Vulnerability Analyst II

Koniag Government Services, LLCWashington, DC
$110,000 - $136,888Onsite

About The Position

Koniag Data Solutions, LLC, a Koniag Government Services company, is seeking a Vulnerability Analyst II to support KDS and our government customer in Washington, DC. This position requires the candidate to be able to obtain a Public Trust. We offer competitive compensation and an extraordinary benefits package including health, dental and vision insurance, 401K with company matching, flexible spending accounts, paid holidays, three weeks paid time off, and more. Koniag Data Solutions, a Koniag Government Services company, is seeking a skilled and experienced Vulnerability Analyst II to support the U.S. Small Business Administration (SBA). The ideal candidate is a mid-level cybersecurity professional with solid experience in vulnerability management, security assessment, and risk analysis within federal government IT environments. This individual will play a key role in identifying, analyzing, and tracking vulnerabilities across SBA's enterprise IT environment, working closely with system owners, IT operations teams, and the broader cybersecurity program to ensure timely and effective remediation of security weaknesses and maintenance of a strong security posture. The Vulnerability Analyst II will serve as a mid-level vulnerability management professional responsible for conducting vulnerability assessments, analyzing scan results, tracking remediation activities, and supporting the continuous improvement of SBA's vulnerability management program.

Requirements

  • Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or a related field from an accredited college or university.
  • 3+ years of progressive experience in vulnerability management, security assessment, or a closely related cybersecurity field, with demonstrated hands-on experience conducting vulnerability assessments and supporting vulnerability management programs within a federal government or large enterprise IT environment.
  • Demonstrated experience using enterprise vulnerability scanning platforms such as Tenable Nessus, Tenable.io, Qualys, or equivalent tools to conduct vulnerability assessments across diverse IT environments.
  • One or more of the following certifications: CompTIA Security+, CompTIA CySA+, GIAC Security Essentials (GSEC), Tenable Certified Security Engineer (TCSE) or Tenable.io Certification, Certified Information Systems Security Professional (CISSP), GIAC Certified Enterprise Defender (GCED).
  • Strong communication skills in English – both written and oral – with the ability to clearly communicate vulnerability findings, risk assessments, remediation recommendations, and program status to diverse audiences, including technical staff, system owners, program managers, and senior SBA leadership.
  • Solid hands-on experience planning, configuring, and executing vulnerability scans across diverse IT environments using enterprise vulnerability scanning platforms, with demonstrated ability to interpret scan results accurately and assess real-world vulnerability risk.
  • Strong understanding of common vulnerability scoring systems, including CVSS v3.x, and the ability to apply CVSS scores in conjunction with threat context, asset criticality, and exploit availability to develop risk-informed vulnerability prioritization recommendations.
  • Knowledge of common vulnerability types affecting enterprise IT environments, including operating system vulnerabilities, application vulnerabilities, web application vulnerabilities, network device vulnerabilities, database vulnerabilities, and cloud service misconfigurations.
  • Experience conducting configuration compliance assessments using CIS Benchmarks, DISA STIGs, and other security configuration baselines, with the ability to identify configuration weaknesses and develop practical remediation recommendations.
  • Familiarity with federal vulnerability management frameworks, guidelines, and compliance requirements, including NIST SP 800-40, NIST SP 800-53, FISMA, and applicable CISA BODs and EDs governing vulnerability management and patch management activities.
  • Experience developing vulnerability management reports, dashboards, and metrics that effectively communicate vulnerability posture, remediation progress, and risk trends to diverse stakeholder audiences.
  • Ability to coordinate effectively with system owners, IT operations teams, and application teams to communicate vulnerability findings, provide remediation guidance, track remediation progress, and validate remediation effectiveness.
  • Familiarity with POA&M management concepts and experience supporting the integration of vulnerability management findings into POA&M tracking and reporting processes within a federal government environment.
  • Knowledge of patch management concepts and processes, including an understanding of common patching tools and methodologies used in enterprise IT environments to remediate identified vulnerabilities.
  • Basic familiarity with threat intelligence concepts and the ability to incorporate vulnerability-relevant threat intelligence, including the CISA KEV catalog and NVD data, into vulnerability prioritization and remediation planning activities.
  • Strong organizational skills and attention to detail, with the ability to manage multiple concurrent vulnerability assessment and remediation tracking activities accurately and efficiently in a fast-paced federal environment.
  • Ability to obtain and maintain a Public Trust Clearance.

Nice To Haves

  • 5+ years of vulnerability management experience, with a strong background supporting federal civilian agency vulnerability management programs.
  • Prior experience supporting SBA or other federal civilian agency vulnerability management programs.
  • Certified Ethical Hacker (CEH) or equivalent offensive security certification demonstrating foundational penetration testing knowledge.
  • Prior experience supporting SBA or other federal civilian agency vulnerability management programs, with demonstrated knowledge of agency-specific vulnerability management processes, tools, and reporting requirements.
  • Experience conducting vulnerability assessments and configuration compliance assessments for cloud-hosted assets and services in AWS, Azure, or GCP environments, including familiarity with cloud-native security assessment tools and cloud-specific vulnerability types and misconfigurations.
  • Familiarity with web application vulnerability assessment concepts and tools, including OWASP Top 10 vulnerability categories and basic web application scanning tools such as Burp Suite, OWASP ZAP, or equivalent.
  • Experience with vulnerability management automation, including proficiency in scripting languages such as Python or PowerShell for automating scan scheduling, result parsing, reporting, and remediation tracking workflows.
  • Knowledge of the CDM (Continuous Diagnostics and Mitigation) program tools and data requirements, and the integration of CDM vulnerability management capabilities into agency vulnerability management programs.
  • Experience with asset management and asset discovery tools and their integration with vulnerability management platforms to ensure comprehensive scanning coverage across complex enterprise IT environments.
  • Familiarity with container and Kubernetes security assessment concepts, including common container vulnerabilities and misconfigurations and tools used to assess container image and runtime security.
  • Experience supporting FedRAMP authorized cloud environments and familiarity with FedRAMP vulnerability scanning requirements and continuous monitoring obligations as they apply to cloud-hosted systems and services.
  • Knowledge of supply chain risk management (SCRM) concepts and their relationship to vulnerability management, including awareness of software bill of materials (SBOM) concepts and their application in identifying and managing software supply chain vulnerabilities.
  • Familiarity with threat modeling methodologies and their application in informing vulnerability prioritization and risk assessment activities within a federal agency vulnerability management program.
  • Experience developing and delivering vulnerability management training materials and briefings to system owners, IT operations staff, and other stakeholders to build organizational awareness and capability in vulnerability remediation and risk management.

Responsibilities

  • Plan, configure, and execute vulnerability scans across SBA's enterprise IT environment, including network infrastructure, servers, workstations, web applications, databases, and cloud-hosted assets, using enterprise vulnerability scanning platforms such as Tenable Nessus, Tenable.io, Qualys, or equivalent tools.
  • Analyze and interpret vulnerability scan results, applying knowledge of common vulnerability scoring systems (CVSS), exploit availability, asset criticality, and threat context to accurately assess the real-world risk posed by identified vulnerabilities and prioritize remediation activities accordingly.
  • Develop and maintain comprehensive vulnerability management reports, dashboards, and metrics, providing SBA leadership, system owners, and IT operations teams with clear visibility into the current vulnerability posture, remediation progress, and trending risk levels across SBA's enterprise environment.
  • Coordinate with system owners, IT operations teams, and application teams to communicate identified vulnerabilities, provide technical remediation guidance, track remediation activities, and validate the effectiveness of applied patches, configuration changes, and mitigations.
  • Support the development and maintenance of SBA's vulnerability management program documentation, including vulnerability management policies, procedures, scanning methodologies, and remediation tracking processes, ensuring alignment with NIST SP 800-40, federal vulnerability management guidance, and CISA BODs and EDs.
  • Assist in the integration of vulnerability management activities with SBA's POA&M program, ensuring identified vulnerabilities are accurately documented, tracked, and reported within the POA&M framework in accordance with FISMA and SBA security requirements.
  • Conduct configuration compliance assessments using security configuration baselines such as CIS Benchmarks and DISA STIGs, identifying configuration weaknesses and deviations from approved baselines across SBA's system portfolio and coordinating remediation activities with IT operations teams.
  • Support the assessment and documentation of vulnerability risk exceptions and remediation deadline extension requests, evaluating the technical justification and compensating controls proposed by system owners and preparing risk acceptance documentation for review by senior security staff.
  • Monitor and analyze vulnerability and threat intelligence from government and commercial sources, including CISA KEV (Known Exploited Vulnerabilities) catalog, NVD, US-CERT advisories, and commercial threat intelligence feeds, to identify emerging vulnerabilities and active exploit campaigns relevant to SBA's technology environment and prioritize response activities accordingly.
  • Collaborate with the SOC team to correlate vulnerability data with threat intelligence and active security monitoring findings, supporting a risk-informed approach to vulnerability prioritization and enabling more effective detection and response to exploitation attempts.
  • Support penetration testing activities by providing vulnerability data, scan results, and asset inventory information to support scoping and planning of penetration test engagements and assisting in the validation of penetration test findings against known vulnerability data.
  • Assist in the development and maintenance of SBA's asset inventory and asset management program, ensuring accurate and current records of SBA's IT assets, system configurations, and software inventory to support comprehensive vulnerability scanning coverage and risk analysis.
  • Prepare and deliver vulnerability management briefings, status reports, and technical presentations to SBA stakeholders, clearly communicating vulnerability findings, remediation status, risk levels, and program performance metrics.
  • Support vulnerability management activities for cloud-hosted assets and services, including the configuration and execution of cloud vulnerability scans and the assessment of cloud-specific security misconfigurations and vulnerabilities across AWS, Azure, and/or GCP environments.
  • Contribute to the continuous improvement of SBA's vulnerability management program, identifying opportunities to enhance scanning coverage, remediation tracking efficiency, reporting quality, and overall program effectiveness.

Benefits

  • health, dental and vision insurance
  • 401K with company matching
  • flexible spending accounts
  • paid holidays
  • three weeks paid time off
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service