About The Position

The Associate Security Consultant - Vulnerability Management is a critical role within Stratascale’s Adversarial Operations Group, assigned to the Vulnerability Management team. This individual will assist in leading and supporting the development and delivery of a diverse range of exposure management consulting, Vulnerability Management as a Service (VMaaS), and operational service programs to a portfolio of our clients.

Requirements

  • Experience with Vulnerability Management tools such as Tenable, Rapid7, Qualys, and Tanium to support day-to-day VMaaS delivery activities including scanning, asset management, and reporting. - Foundational to Intermediate
  • Familiarity with offensive security methodologies and frameworks such as PTES, OWASP (WSTG/MASVS/ASVS), MITRE ATT&CK, and threat modeling to support risk-based testing. - Foundational to Intermediate
  • Ability to develop exploit proofs-of-concept, reproduce vulnerabilities reliably, and support fix validation; familiarity with exploit development fundamentals is a plus. - Foundational
  • Reporting and communication skills, including writing technical reports with reproducible steps, risk ratings, and actionable remediation, and contributing to executive summaries with guidance; able to present findings to both technical and non-technical stakeholders. - Intermediate
  • Familiarity with vulnerability management workflows, responsible disclosure practices, and integration of pen test results into remediation programs and retesting cycles. - Foundational to Intermediate
  • Proficiency with productivity and documentation tools such as Word, Excel, PowerPoint, and Outlook to produce test plans, findings reports, and final deliverables. - Intermediate
  • Completed Bachelor’s Degree in a related field or relevant work experience required.
  • 1–3 years of hands-on penetration testing or vulnerability management experience, including exposure to engagements supporting mid-to-large enterprise environments.
  • Ability to travel to SHI, Partner, and client events, and on-site testing engagements as needed.
  • Demonstrated understanding of legal/ethical considerations, testing authorization, and safe handling of client data.

Nice To Haves

  • Experience supporting penetration tests across networks, web and mobile applications, APIs, wireless, and cloud environments, including participation in scoping, rules of engagement, and debriefs. - Foundational to Intermediate
  • Familiarity with assessing cloud services (AWS, Azure, GCP) including IAM misconfigurations, storage, serverless, container/orchestration, and cloud networking, with an ability to communicate cloud-specific remediation guidance. - Foundational
  • Web application testing skills including auth flows, access control, injection, deserialization, SSRF, XXE, business logic abuse, and modern app architectures (SPAs, microservices, GraphQL, WebSockets). - Foundational to Intermediate
  • Familiarity with social engineering and phishing engagements, including payload development, infrastructure setup, pretexting, and measurement aligned to customer policies and legal constraints. - Foundational
  • Foundational scripting and automation skills to support testing and proof-of-concept development using Python, PowerShell, Bash, and basic Go or JavaScript as needed. - Foundational to Intermediate
  • Working knowledge of Active Directory and Azure AD attack paths (Kerberoasting, constrained/unconstrained delegation, ACL abuses, LAPS/MAPS, certificate services) and exposure to simulating enterprise attack chains. - Foundational
  • Hands-on experience with common offensive tooling and techniques, including reconnaissance, enumeration, exploitation, post-exploitation, lateral movement, and data exfiltration, along with foundational operational security practices. - Foundational to Intermediate
  • Familiarity with red/purple team exercises and working alongside blue teams to translate findings into detection and hardening recommendations (e.g., SIEM detections, EDR tuning, hardening baselines). - Foundational
  • Industry certifications preferred (e.g., CPTS, OSCP, PNPT, Security+, CySA+, or vendor-specific VM certifications).

Responsibilities

  • Conduct day-to-day VMaaS activities, including vulnerability scanning, asset discovery, scan policy configuration, and reporting.
  • Independently conduct Attack Surface Control (ASC) engagements for a variety of clients, including the use of automated tools and manual micro-penetration testing.
  • With guidance from more senior consultants, monitor automated penetration testing tooling to identify and validate security weaknesses.
  • Perform validation of vulnerability findings to eliminate false positives and determine actual risk.
  • Collaborate with the penetration testing team to conduct further deep-dive testing as needed based on vulnerability discoveries.
  • Consult and document attack surface, threats, and vulnerability improvements based on the team’s overall assessment of the client’s environment.
  • Perform assessment and threat modeling against industry best practices to identify control weaknesses and assess the effectiveness of existing controls.
  • Perform root cause analysis on identified vulnerabilities and attack surface weaknesses to determine technical solutions to be presented to the client, along with recommendations for remediation.
  • With guidance from more senior security consultants, collaborate with the client’s security teams to understand mitigation or resolutions for findings discovered by analysts.
  • Review threat intelligence provided by Stratascale Cyber Threat Intelligence (CTI) for specific threat vectors that align with the client's industry or could potentially impact the client, using attack path modeling.
  • Assist in defining, measuring, and quantifying business risk and vulnerability impacts to clients and their stakeholders.
  • With guidance from more senior security consultants, provide technical support on remediation, cloud security, governance, compliance, and core infrastructure systems.
  • With guidance from more senior security consultants, assist customers with strategies, use of platforms, technical and compliance analysis, and implementing automation.
  • Execute consulting projects by creating and completing deliverables, ensuring client needs and practice obligations are met.
  • Participate in customer and internal meetings as required, providing technical guidance and facilitating discussions.
  • Stay educated on new product technologies, industry trends, and emerging capabilities within the practice.

Benefits

  • medical
  • vision
  • dental
  • 401K
  • flexible spending