Security Engineer – Attack Surface Management (ASR)

Exegy•St. Louis, MO

About The Position

We are seeking a hands-on Security Engineer – ASR to own and mature our vulnerability management program with a clear mandate to reduce real organizational risk and shrink our attack surface. This role goes beyond scanning and reporting—success is measured by fewer exploitable weaknesses, faster remediation, and sustained risk reduction over time. The ideal candidate is analytical, persistent, and pragmatic, with the ability to translate vulnerability data into clear, risk-based prioritized actions that engineering and /or IT teams can execute.

Requirements

3+ years of hands-on experience in security engineering, vulnerability management, or a closely related discipline
Strong working knowledge of common vulnerability classes, exploitation techniques, and attacker methodologies
Solid foundation in operating systems, networking concepts, and cloud fundamentals
Experience using vulnerability scanning, detection, and security monitoring tools to identify and assess risk
Demonstrated ability to prioritize remediation efforts based on business and technical risk rather than raw finding volume
Familiarity with how vulnerabilities map real-world attack techniques and threat models
Working knowledge of widely adopted security frameworks and control sets (e.g., MITRE ATT&CK, NIST CSF, ISO 27001, CIS Controls)
Ability to contextualize vulnerability findings within broader security, operational, and compliance considerations
Capable of clearly documenting vulnerability findings, risk rationale, and remediation guidance
Effective in working with engineering, infrastructure, and IT teams to drive timely remediation
Comfortable translating technical findings into actionable work items and recommendations

Nice To Haves

Experience operating in lean or resource-constrained environments where prioritization and pragmatism are critical
Exposure to integrating vulnerability findings into ticketing, backlog management, or ITSM workflows
Relevant security certifications (e.g., Security+, CEH, CISSP) or equivalent practical experience are beneficial but are not required

Responsibilities

Own the end-to-end vulnerability lifecycle: discovery, prioritization, remediation tracking, and validation
Maintain accurate asset and exposure visibility across endpoints, servers, cloud workloads, SaaS, and internet-facing systems
Perform regular vulnerability scanning and ad-hoc assessments
Prioritize remediation based on real-world risk, considering: Exploitability and threat intelligence Asset criticality and business impact Exposure (internet-facing, privileged systems, sensitive data)
Reduce vulnerability noise by deduplicating findings and focusing teams on what matters most
Track remediation progress and validate fixes
Identify and eliminate: Unmanaged or unknown assets Legacy systems with chronic vulnerabilities Misconfigurations that expand attack surface
Partner with IT and Engineering to: Improve patching cadence Enforce secure configuration baselines Reduce recurring vulnerability patterns
Recommend compensating controls where remediation is not immediately feasible
Conduct targeted threat analysis and light threat hunting to identify exploitation attempts and abnormal authentication or privilege activity
Feed threat intelligence and observed attacker behavior back into vulnerability prioritization
Improve detection, hardening, and prevention based on findings
Work closely with IT, Engineering, and Infrastructure teams to drive remediation outcomes
Translate technical vulnerabilities into clear, actionable risk statements
Provide leadership with concise, outcome-focused metrics and trend reporting
Contribute to security standards, procedures, and operational improvements