Senior EASM Engineer - External Attack Surface Management

2 months ago Charlotte, NC

What You'll Do

  • Lead EASM validation and engineering: Investigate and reproduce findings from EASM platforms (e.g., exposed services, misconfigurations, weak crypto, DNS issues, leaked assets). Engineer and maintain repeatable validation processes and automation to confirm exploitability and business impact.
  • Architect prioritization logic: Partner with VM stakeholders to apply exploitability signals (EPSS, KEV, public exploit availability), asset criticality, and exposure windows to drive risk-based prioritization.
  • Engineer attribution and routing workflows: Build logic to deduplicate, attribute, and route findings across inventories, scanner outputs, and historical exceptions. Ensure single-threaded tracking and SLA visibility.
  • Partner on remediation strategy: Collaborate with stakeholders to design layered fixes, compensating controls, and sustainable hardening patterns for external assets.
  • Advance EASM capabilities: Develop tuning logic for discovery seeds and asset correlation. Continuously improve signal fidelity and automate common validation tasks.
  • Support VDP oversight: Provide governance for researcher communications, proof-of-fix validation, and SLA adherence.

What You'll Bring

  • 7+ years in vulnerability engineering or external attack surface security, with proven leadership in complex environments.
  • Hands-on experience with EASM platforms (e.g., Censys, Defender EASM, Cortex Xpanse, CyCognito) and strong understanding of internet-scale asset discovery.
  • Proficiency in scripting (Python, PowerShell, Bash) for automation and data wrangling; familiarity with SQL for enrichment tasks.
  • Strong knowledge of cloud security (AWS/Azure), PKI/TLS hygiene, DNS hardening, and external service posture.
  • Exceptional written and verbal communication, capable of translating technical risk into executive clarity and developer-ready guidance.

Nice-to-Have

  • Experience building prioritization models using EPSS/KEV and attack path concepts.
  • Familiarity with SaaS posture signals (SSPM) intersecting with external exposure.
  • Certifications such as OSCP, GWAPT, GPEN (or equivalent demonstrable skill); CISSP is a plus.
  • Deep expertise in validating advanced issues (authN/Z bypass, SSRF, injection, misconfigurations, cloud/API exposures) and producing actionable PoCs.

What's in It for You

  • A technical leadership role helping to shape and influence EASM strategy, automation, and risk reduction across the enterprise.
  • Growth pathways into offensive security, vulnerability management, security architecture, or program ownership.

Special Factors

Sponsorship
Vanguard is not offering visa sponsorship for this position.

About Vanguard

At Vanguard, we don't just have a mission; we're on a mission.

To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients' lives. To learn and develop our skills as individuals and as a team. From Malvern to Melbourne, our mission drives us forward and inspires us to be our best.

How We Work

Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection. We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.

Client-provided location(s): Charlotte, NC, Dallas, TX, Malvern, PA
Job ID: Vanguard-170330
Employment Type: FULL_TIME
Posted: 2025-09-09T20:26:15

Perks and Benefits

  • Health and Wellness

    • FSA
    • HSA
    • Health Reimbursement Account
    • Fitness Subsidies
    • On-Site Gym
    • HSA With Employer Contribution
    • Health Insurance
    • Dental Insurance
    • Vision Insurance
    • Life Insurance
    • Short-Term Disability
    • Long-Term Disability
    • Mental Health Benefits
    • Virtual Fitness Classes
    • Pet Insurance
  • Parental Benefits

    • Non-Birth Parent or Paternity Leave
    • Birth Parent or Maternity Leave
    • Fertility Benefits
    • Adoption Assistance Program
    • Family Support Resources
    • Adoption Leave
  • Work Flexibility

    • Flexible Work Hours
    • Hybrid Work Opportunities
  • Office Life and Perks

    • Company Outings
    • Commuter Benefits Program
    • Casual Dress
    • Happy Hours
    • Snacks
    • Some Meals Provided
    • On-Site Cafeteria
  • Vacation and Time Off

    • Personal/Sick Days
    • Paid Holidays
    • Paid Vacation
    • Volunteer Time Off
    • Leave of Absence
  • Financial and Retirement

    • Relocation Assistance
    • Performance Bonus
    • 401(K) With Company Matching
    • 401(K)
    • Financial Counseling
    • Profit Sharing
  • Professional Development

    • Promote From Within
    • Mentor Program
    • Shadowing Opportunities
    • Access to Online Courses
    • Tuition Reimbursement
    • Internship Program
    • Lunch and Learns
    • Leadership Training Program
  • Diversity and Inclusion

    • Diversity, Equity, and Inclusion Program
    • Employee Resource Groups (ERG)
