Staff Engineer – Vulnerability Management Automation (Platform and Tools - VMs)

About The Position

Requirements

• Strong software engineering background building production services and tooling (Python or Go preferred; TypeScript a plus).
• Deep knowledge of Linux and Windows Server administration and patching in enterprise environments.
• Hands‑on experience with vulnerability scanners and their APIs (Tenable/Nessus, Qualys, Rapid7) and risk models (CVSS, KEV, EPSS).
• Proficiency with configuration management and IaC (Ansible/Puppet/Chef/Salt; Terraform/Pulumi/Crossplane, Helm/Kustomize).
• Experience with event‑driven and batch data pipelines (e.g., Kafka/SNS/SQS/PubSub), relational data stores, and caching.
• Familiarity with cloud (AWS/Azure/GCP), containers/Kubernetes, and image pipelines (e.g., Packer).
• Solid understanding of authN/authZ, secrets management, and least‑privilege access for platforms and automation.
• Excellence in observability and reliability practices (OpenTelemetry/Prometheus/Grafana) with an SLO mindset.
• Strong documentation, communication, and stakeholder management skills.
• 8+ years of professional software or platform engineering experience, including building and operating automation at scale.
• 6+ years administering or engineering for Windows and/or Linux in enterprise environments.
• 4+ years integrating vulnerability scanners and/or building remediation workflows and platforms.
• 3+ years implementing configuration management or hardening frameworks (CIS, STIG) via policy/code.
• Demonstrated leadership driving cross‑team adoption and measurable risk reduction.
• 4+ years of hands-on experience with Azure, OpenStack, AWS, GCP, or other cloud services.
• 2+ years working with open-source frameworks.

Responsibilities

• Define the technical roadmap for vulnerability management and patch automation platforms.
• Establish standards, patterns, and paved roads for scanning, triage, remediation, and verification.
• Mentor engineers across Security and Platform teams on software and systems design best practices.
• Drive design reviews, architecture decisions, and quality gates for reliability and security.
• Design and implement services for asset/CMDB enrichment, risk scoring, and intelligent targeting (by business criticality, exposure, blast radius).
• Build controllers/schedulers for maintenance windows, deployment rings/canaries, pre/post checks, automated backoff/rollback, and progressive delivery.
• Deliver self‑service CLIs/SDKs and internal UIs to request, schedule, and track remediation with clear SLAs and audit trails.
• Implement idempotent, policy‑driven workflows for patching and baseline enforcement across Windows and Linux.
• Integrate with image pipelines (e.g., Packer/golden images) to shift‑left patching and hardening.
• Integrate scanner data (e.g., Tenable/Nessus, Qualys, Rapid7) and external intel (CVSS v3.x, KEV, EPSS) into unified pipelines with deduplication, suppression/exception workflows, and verification.
• Build prioritization engines that combine exploitability, exposure, and business context to drive action.
• Operate and automate patch tooling and package managers (e.g., WSUS/MECM/SCCM, Ansible/Puppet/Chef/Salt, dnf/yum/apt, Winget/MSU) with safety guardrails.
• Enforce CIS Level 1 hardening via policy and code with drift detection and evidence capture.
• Integrate with CMDB and ITSM/ticketing (e.g., Remedy, ServiceNow) for change control, approvals, and auditability.
• Provide APIs/webhooks and event streams for downstream consumers (e.g., SIEM, data lake, dashboards).
• Publish reusable modules, reference implementations, and runbooks to scale adoption.
• Define the technical roadmap for vulnerability management and patch automation capabilities.
• Evaluate and recommend new tools, data sources, and methodologies (e.g., exploit intel, risk models).
• Drive adoption of best practices for scanning, prioritization, and safe remediation across engineering teams.
• Identify opportunities to reduce operational overhead through standardization, policy, and automation.
• Stay current with industry trends and emerging technologies in vulnerability and patch engineering.
• Work closely with Platform/SRE, Security, and application engineering teams to plan and execute safe changes.
• Collaborate with product managers and stakeholders to understand risk, requirements, and timelines.
• Communicate complex technical concepts and trade‑offs to both technical and non‑technical audiences.
• Document architecture decisions, patterns, and best practices; present proposals and updates to leadership.
• Define and track SLOs for patch compliance, time‑to‑remediate by severity, change success rate, and re‑open rate.
• Implement observability (metrics/logs/traces), health checks, and alerting across the platform.
• Ensure resilience through canaries, rate limiting, circuit breakers, retries with backoff, and safe rollbacks.
• Establish disaster recovery strategies and conduct game days/chaos testing for critical workflows.
• Maintain compliance with security and regulatory requirements; ensure usability, reliability, security, and performance.
• Troubleshoot and resolve complex issues; fulfill on‑call responsibilities appropriate to the platform.

Benefits

• We offer compensation and benefits built to enhance your physical well-being, mental and emotional health and financial future.
• Comprehensive Total Rewards program that offers personalized coverage tailor-made for you and your family’s overall well-being.
• Financial benefits including market-competitive compensation; a 401K savings plan vested from day one that offers a 6% match; performance and recognition-based incentives; and tuition assistance.
• Access to additional benefits like mental healthcare as well as fertility and adoption assistance.
• Supports flexibility- We provide workplace flexibility as well as our GEICO Flex program, which offers the ability to work from anywhere in the US for up to four weeks per year.