Vulnerability Management Analyst

About The Position

Requirements

• 1-3 years of experience in cybersecurity operations, vulnerability management, security operations, cyber GRC, IT operations, application support, or related technical/security work.
• Hands-on exposure to Tenable/Nessus vulnerability data, including plugins, CVEs, severity, affected assets, plugin output, first-seen/last-seen dates, and remediation guidance.
• Ability to run authorized ad hoc Tenable/Nessus scans using approved scan templates, target lists, credentials, scan windows, and documented rules of engagement.
• Ability to create or maintain Tenable/Nessus dashboards, saved filters, reports, and exports for vulnerability review and remediation tracking.
• Ability to work with vulnerability exports from Tenable/Nessus and organize findings in Excel, Power BI, SharePoint, Jira, ServiceNow/CA ServiceDesk, or similar tools.
• Working understanding of vulnerability management concepts such as severity, KEV, CVE, false positive, remediation evidence, rescan validation, aging, ownership, dependencies, risk acceptance, and due dates.
• Intermediate Power BI or reporting experience, including data imports, transformations, tables, charts, filters, slicers, and dashboard maintenance.
• Strong Excel skills, including filtering, lookups, pivots, conditional formatting, data cleanup, and comparison across exports.
• Ability to communicate clearly with technical teams and non-technical stakeholders about finding status, blockers, evidence, and next steps.
• Strong attention to detail and willingness to reconcile messy data across multiple sources.
• Think analytically, effective verbal and written communication skills, make decisions, observe/remember details, interpret data, concentrate on tasks, adjust to change, handle stress/emotions.
• Regular attendance, maintain work schedule, attend meetings, meet deadlines, keyboard/type, handle confidential information, use math/calculations, stay organized, operate office equipment, may direct others.

Nice To Haves

• Familiarity with iPost, Tenable/Nessus, ServiceNow, Jira, ServiceDesk, SharePoint, Power BI, Splunk, or similar reporting/security tools.
• Exposure to application development, product teams, DevSecOps, SAST, SCA, DAST, container scanning, secrets scanning, or SBOM tooling.
• Experience tracking EOL/EOS software, patch compliance, POA&M aging, remediation exceptions, risk acceptance, or closure evidence.

Responsibilities

• Perform and Review Tenable/Nessus scan exports and dashboards to identify affected assets, plugins, CVEs, severity, first-seen dates, last-seen dates, plugin output, vulnerability age, and remediation guidance.
• Run approved ad hoc Tenable/Nessus scans when requested by Security, product teams, ISSO, or leadership, using approved scan templates, credentialed scan profiles, scan windows, and target lists.
• Create and maintain Tenable/Nessus native dashboards, saved views, reports, filters, asset groups/tags where permitted, and recurring exports for KEVs, Critical/High findings, stale findings, aging, ownership, and validation status.
• Monitor scan jobs, confirm scan completion, export results, identify scan failures or credential issues, and escalate scan coverage or authentication problems to senior security staff or platform administrators.
• Help validate whether findings are true positives, duplicates, stale/residual artifacts, configuration issues, missing patches, unsupported software, or application dependencies.
• Use Tenable/Nessus evidence to support ownership assignment, remediation planning, retest validation, and closure evidence.
• Reconcile Tenable/Nessus data against iPost, ServiceNow/CA ServiceDesk, Jira, POA&M trackers, Excel files, SharePoint trackers, and remediation evidence.
• Escalate unclear Tenable/Nessus findings to senior security staff, system owners, application teams, SO/Windows Services, infrastructure, database teams, or ISSO stakeholders for ownership decisions.
• Operate within approved rules of engagement. The role may run authorized ad hoc scans and build Tenable reports, but is not expected to be the enterprise Tenable platform administrator or final approver for scan policy changes.