Senior Vulnerability Management Engineer

Are you passionate about making a real difference in cybersecurity? At Cisco, our Vulnerability Management team (part of Splunk Global Security) is at the forefront of protecting the technologies and products that power the world's data insights. We do more than just uncover technical vulnerabilities - we take a multidisciplinary, risk-based approach to security, identifying not only system flaws but also process and operational risks that could impact our product.

We are a globally diverse team of engineers who thrive on collaboration. Our team partners closely with diverse business and engineering groups, gaining deep understanding of their technologies and unique challenges. We don't just deliver findings - we provide actionable, tailored guidance to drive real remediation and elevate Splunk's security posture.

If you want to work at the intersection of risk management, technical security, and strategic collaboration - and help shape the future of security at Splunk - we want to meet you!

Help Splunk see risk more clearly, make data driven decisions, and continuously improve-by turning data into action and vulnerabilities into opportunities for growth

As a Senior Vulnerability Management Engineer, your work will go far beyond just finding technical flaws, you'll be shaping the way security risks are understood and addressed across the company. You'll use data science and sophisticated data visualization techniques to turn complex security data into clear, actionable insights for a wide range of stakeholders. By visualizing vulnerability trends, risk metrics, and remediation progress in compelling ways, you'll empower teams to make informed decisions and prioritize what matters most.

• Build solutions/capabilities within the scope of Vulnerability Management to further improve Splunk's Vulnerability Management Program (e.g., automation, data analysis, process development).

• Act as SME (subject matter expert) for vulnerability management and processes.

• Analyze vulnerability data/Identifying trends to perform root-cause analysis.

• Assist in development of new security standards and baselines.

• Perform vulnerability assessments and act as a point of contact for engineering teams to drive remediation of security concerns and active incidents.

• Respond to emerging security events and threats.

• Triage vulnerabilities to provide company specific severity guidance.

• Ensure remediation team compliance to regulatory standards.

• Comfortably lead security discussions, vulnerability assessments, propose and discuss solutions to security tools that are directly related to their area of focus.

• Develop SOPs, performance metrics, and reporting mechanisms aligned with SLAs and critical metrics.

• Engage with leadership, customers, and auditors to provide updates, recommendations, and briefings.

• Bachelor's degree with 8+ years of experience in a vulnerability management engineering or information security capacity or Master's degree with 6+ years of experience; or PhD with 5+ years of related experience

• Must have experience with risk-based vulnerability management/configuration compliance assessments and security concepts and prioritization methodologies.

• Able to communicate risk and urgency to executives, program, and technical staff.

• Demonstrable proficiency with vulnerability scanning and configuration compliance platforms such as Tenable, Qualys, Rapid7, Wiz, Prisma, or similar.

• Familiarity with how to assess and implement external configuration compliance standards such as CIS Benchmarks and DISA STIGs

• Understanding of security features in Container and Container Orchestration technologies (Docker, Kubernetes, etc).

• Strong analytical and problem-solving skills, with an ability to balance security needs with business impact while addressing systemic security issues through root cause analysis, building security solutions, and project leadership.

• Knowledge of common security threats, such as attack-techniques, evasive techniques, and preventative & defensive methods.

• Deep knowledge of cloud operational models and secure SaaS architecture in a world of containerized microservices.

• Familiarity of compliance requirements for certifications like PCI DSS, SOC2, HIPAA, FedRAMP.

• Functional in using Splunk Search Processing Language (SPL).

• Excellent working experience in applying FISMA, and FedRAMP processes and policies to information systems.

• Experience with scripting and automation (e.g., Python, SOAR) to automate scanning tasks, reporting, and API integrations.

• Industry certifications such as CISSP, CCSP, CompTIA CySA+, Cloud Vendor security credentials.

At Cisco, we're revolutionizing how data and infrastructure connect and protect organizations in the AI era - and beyond. We've been innovating fearlessly for 40 years to create solutions that power how humans and technology work together across the physical and digital worlds. These solutions provide customers with unparalleled security, visibility, and insights across the entire digital footprint.

Fueled by the depth and breadth of our technology, we experiment and create meaningful solutions. Add to that our worldwide network of doers and experts, and you'll see that the opportunities to grow and build are limitless. We work as a team, collaborating with empathy to make really big things happen on a global scale. Because our solutions are everywhere, our impact is everywhere.

We are Cisco, and our power starts with you.

Individual pay is determined by the candidate's hiring location, market conditions, job-related skillset, experience, qualifications, education, certifications, and/or training. The full salary range for certain locations is listed below. For locations not listed below, the recruiter can share more details about compensation for the role in your location during the hiring process.

U.S. employees are offered benefits, subject to Cisco's plan eligibility rules, which include medical, dental and vision insurance, a 401(k) plan with a Cisco matching contribution, paid parental leave, short and long-term disability coverage, and basic life insurance. Please see the Cisco careers site to discover more benefits and perks. Employees may be eligible to receive grants of Cisco restricted stock units, which vest following continued employment with Cisco for defined periods of time.

U.S. employees are eligible for paid time away as described below, subject to Cisco's policies:

• 10 paid holidays per full calendar year, plus 1 floating holiday for non-exempt employees

• 1 paid day off for employee's birthday, paid year-end holiday shutdown, and 4 paid days off for personal wellness determined by Cisco

• Non-exempt employees** receive 16 days of paid vacation time per full calendar year, accrued at rate of 4.92 hours per pay period for full-time employees

• Exempt employees participate in Cisco's flexible vacation time off program, which has no defined limit on how much vacation time eligible employees may use (subject to availability and some business limitations)

• 80 hours of sick time off provided on hire date and each January 1st thereafter, and up to 80 hours ofunused sick timecarried forwardfrom one calendar yearto the next

• Additional paid time away may be requested to deal with critical or emergency issues for family members

• Optional 10 paid days per full calendar year to volunteer

For non-sales roles, employees are also eligible to earn annual bonuses subject to Cisco's policies.

Employees on sales plans earn performance-based incentive pay on top of their base salary, which is split between quota and non-quota components, subject to the applicable Cisco plan. For quota-based incentive pay, Cisco typically pays as follows:

• .75% of incentive target for each 1% of revenue attainment up to 50% of quota;

• 1.5% of incentive target for each 1% of attainment between 50% and 75%;

• 1% of incentive target for each 1% of attainment between 75% and 100%; and

• Once performance exceeds 100% attainment, incentive rates are at or above 1% for each 1% of attainment with no cap on incentive compensation.

For non-quota-based sales performance elements such as strategic sales objectives, Cisco may pay 0% up to 125% of target. Cisco sales plans do not have a minimum threshold of performance for sales incentive compensation to be paid.

The applicable full salary ranges for this position, by specific state, are listed below:

New York City Metro Area:

Non-Metro New York state & Washington state:

* For quota-based sales roles on Cisco's sales plan, the ranges provided in this posting include base pay and sales target incentive compensation combined.

** Employees in Illinois, whether exempt or non-exempt, will participate in a unique time off program to meet local requirements.