[Remote] Vulnerability Management Analyst

Remote Full-time Live

Note: This is a remote job open to candidates in the USA. Dragonfli Group is an award-winning cybersecurity advisory firm that provides high-impact security solutions to federal agencies and enterprise clients. The Senior Vulnerability Management Analyst will own and operate vulnerability management programs for a large federal client, leading scanning operations and managing stakeholder relationships while driving remediation efforts to closure.

Responsibilities

  • Lead and manage end-to-end vulnerability disclosure programs (VDP), including coordination with ethical hackers, system owners, and agency stakeholders
  • Own attack surface management programs (e.g., CISA FAST), including scheduling, scope management, findings coordination, and POA&M documentation
  • Manage and update Standard Operating Procedures (SOPs), SharePoint repositories, and program tracking documentation
  • Lead recurring stakeholder syncs (weekly vulnerability management meetings, DMZ syncs, Security Report presentations)
  • Operate and maintain enterprise vulnerability scanning platforms including Tenable.sc, Tenable.io, and web application scanning tools (OpenText ScanCentral or equivalent)
  • Scope, schedule, execute, and report on vulnerability scans across large, complex federal environments
  • Analyze scan results to identify critical and high-severity findings; triage false positives; prioritize remediation activities
  • Manage hardware/software certification pipelines; process ServiceNow tickets within defined SLAs
  • Support transition from legacy tools to modernized scanning platforms with minimal operational disruption
  • Track and drive remediation of critical, high, and all severity-tiered vulnerabilities to closure within program SLAs
  • Maintain accurate POA&M records for all open findings across program scope
  • Produce and present vulnerability dashboards, compliance reports, and executive-level status briefings
  • Validate remediation effectiveness through post-remediation scanning and analysis
  • Monitor HTTPS/HSTS compliance and other BOD requirements (BOD 18-01, BOD 20-01, and others as applicable)
  • Build and maintain working relationships with CISA contacts, agency system owners, SOC personnel, and contractor teams
  • Communicate vulnerability risks and remediation recommendations clearly to both technical and non-technical audiences
  • Serve as subject matter expert and primary point of contact for assigned programs
  • Provide backfill coverage across vulnerability management workstreams as needed

Skills

  • 3+ years of hands-on vulnerability management experience within a federal agency environment
  • Demonstrated program ownership: VDP, attack surface management, or equivalent independently managed programs
  • Proficiency with Tenable.sc and/or Tenable.io (scan configuration, report generation, false positive management)
  • Experience with CISA programs (VDP, FAST, BOD compliance) or equivalent federal cybersecurity initiatives
  • Working knowledge of ServiceNow or equivalent ITSM platforms for ticket management
  • Ability to produce clean, accurate SOPs, POA&Ms, and stakeholder-facing documentation
  • Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or equivalent practical experience
  • Active security clearance or eligibility to obtain one preferred
  • Experience operating WebInspect, OpenText ScanCentral, or equivalent DAST/web application scanning tools
  • Familiarity with Bugcrowd or other managed bug bounty platforms
  • Experience with HSTS/HTTPS compliance monitoring aligned to BOD 18-01
  • Active certifications: Security+, CEH, CISSP, CISM, or Certified Vulnerability Assessor (CVA)
  • Experience leading or co-leading standing meetings with federal stakeholders

Benefits

  • Health, Dental, and Vision Insurance
  • PTO
  • 401(k)
  • Remote work flexibility
  • Exposure to high-impact federal cybersecurity programs
  • Direct access to firm leadership and career development opportunities

Company Overview

  • The Dragonfli Group is a Washington, DC-based LLC specializing in management and technology consulting. It was founded in 2008 and is headquartered in Washington, District of Columbia, USA, with a workforce of 11-50 employees. Its website is https://www.dragonfligroup.com/.