Vulnerability Management Lead
Saronic Technologies is a leader in revolutionizing autonomy at sea, dedicated to developing state-of-the-art solutions that enhance maritime operations through autonomous and intelligent platforms.

Job Overview

We're looking for a hands-on Vulnerability Management Lead to own Saronic's VM program end-to-end. You will be the technical authority for vulnerability discovery, triage, prioritization, remediation, and reporting across our entire environment — cloud, on-prem, embedded systems, and classified infrastructure. This is an individual contributor role with significant operational and strategic ownership: you'll build and run the program, drive accountability across engineering teams, and shape the long-term VM posture as Saronic scales.

You're a doer first. You're also someone who can step back, think about the program architecturally, and communicate risk clearly to leadership. The right person for this role has strong opinions about how VM should work, isn't afraid to push for remediation ownership across the org, and sees automation as the path to scale.

Responsibilities

Vulnerability Operations
- Own end-to-end vulnerability lifecycle: discovery, validation, prioritization, remediation tracking, exception management, and verification across cloud, on-prem, container, and embedded Linux environments
- Operate and optimize enterprise vulnerability scanning platforms for continuous credentialed scanning across servers, endpoints, network devices, containers, and cloud assets; maintain coverage, schedules, and configuration audit policies
- Integrate vulnerability scanning into CI/CD pipelines to harden build workflows, enforce least-privilege controls, and surface supply chain risks before they reach production
- Leverage AI-assisted scanning and graph-based enrichment pipelines to accelerate triage, map lateral exposure paths, and prioritize findings by exploitability and mission impact
- Correlate findings across tools to eliminate noise, reduce false positives, and surface the vulnerabilities that actually matter

Prioritization & Remediation Leadership
- Apply CVSS, CISA KEV, exploit maturity, and asset exposure context — including internet-facing systems, privileged access paths, and classified adjacency — to drive risk-based SLAs and remediation sequencing
- Partner with software and platform engineering teams to drive timely remediation; own escalation paths for aging critical and high findings
- Lead critical CVE response: rapid triage, impact assessment, containment guidance, and stakeholder communication for zero-days and actively exploited vulnerabilities
- Govern exception management: risk acceptance with compensating controls, time-bound approvals, and periodic review cycles
- Coordinate patching windows and change management across Windows, Linux, network devices, and cloud services

Compliance & Reporting
- Align the VM program to CMMC Level 2/3 requirements; produce audit-ready evidence, POA&Ms, and control effectiveness documentation
- Deliver executive and operational reporting: exposure trends, SLA performance, mean time to remediate, patch coverage, and remediation velocity
- Support CMMC assessments and audits with clean, well-documented vulnerability data and remediation history
- Maintain asset inventory hygiene and scan coverage metrics; ensure classified and sensitive system boundaries are respected in tooling and data handling

Program Maturity & Automation
- Build and mature automation for scan scheduling, finding enrichment, ticket creation, SLA tracking, and reporting — reducing manual overhead as the program scales
- Define and refine VM policies, procedures, and playbooks including critical CVE response runbooks and patch cadence standards
- Evaluate and recommend tooling improvements; drive integration across the vulnerability management and broader security stack
- Mentor and support analysts as the team grows; run tabletop exercises for vulnerability and patching scenarios

Qualifications
- 5+ years in cybersecurity with 3+ years of hands-on vulnerability management ownership in hybrid on-prem/cloud environments
- Deep operational expertise with enterprise vulnerability scanning platforms — credentialed scanning, policy tuning, coverage management, and integration with downstream workflows
- Strong command of CVE/CVSS scoring, CISA KEV, exploit maturity indicators, and the ability to translate technical risk into business impact for non-technical stakeholders
- Experience with CI/CD security tooling and supply chain risk management, including build pipeline security principles
- Proven track record driving remediation accountability across engineering teams — you know how to get vulnerabilities closed, not just reported
- Experience aligning VM programs to federal or defense compliance frameworks; CMMC, NIST SP 800-171, or NIST RMF experience strongly preferred
- Metrics-driven: comfortable owning exposure reduction KPIs, SLA adherence, MTTR, and patch coverage dashboards
- Clear, direct communicator — equally effective in a technical deep-dive and an executive briefing
- Security clearance eligibility

Preferred Qualifications
- Active Secret or TS clearance, or prior clearance history
- Experience with AI-assisted vulnerability tooling, graph-based asset and exposure analysis, or automated enrichment pipelines
- Experience with CI/CD pipeline security hardening platforms
- Experience operating in classified or air-gapped environments
- Scripting or automation experience (Python, PowerShell, or Bash) for scan orchestration, data normalization, API integrations, and reporting pipelines
- Experience with container and cloud-native vulnerability management using CSP-native security tooling
- Familiarity with NIST SP 800-218 (Secure Software Development Framework) and software supply chain security frameworks
- Relevant certifications: CISSP, CySA+, GCSA, GCPN, Security+, or equivalent

Physical Demands
- Prolonged periods of sitting at a desk and working on a computer
- Occasional standing and walking within the office
- Manual dexterity to operate a computer keyboard, mouse, and other office equipment
- Visual acuity to read screens, documents, and reports
- Occasional reaching, bending, or stooping to access file drawers, cabinets, or office supplies
- Lifting and carrying items up to 20 pounds occasionally (e.g., office supplies, packages)

Benefits
- Medical Insurance: Comprehensive health insurance plans covering a range of services
  - Saronic pays 100% of the premium for employees and 80% for dependents
- Dental and Vision Insurance: Coverage for routine dental check-ups, orthodontics, and vision care
  - Saronic pays 100% of the premium under the basic plan for employees and 80% for dependents
- Time Off: Generous PTO and Holidays
- Parental Leave: Paid maternity and paternity leave to support new parents
- Competitive Salary: Industry-standard salaries with opportunities for performance-based bonuses
- Retirement Plan: 401(k) plan with company match
- Stock Options: Equity options to give employees a stake in the company’s success
- Life and Disability Insurance: Basic life insurance and short- and long-term disability coverage
- Pet Insurance: Discounted pet insurance options including 24/7 Telehealth helpline
- Additional Perks: Free lunch benefit and unlimited free drinks and snacks in the office

Saronic CCPA Notice for Candidates and California Employees

If this role is based in the United States, it requires access to export-controlled information or items that require “U.S. Person” status. As defined by U.S. law, individuals who are any one of the following are considered to be a “U.S. Person”: (1) U.S. citizens, (2) legal permanent residents (a.k.a. green card holders), and (3) certain protected classes of asylees and refugees, as defined in 8 U.S.C. 1324b(a)(3).

Saronic does not discriminate on the basis of race, sex, color, religion, age, national origin, marital status, disability, veteran status, genetic information, sexual orientation, gender identity or any other reason prohibited by law in provision of employment opportunities and benefits.
We are also committed to providing