About The Position

We are seeking a Sr. Staff Security Researcher who finds and fixes security vulnerabilities — and builds AI-powered automation to do it at scale. This is a hands-on technical role. You will audit source code, discover novel vulnerabilities in UKG's products and infrastructure, develop working proof-of-concept exploits, drive remediation with engineering teams, and build AI-assisted tools that accelerate every phase of that lifecycle. The ideal candidate is someone who has found real bugs in real products, written real exploits, and built real tools — not someone who writes policies about how other people should do those things. You will be expected to produce tangible security outcomes: vulnerabilities found, vulnerabilities fixed, and automation that makes the next round faster.

Requirements

  • 7+ years of hands-on experience in vulnerability research, application security, or penetration testing — with a track record of finding real vulnerabilities in production software
  • Demonstrated ability to read and audit source code in at least two of: Java, C#/.NET, Python, JavaScript/TypeScript, Go, C/C++
  • Experience developing working proof-of-concept exploits — not just scanning, but understanding root causes and proving exploitability
  • Strong proficiency in Python for building security tools, automation pipelines, and integrations
  • Experience with AI/ML tools for security — using LLMs for code analysis, building AI-assisted security tooling, or developing autonomous security agents
  • Deep understanding of common vulnerability classes: injection (SQL, command, LDAP), broken authentication, cryptographic failures, SSRF, deserialization, path traversal, access control, and their variants
  • Experience with vulnerability management programs — triaging, tracking, and driving remediation of vulnerabilities across engineering organizations
  • Ability to work directly with development teams — explaining vulnerabilities, reviewing proposed fixes, and validating remediations
  • Excellent written communication — ability to produce clear vulnerability reports, technical documentation, and executive summaries
  • Bachelor's degree in Computer Science, Cybersecurity, or equivalent experience

Nice To Haves

  • Published CVEs, security advisories, or bug bounty findings in production software
  • Experience in SaaS/multi-tenant environments processing sensitive data (HCM, payroll, healthcare, financial)
  • Familiarity with SAST/DAST/SCA tooling and how to reduce false positive rates through source-level validation
  • Experience with cloud security assessment (AWS, GCP, Azure) including container and Kubernetes vulnerability analysis
  • Familiarity with FedRAMP, NIST SP 800-53, or federal compliance frameworks — enough to understand vulnerability remediation timelines and reporting requirements in regulated environments
  • Security certifications that demonstrate hands-on skill: OSCP, OSWE, GWAPT, GXPN, BSCP, or equivalent
  • Conference presentations, published research, or open-source security tool contributions
  • Experience with reverse engineering, binary analysis, or firmware security

Responsibilities

  • Conduct deep-dive source code audits of UKG products (Java, .NET, Python, JavaScript) to discover novel vulnerabilities — examples could be hardcoded secrets, authentication bypasses, injection flaws, cryptographic weaknesses, access control gaps, unsafe deserialization, etc.
  • Develop working proof-of-concept exploits that demonstrate real impact — not theoretical risk, but provable exploitation with clear data exposure or access escalation
  • Perform variant analysis: when you find a bug, systematically search the entire codebase for every instance of the same root cause pattern
  • Triage and validate findings from automated scanners (SAST, DAST, SCA) — separate real vulnerabilities from false positives using source-level analysis
  • Investigate and reproduce externally reported vulnerabilities (bug bounty, CVEs, vendor advisories) to assess actual exploitability in UKG's environment
  • Collaborate with engineering teams on remediation — not just filing tickets, but working with developers to design and validate fixes and drive them through to remediation
  • Build AI-assisted vulnerability discovery tools using automation (Claude, MCP servers, custom models, etc.) for automated source code analysis, vulnerability pattern matching, and exploit generation
  • Develop autonomous security scanning agents that can analyze codebases, identify vulnerability patterns, and produce validated findings with minimal human intervention
  • Create AI-powered remediation tools — automation that generates fix recommendations, patches, and pull requests for discovered vulnerabilities, accelerating the path from finding to fix
  • Build automated vulnerability lifecycle pipelines: intake from scanners, AI-assisted triage and deduplication, intelligent ticket routing, SLA tracking, and remediation verification
  • Contribute to the team's shared automation repositories and Claude Code skills store — every tool you build should be reusable by the rest of the team
  • Own vulnerability remediation outcomes for assigned product areas — track findings from discovery through verified fix, holding engineering teams accountable to SLAs
  • Produce clear, actionable vulnerability reports that engineering teams can act on immediately — root cause, impact, reproduction steps, and recommended fix
  • Drive mean time to remediate (MTTR) down through better automation, better reports, and direct collaboration with development teams
  • Support vulnerability management program metrics and dashboards — contribute to reporting that gives leadership real-time visibility into risk posture
  • Support compliance-driven vulnerability management requirements, including FedRAMP continuous monitoring and POA&M processes, as UKG expands into federal markets
  • Publish internal/external research on novel vulnerability classes, AI-assisted discovery techniques, and lessons learned from audits
  • Stay current on emerging vulnerability classes, exploitation techniques, and defensive patterns relevant to UKG's technology stack
  • Mentor other team members on vulnerability research methodology, source code analysis, and AI-augmented security tooling

Benefits

  • UKG offers a comprehensive total rewards package including competitive base salary, annual bonus, equity, full medical/dental/vision, 401(k) match, unlimited PTO, and professional development budget.


What This Job Offers

Job Type: Full-time
Career Level: Mid Level
Number of Employees: 5,001-10,000 employees
