monitoring & Threat Hunting
Build and maintain alerting rules and detection automation to identify known and emerging vulnerabilities in production products and services.
Continuously hunt for CVEs and CWEs affecting Qualys components, third-party dependencies, and container base images; document findings with reproducible analysis.
Monitor public vulnerability databases, threat intelligence feeds, and researcher disclosures to proactively identify exposure across the product portfolio.
Investigate vulnerability trends and systemic weakness patterns; surface findings to the Lead Vulnerability Analyst to inform program-level priorities.
Coordinate with counterparts in Security Operations, including CERT
Remediation Tracking & SLA Compliance
Track engineering remediation efforts against defined patching SLAs, maintaining accurate status records for every open vulnerability across product teams.
Coordinate the determination of Affected Status for vulnerabilities and their corresponding fix timelines, working directly with product engineering owners.
Review security exception requests, documenting technical justifications, compensating controls, and residual risk for Lead review and approval.
Prepare SLA conformance reports and delinquency summaries for leadership review.
Advisory Authoring & Coordinated Disclosure
Draft customer-facing Product Security Advisories (PSAs), ensuring technical accuracy, completeness, and consistency with PSIRT editorial standards.
Coordinate with security testing teams to validate compensating controls, verify fix effectiveness, and confirm exploitability status prior to advisory publication.
Support the Coordinated Vulnerability Disclosure (CVD) process by managing researcher communications, tracking disclosure timelines, and preparing disclosure packages under the direction of the Lead.
Toolchain & Process Improvement
Develop and enhance PSIRT tooling, including SCA and SAST integration workflows, SBOM analysis pipelines, contain ... (truncated, view full listing at source)