Vulnerability Analyst — External Attack Surface & VDP at Vanguard

Malvern, Pennsylvania, United States

Apply Now
Vanguard Logo
Not SpecifiedCompensation
Mid-level (3 to 4 years)Experience Level
Full TimeJob Type
UnknownVisa
Financial ServicesIndustries

Requirements

  • 3–5 years in vulnerability analysis, application/infrastructure security, red teaming, or penetration testing (internal or consulting)
  • Proven ability to validate complex issues (param tampering, authN/Z bypass, SSRF, injection, IDOR, misconfig, cloud/API exposures) and write concise, repeatable steps with screenshots/PoCs
  • Experience with EASM (e.g., Censys, Defender EASM, Cortex Xpanse) and VDP/bug bounty platforms (e.g., HackerOne, Bugcrowd) and their triage mechanics
  • Familiarity with enterprise VM & tracking (ServiceNow VR/IRM, Jira, Archer/Risk Register), and with platform scanners (Qualys/Tenable/Nessus/Burp/ZAP)
  • Working knowledge of cloud (AWS/Azure), web & API security, PKI/TLS hygiene, DNS, and internet exposed service hardening
  • Scripting (Python/PowerShell/Bash) for repeatable validation and data wrangling; basic SQL helpful
  • Exceptional written communication—capable of translating technical risk into actionable guidance and executive clarity

Responsibilities

  • Validate & reproduce findings from EASM (internet exposed assets, misconfigurations, leaked services, weak crypto, open ports) and from VDP submissions (web, API, mobile, infrastructure). Use manual techniques and PT frameworks to confirm exploitability and business impact
  • Right-size severity & priority using exploitability signals (e.g., public exploit, EPSS/KEV), control context, asset criticality, and exposure window; document rationale and evidence that developers and risk owners can act on
  • Deduplicate, enrich & route findings to the correct owners; eliminate false positives; merge related signal (scanner output, logs, asset inventory, prior exceptions) and ensure single threaded tracking to closure
  • Partner with secure business enablement & product teams to negotiate remediation paths and SLAs; propose compensating controls or layered fixes when “one-shot” remediation isn’t feasible
  • Partner on governance workflows for risk acceptances, rating overrides, and reacceptance cycles; ensure issues aging and SLAs are visible in our dashboards
  • Close the loop with researchers (for VDP) through clear, respectful communications and crisp proof-of-fix retesting
  • Continuously improve signal quality by tuning rules/policies, source inventories, and intake/playbooks; author repeatable runbooks for common vuln classes
  • Contribute as an adversary when needed (mini-engagements) to validate edge case chains and confirm impact beyond tool output

Skills

Key technologies and capabilities for this role

EASMCensysDefender EASMCortex XpanseVDPHackerOneBugcrowdPenetration TestingRed TeamingVulnerability AnalysisSSRFInjectionIDORParam TamperingAuth BypassCloud SecurityAPI Security

Questions & Answers

Common questions about this position

What experience level is required for this Vulnerability Analyst role?

The role requires 3–5 years in vulnerability analysis, application/infrastructure security, red teaming, or penetration testing.

What technical skills are needed for this position?

Key skills include experience with EASM tools like Censys and VDP platforms like HackerOne, enterprise VM tools like ServiceNow, cloud knowledge in AWS/Azure, web/API security, and scripting in Python/PowerShell/Bash.

Is this a remote position or does it require office work?

This information is not specified in the job description.

What is the salary or compensation for this role?

This information is not specified in the job description.

What makes a strong candidate for this Vulnerability Analyst position?

Strong candidates have proven ability to validate complex issues like param tampering or SSRF with concise PoCs, exceptional written communication for actionable guidance, and nice-to-haves like OSCP certification or EPSS/KEV prioritization experience.

Vanguard

Client-owned investment management firm offering low-cost funds

Website

About Vanguard

Vanguard provides financial services with a focus on investment management. The company offers a variety of products, including mutual funds, exchange-traded funds (ETFs), individual retirement accounts (IRAs), and 401k rollovers, aimed at individual investors, financial advisors, and institutions. Vanguard's unique ownership structure means it is owned by its funds, which are in turn owned by the clients, allowing it to prioritize the needs of its investors over external shareholders. This model enables Vanguard to offer low-cost investment options, as it primarily earns revenue through management fees that are generally lower than industry standards. Additionally, Vanguard provides personalized investment advisory services, charging fees based on the assets managed. The company's goal is to help clients grow their wealth and achieve their financial objectives through effective investment strategies, while maintaining a competitive performance track record.

Kline Township, PennsylvaniaHeadquarters
1975Year Founded
SECONDARYCompany Stage
Fintech, Financial ServicesIndustries
10,001+Employees

Benefits

Best-in-class medical, dental & vision coverage
Onsite health clinic & fitness center
Health Smart Rewards program
Vanguard Retirement Savings Plan
Education Benefits
PTO
Family Planning Benefist
Parental leave
Personal development opportunities
Volunteer Time Off

Risks

Competition from AI-driven platforms like Writer challenges Vanguard's traditional advisory services.
Vanguard's stake in Steelcase exposes it to the volatile furniture market.
New active bond ETFs may struggle in a low-yield environment with increasing competition.

Differentiation

Vanguard is client-owned, aligning its interests with investors, unlike traditional firms.
The firm offers low-cost investment products, making it attractive to cost-conscious investors.
Vanguard's ownership structure allows it to focus on long-term investor value.

Upsides

Vanguard's new active bond ETFs offer diversified, low-cost fixed income options.
The acquisition of Steelcase shares diversifies Vanguard's portfolio into the furniture industry.
Launching the International Dividend Growth Fund appeals to investors seeking sustainable dividend growth.

Related Jobs

United States
Remote iconRemote

Principal Data Engineer, Attack Surface Intelligence

Recorded Future
Salary not specified
United States
Remote iconRemote

Senior Security Analyst, Vulnerability Management

Vanta
Salary not specified
Seattle +6 more
Remote iconRemote

Senior Manager, Hacker Success Program

HackerOne
£86,000 - £108,000/year
  • Employment type iconFull Time
  • Experience level iconExpert & Leadership (9+ years)
San Antonio
Remote iconRemote

Senior Penetration Tester

Humana
Salary not specified
United States
Remote iconRemote

Channel Account Manager (US/Canada East Region)

Apixio
Salary not specified
  • Employment type iconFull Time
  • Experience level iconSenior (5 to 8 years), Expert & Leadership (9+ years)
Philadelphia +1 more
Remote iconRemote

Government Program Analyst

NeuroFlow
Salary not specified
United States
Remote iconRemote

Sr. Threat Hunting Intelligence Analyst (Remote)

Crowdstrike
Salary not specified
Berkeley +1 more
Remote iconRemote

Security Operations Analyst

The Voleon Group
Salary not specified
  • Employment type iconFull Time
  • Experience level iconEntry Level & New Grad
United States
Remote iconRemote

Staff Threat Intelligence Analyst

Huntress
$190,000 - $210,000/year
  • Employment type iconFull Time
  • Experience level iconSenior (5 to 8 years)

Land your dream remote job 3x faster with AI

Try Jobo Free