Threat Exposure Management Analyst

About The Position

Requirements

• 8+ years of experience in vulnerability management, attack surface management, exposure management, offensive security, or closely related disciplines.
• Demonstrated experience leading security programs or initiatives with governance, metrics, and cross-functional stakeholder engagement.
• Strong ability to assess attack paths, exploitability, and business impact beyond CVSS scoring and ticket-based vulnerability tracking.
• Practical experience incorporating threat intelligence and exploit data, including EPSS, CISA KEV, and exploitation-in-the-wild reporting, into prioritization decisions.
• Solid understanding of vulnerabilities and exposures across operating systems, networks, cloud environments, identity platforms, and applications, and how they combine into attack paths.
• Proven ability to drive remediation and influence cross-functional teams without direct authority while balancing security priorities and operational realities.
• Familiarity with the Gartner CTEM model, MITRE ATT&CK, and vulnerability scoring and prioritization standards such as CVSS, EPSS, and CISA KEV.
• Strong written and verbal communication skills with the ability to translate technical exposure into business risk for engineering, governance, and executive audiences.
• You must currently possess valid and unrestricted U.S. work authorization to be considered for this role. Individuals with temporary visas including, but not limited to, F-1 (OPT, CPT, STEM), H-1B, H-2, or TN, or any candidate requiring sponsorship, now or in the future, will not be considered.

Nice To Haves

• Experience working within an enterprise Attack Surface Management function.
• Familiarity with breach-and-attack simulation platforms and offensive security validation techniques.
• Experience managing exception and risk-acceptance processes with formal governance and time-bound review cycles.
• Knowledge of exposure reporting practices for executive, governance, and board-adjacent audiences.
• Experience coordinating remediation campaigns for systemic exposures across large, complex technology environments.

Responsibilities

• Analyze how individual exposures chain into viable attack paths toward critical assets, shifting prioritization from isolated findings to path-based risk.
• Build and operate a threat-informed prioritization model that incorporates exploit availability, active campaigns, and exploitation-in-the-wild indicators to rank exposures by real-world risk.
• Map exposures to crown-jewel assets and critical business services so remediation priorities reflect business impact, not just technical severity; define and report metrics that demonstrate exposure reduction over time, including mean time to remediate by risk tier, attack-path closure, and reduction in exploitable exposure.
• Validate whether prioritized exposures are exploitable and reachable using attack-path analysis, breach-and-attack simulation, and offensive security and penetration testing findings.
• Assess whether existing compensating controls meaningfully reduce likelihood of impact before remediation is mandated; translate red-team, purple-team, and penetration-testing findings into validated exposure priorities.
• Maintain visibility across external, cloud, SaaS, and identity attack surfaces, coordinating with peer teams that own the underlying platforms.
• Drive remediation across infrastructure and security partner teams, including Endpoint, Network, Cloud, and IAM, by establishing ownership, SLAs, and escalation paths for risk that crosses organizational boundaries.
• Produce technical and executive reporting on exposure trends and risk reduction, framed in business-risk terms for governance and senior leadership audiences.

Benefits

• Annual incentive opportunity which may be delivered as a mix of cash bonus and equity awards