
Manager, Security Posture Validation - USDS

Washington, DC

About the Team
The Validation and Verification (VnV) organization ensures the security and reliability of our products by validating that security controls are implemented correctly, operating effectively, and delivering measurable risk reduction across the enterprise.

VnV operates across a continuous security lifecycle: Prevent → Assure → Test → Fix → Prove, ensuring that security posture is not only designed and tested, but continuously validated in real-world conditions.

About the Role
We are seeking a Manager of Security Posture Validation (Offensive Security & Privacy) to lead a high-impact team of Penetration Testers, Control Assessors, and Offensive Privacy Engineers. This is a unique hybrid leadership role where you will oversee the validation of technical security controls and systemic resilience through adversary simulation.

You will be responsible for the strategic vision and tactical execution of operations that span cloud infrastructure, web resources, and mobile applications. As a leader, you will bridge the gap between deep technical exploitation (Red Teaming) and systematic control validation (Security Posture), ensuring USDS maintains a world-class defense-in-depth posture.

Responsibilities
- Team Leadership & Development: Lead, mentor, and grow a specialized team of offensive security and privacy engineers. Foster a culture of continuous research, innovation, and ethical hacking.
- Integrated Verification Strategy: Define the roadmap for a unified testing program that combines Adversary Emulation (TTP-based testing) with Control Validation (NIST/ISO-based stress testing).
- Strategic Oversight: Plan and authorize comprehensive testing engagements, including red teaming, application pentesting, and privacy-specific threat modeling across OCI, AWS, and Azure.
- Stakeholder Management: Act as the primary interface for Executive leadership, Legal, Risk & Compliance, and Engineering. Translate complex technical vulnerabilities into actionable business risks.
- Methodology & Governance: Define and maintain Standard Operating Procedures (SOPs) and Rules of Engagement (ROE) for testing modern tech stacks (Kubernetes, Serverless, Mobile).
- Technical Excellence: Remain hands-on when necessary, guiding the team through complex exploitation scenarios, reverse engineering, and the development of custom automation for GRC tooling (e.g., Archer, ServiceNow).
- Remediation Advocacy: Collaborate with Blue Teams and Control Owners to track findings through to completion, providing pragmatic, risk-appropriate recommendations to correct flaws and misconfigurations.
- Metrics & Reporting: Develop and report Key Performance Indicators (KPIs) that demonstrate program effectiveness and organizational risk reduction to the Risk & Compliance teams.

Qualifications

Minimum Qualifications
- Experience: 5+ years in offensive security or privacy disciplines (Red Teaming, Pentesting, Vulnerability Research), with at least 3+ years in a formal people management or lead role.
- Technical Breadth: Proven expertise across Cloud (AWS/Azure/OCI), Mobile (iOS/Android), and Web Application security ecosystems.
- Control Validation: Strong working knowledge of security standards (ISO 27001, NIST 800-53, PCI-DSS) and experience gathering technical evidence to demonstrate compliance.
- Privacy Knowledge: Understanding of privacy-enhancing technologies (PETs) and the ability to apply offensive mindsets to identify data leakage or privacy-control bypasses.
- Coding/Scripting: Proficiency in at least two languages (e.g., Python, Golang, C++, Bash, or Java) for exploit development and tool automation.
- OS Mastery: Advanced knowledge of Windows, *nix, and macOS environments, including troubleshooting and administration.
- Education: Bachelor's degree in Computer Science, Information Security, Computer Engineering, or a related technical field.

Preferred Qualifications
- Advanced Certifications: A combination of security and privacy certifications (e.g., OSCP/OSEP/GXPN and CIPP/CIPT/CIPM).
- Tooling Expertise: Mastery of industry-standard tools such as Burp Suite Pro, Cobalt Strike, Frida, Objection, MobSF, SQLMap, and Nessus.
- Community Impact: Contributions to the security/privacy community (CVEs, bug bounty recognition, whitepapers, or speaking at conferences like DEF CON or Black Hat).
- Regulatory Expertise: Experience navigating security testing within highly regulated or national security-focused divisions (USDS/FedRAMP).

Client-provided location(s): Washington, DC
Job ID: TikTok-7618396298304325893
Employment Type: OTHER
Posted: 2026-03-20T20:31:37

Perks and Benefits

  • Health and Wellness

    • Health Insurance
    • Dental Insurance
    • Vision Insurance
    • HSA
    • Life Insurance
    • Fitness Subsidies
    • Short-Term Disability
    • Long-Term Disability
    • On-Site Gym
    • Mental Health Benefits
    • Virtual Fitness Classes
  • Parental Benefits

    • Fertility Benefits
    • Adoption Assistance Program
    • Family Support Resources
  • Work Flexibility

    • Flexible Work Hours
    • Hybrid Work Opportunities
  • Office Life and Perks

    • Casual Dress
    • Snacks
    • Pet-friendly Office
    • Happy Hours
    • Some Meals Provided
    • Company Outings
    • On-Site Cafeteria
    • Holiday Events
  • Vacation and Time Off

    • Paid Vacation
    • Paid Holidays
    • Personal/Sick Days
    • Leave of Absence
  • Financial and Retirement

    • 401(K) With Company Matching
    • Performance Bonus
    • Company Equity
  • Professional Development

    • Promote From Within
    • Access to Online Courses
    • Leadership Training Program
    • Associate or Rotational Training Program
    • Mentor Program
  • Diversity and Inclusion

    • Diversity, Equity, and Inclusion Program
    • Employee Resource Groups (ERG)