Lead Vulnerability Analyst
Qualys · Pune · Posted 12 May 2026
Job Description
Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!
About the Role
Qualys is seeking a Lead Vulnerability Analyst to serve as a senior technical leader within the Product Security Incident Response Team (PSIRT). This individual will own the end-to-end lifecycle of vulnerability identification, triage, coordination, and disclosure across the Qualys product portfolio. You will operate at the intersection of security engineering, incident response, and cross-functional program management, ensuring that Qualys products maintain the highest security posture for our global customer base.
This is a high-visibility role requiring deep technical expertise, collaboration, executive communication skills, and the judgment to navigate complex vulnerability scenarios under pressure. You will work closely with Engineering, Product Management, and Security leadership to drive accountability, accelerate remediation, and continuously mature the PSIRT function. This is a role for a mid-career professional that operates like an owner.
Key Responsibilities
Vulnerability Assessment & Incident Coordination
Assess and triage vulnerabilities reported through internal discovery, external researchers, and automated tooling across the Qualys product portfolio of more than 35 products.
Coordinate software incident handling across Engineering, Product, and Security teams in alignment with ISO/IEC 30111 and ISO/IEC 29147 standards.
Lead major incident response for high-severity and zero-day vulnerabilities, managing cross-functional war rooms through resolution.
Detection, Alerting & Trend Analysis
Instrument and operate alerting systems to detect production vulnerabilities in shipped products and services.
Hunt for CVEs and CWEs affecting Qualys components, dependencies, and third-party integrations; identify recurring vulnerability trends and systemic weaknesses.
Enable and manage escalation workflows, ensuring critical findings reach decision-makers with appropriate context and urgency.
Policy, Compliance & SLA Enforcement
Review and enforce security policies governing test automation, build configurations, and production incident handling.
Coordinate the determination of Affected Status for vulnerabilities and their corresponding fix timelines.
Assess engineering requests for security exceptions, documenting risk acceptance decisions and compensating controls.
Hold Product and Engineering teams accountable for patching within defined SLAs, tracking remediation velocity and reporting delinquencies to leadership.
Advisories & Coordinated Vulnerability Disclosure
Author, review, and publish Product Security Advisories (PSAs) in compliance with CSAF VEX format requirements.
Run the Coordinated Vulnerability Disclosure (CVD) process end-to-end, managing relationships with external researchers, CERTs, and industry partners.
Coordinate security testing and validation of compensating controls, fixes, and exploitability status prior to advisory publication.
Toolchain, Process & Continuous Improvement
Support the development and maturation of a best-in-class PSIRT toolchain, including SBOM analysis, SCA, SAST integration, container security, and vulnerability data lake infrastructure.
Continuously improve PSIRT runbooks, standard operating procedures, and playbooks to increase response speed, consistency, customer communications, stakeholder management, and audit-readiness.
Contribute to the design and operationalization of metrics and dashboards that provide leadership visibility into vulnerability posture and remediation trends.
Required Qualifications
7 years of experience in vulnerability management, product security, application security, or security engineering.
3 years of experience leading or operating within a PSIRT, CERT, or comparable incident response function.
Demonstrated leadership in major incident handling, escalation management, and ... (truncated, view full listing at source)