Manager, Cybersecurity Strategy and Risk

About The Position

Requirements

• Proven offensive security operator who builds teams, not just finds bugs. You have led or built red team programs, not just executed engagements. You know how to hire offensive engineers, define scope, manage rules of engagement, and translate findings into engineering action.
• Agentic AI as an offensive weapon, not a buzzword. Hands-on experience with AI-powered offensive tooling, agentic pen testing platforms, or autonomous exploit generation. You know the difference between a scanner with an AI label and a system that reasons about attack paths.
• Source code analysis depth beyond scanning. You find vulnerabilities through semantic analysis, not pattern matching. You read code, reason about exploitability, and build proof-of-concept exploits across multiple languages.
• You understand the vulnerability classes that matter for identity platforms: authentication flow weaknesses, authorization logic flaws, entitlement calculation errors, and tenant isolation failures.
• AI/LLM attack surface expertise. You have tested adversarial attacks against AI systems, prompt injection, goal redirection, RAG poisoning, model supply chain compromise, or agentic scope escape. You know OWASP Top 10 for LLM Applications, MITRE ATLAS, and NIST AI RMF as applied to offensive testing.
• Chain analysis and multi-step exploitation thinking. You think in attack paths, not individual findings. When you find a medium-severity issue, your instinct is to ask what it enables when combined, not to file it and move on.
• Communication that drives engineering action. You write exploitation narratives that a VP of Engineering reads and acts on. You present to executives without losing technical credibility. A finding without a remediation path and a business impact statement is a finding that gets deprioritized, and you know that.
• Identity and access management domain knowledge. OAuth/OIDC/SAML weaknesses, entitlement edge cases, tenant isolation boundaries, privilege escalation through identity chaining. Prior experience testing identity platforms or IAM products is strongly preferred.
• 5+ years of offensive security experience with at least 2 years in a team lead or management role
• Demonstrated experience with agentic or AI-powered offensive security tooling in a production program
• Hands-on proficiency in at least two of: application pen testing, source code security review, cloud security assessment, AI/LLM adversarial testing
• Experience operating in or building a red team program at a SaaS or platform company
• Strong written communication, you will produce exploitation chain documentation that drives executive decisions
• Bachelor's degree in a relevant field or equivalent experience

Responsibilities

• Assess and Design: Complete a comprehensive review of the identity platform architecture, existing security practices, and current attack surface. Outline the optimal Red Team structure and identify critical hires based on the program's mandate for agentic AI and continuous testing. Deliver an initial strategic vision and program roadmap, clearly distinguishing this program from traditional penetration testing.
• Build & Prepare: Open recruiting pipelines and begin actively sourcing, screening, and extending offers for initial Red Team members. Draft rules of engagement in collaboration with Product Security and Engineering leadership. Complete a preliminary attack surface map of the core identity platform, prioritizing AI product features and agentic orchestration layers. Formalize the CISO Red Team partnership with a quarterly cadence for method transfer, tooling configurations, and attack playbooks.
• Initialize & Execute: Formally define initial scope and target areas, prioritizing identity platform core and AI features. Select, deploy, and configure at least one agentic offensive security platform for autonomous source code analysis or vulnerability chaining. Plan and execute the first short-cycle adversarial campaign, establishing initial operational processes. Stand up preliminary threat intelligence integration for identity platforms, SaaS infrastructure, and AI/ML attack techniques.
• Scale & Formalize: At least 50% of target headcount onboarded and actively contributing to adversarial campaigns with demonstrated proficiency in agentic AI tooling. Minimum three distinct continuous adversarial campaigns executed, including dedicated AI product feature testing, producing actionable findings. Minimum two detailed exploitation narratives resulting in concrete secure design improvements or SSDLC changes by engineering teams. CISO Red Team proving ground fully established, including at least one joint adversarial exercise completed.
• Full Maturity & Impact: Full team operational capacity with agentic AI as a core capability, not a supplement. Overnight autonomous campaigns running continuously, delivering prioritized findings daily at 3–5x coverage of team size. Measurable reduction in high-severity vulnerabilities driven by Red Team findings feeding secure design improvements, threat model updates, and SSDLC enhancements. Attack methodology continuously reflecting current real-world TTPs, APT campaigns targeting identity providers, supply chain compromise vectors, and emerging AI-specific attack techniques.

Benefits

• Health and wellness coverage: Medical, dental, and vision insurance
• Disability coverage: Short-term and long-term disability
• Life protection: Life insurance and Accidental Death & Dismemberment (AD&D)
• Additional life coverage options: Supplemental life insurance for employees, spouses, and children
• Flexible spending accounts for health care, and dependent care; limited purpose flexible spending account
• Financial security: 401(k) Savings and Investment Plan with company matching
• Time off benefits: Flexible vacation policy
• Holidays: 8 paid holidays annually
• Sick leave
• Parental support: Paid parental leave
• Employee Assistance Program (EAP) and Care Counselors
• Voluntary benefits: Legal Assistance, Critical Illness, Accident, Hospital Indemnity and Pet Insurance options
• Health Savings Account (HSA) with employer contribution
• SailPoint Corporate Bonus Plan or a role-specific commission
• Potential eligibility for equity participation