[Remote] Vulnerability Operations Engineer - Remote
Note: The job is a remote job and is open to candidates in USA. CentralSquare Technologies is a trusted provider of public sector software in North America, supporting over 8,000 agencies with their comprehensive platform. They are seeking a Vulnerability Operations Engineer to enhance their Security team by managing the full pipeline of vulnerability discovery and resolution using AI technologies, ensuring that application teams receive both problems and solutions efficiently.
Responsibilities
- Operate and continuously improve an AI-powered scanning pipeline across CentralSquare's first-party codebases, open-source dependencies, and infrastructure components
- Use Claude Code, Veracode, and Orca to conduct ongoing static analysis, software composition analysis (SCA), and cloud posture assessments
- Apply reachability analysis to distinguish genuinely exploitable vulnerabilities from theoretical findings, reducing alert fatigue and focusing remediation effort where risk is real
- Monitor threat intelligence feeds, CVE disclosures, and coordinated disclosure programs (including Project Glasswing patch releases) to identify newly disclosed vulnerabilities affecting CentralSquare's software supply chain
- Develop and validate fixes (code patches, dependency upgrades, configuration changes) using AI coding agents such as Claude Code, verifying resolution without regressions before submission
- Submit validated fixes as pull requests into owning teams' Azure DevOps repositories, with clear documentation of the vulnerability, risk context, and fix rationale to support efficient review and merge
- Collaborate with application and infrastructure teams during code review, providing technical context and responding to questions about proposed changes
- Own the end-to-end SLA lifecycle for all open findings, maintaining real-time tracking of detection, fix submission, and merge status in the vulnerability management system
- Proactively escalate findings approaching SLA breach with remediation options and risk context
- Produce regular reporting on pipeline health, SLA adherence, remediation velocity, and open risk posture for the security leadership team
- Own the configuration, tuning, and operational health of VulnOps tooling including Veracode, Orca, Claude Code, and Azure DevOps security integrations
- Identify and reduce false positive rates through policy tuning and reachability filtering, ensuring signal quality remains high as scan volume increases
- Contribute to the development of automated remediation pipelines, including AI-assisted fix generation integrated directly into CI/CD workflows
- Evaluate and recommend new tools and capabilities as the AI security tooling landscape evolves
- Work closely with application engineering, DevOps, and infrastructure teams to ensure fix delivery is efficient and minimally disruptive to development velocity
- Provide security guidance to engineering teams on secure coding practices and dependency management in the context of AI-accelerated vulnerability discovery
- Partner with the Risk and Compliance team to ensure vulnerability data and SLA metrics align with audit and regulatory reporting requirements (NIST CSF, PCI DSS, CJIS)
- Perform other duties as assigned
Skills
- Bachelor's degree in Cybersecurity, Computer Science, or Information Technology, or equivalent professional experience
- 5-7 years of professional experience in application security, vulnerability management, or a combined security engineering role
- Demonstrated hands-on experience using AI coding agents (Claude Code or equivalent) to find, evaluate, and generate fixes for software vulnerabilities
- Proficiency with SAST and SCA tooling; direct experience with Veracode strongly preferred
- Experience with cloud security posture management; direct experience with Orca preferred
- Working experience with Azure DevOps for CI/CD pipeline integration and pull request workflows
- Ability to read, understand, and write code across at least two languages commonly used in enterprise SaaS environments (e.g., Java, C#, Python, JavaScript/TypeScript, Terraform)
- Strong understanding of reachability analysis and the ability to apply it to distinguish exploitable findings from theoretical risk
- Familiarity with dependency and supply chain security concepts, including SBOM generation and management
- Working knowledge of common vulnerability classes (injection, memory corruption, authentication flaws, insecure deserialization, etc.) and their remediation patterns
- Understanding of security frameworks including NIST CSF and CIS Controls
- Highly systematic and process-driven — capable of managing a high volume of concurrent findings without losing precision or letting items fall through the cracks
- Self-directed and accountable: this role is measured by fix delivery and SLA outcomes, not activity metrics
- Strong written communication skills — fix submissions must include documentation that gives owning teams sufficient context for confident, efficient code review
- Comfortable working across organizational boundaries, earning credibility with engineering teams through technical quality rather than authority
- Able to prioritize effectively under pressure, with clear judgment about when to escalate versus resolve independently
- A required part of the onboarding process for this role involves obtaining CJIS (Criminal Justice Information Services) clearance—a critical credential for safeguarding public safety data
Benefits
- Mentorship
- Learning programs
- Clear paths for advancement
- Competitive compensation and a benefits package designed to support your life inside and outside of work—tuition reimbursement
- Parental leave
- Paid volunteer hours
- Unlimited PTO
- Flexible work environment gives you the freedom to balance your heroic work with personal well-being, whether you’re in the office or remote
- CJIS (Criminal Justice Information Services) clearance—a critical credential for safeguarding public safety data. At CentralSquare, we’ll stand with you every step of the way to secure this clearance should you be selected for hire
- Comprehensive background check will be conducted
Company Overview