Sr. Vulnerability Management Engineer

Ever since we started in 2007, Sunrun has been at the forefront of connecting people to the cleanest energy on Earth. It's why we've become the #1 home solar and battery company in America. Today, we're on a mission to change the way the world interacts with energy, and we're building a company and brand that puts power at the center of life. And we're doing it by designing a dynamic culture where employee development, well-being, and safety come first. We're unlike any other solar company. Our vertically integrated model gives us total control over every part of the energy lifecycle - from sale through installation and beyond - so you can find endless opportunities for growth. Come join a career you can grow in and a culture you can run with.

This position is primarily remote, with occasional visits to a local office or our corporate headquarters for team-building, training, and collaborative project work. These on-site sessions are designed to strengthen connections, share insights, and ensure a seamless experience for our team and customers. Equipment pick-up from a local branch will be required. We will provide advance notice whenever on-site attendance is required, making these times purposeful and rewarding.

Position Overview

We are seeking a senior, strategic Vulnerability Management Engineer to lead the evolution and execution of our enterprise-wide vulnerability management program. As our subject matter expert, you will drive strategy, foster a risk-aware culture, and ensure the timely remediation of vulnerabilities across our diverse on-premise and multi-cloud environments. This is a pivotal leadership role focused on transforming vulnerability management into a core information security strength, directly safeguarding our organization's assets and data.

• Develop and own the enterprise vulnerability management strategy, roadmap, policies, and standards, ensuring alignment with business objectives and regulatory requirements.
• Act as the definitive subject matter expert on vulnerability threats, exploitation techniques, and mitigation strategies, providing thought leadership to the organization.
• Define the organization's risk appetite in collaboration with executive leadership, ensuring the program operates effectively within established risk tolerance levels.
• Mentor and guide junior engineers and analysts, serving as the technical escalation point for complex vulnerability issues.

• Lead the end-to-end vulnerability management lifecycle: from asset discovery, scanning, and analysis to reporting and remediation tracking across all on-premise, cloud (IaaS, PaaS, SaaS), and containerized environments.
• Architect, manage, and optimize our suite of vulnerability management tools (e.g., Tenable, Qualys, Rapid7, Wiz, Prisma Cloud) to ensure comprehensive coverage and efficiency.
• Drive automation and continuous improvement within the program to streamline processes and enhance capabilities.
• Partner with IT and engineering teams to maintain a comprehensive and accurate asset inventory, a critical foundation for program success.

• Build strong partnerships with Engineering, IT, DevOps, and Application Development teams to drive the timely remediation of vulnerabilities and ensure adherence to SLAs.
• Develop and maintain robust metrics, KPIs, and KRIs to measure program effectiveness and communicate our security posture to technical teams and executive leadership.
• Design and deliver clear, actionable dashboards and reports that translate complex technical data into business-relevant risk insights.
• Champion "shift-left" principles by working with DevSecOps teams to integrate security into the Software Development Lifecycle (SDLC).

• 8+ years of progressive experience in cybersecurity, with 5+ years specifically dedicated to enterprise-scale vulnerability management in complex, hybrid environments.
• Proven track record of developing, leading, and maturing a successful vulnerability management program with measurable improvements in risk reduction.
• Deep, hands-on expertise with leading vulnerability scanning platforms (Tenable, Qualys, etc.) and cloud security posture management (CSPM) tools (Wiz, Prisma Cloud, etc.).
• Expert understanding of the vulnerability lifecycle, risk assessment, and advanced prioritization techniques (CVSS, EPSS, CISA KEV).
• Proficiency in assessing vulnerabilities across diverse environments, including on-premise infrastructure, multi-cloud platforms (AWS, Azure, GCP), and container technologies (Docker, Kubernetes).
• Exceptional leadership and communication skills, with the ability to influence cross-functional teams and present complex technical concepts to both technical and executive audiences.

• Bachelor's degree in a relevant field (Computer Science, Cybersecurity, etc.) or equivalent extensive experience.
• Experience with scripting languages (Python, PowerShell) to automate tasks and integrate tools.
• Knowledge of "Security as Code" principles and experience integrating security into CI/CD pipelines.
• Familiarity with compliance frameworks (PCI DSS, HIPAA, SOX, NIST) and their impact on vulnerability management.
• Highly desirable certifications: CISSP, CISM, CRISC, GIAC, OSCP, or relevant cloud security certifications.