- Vulnerability Analyst - External Attack Surface…
- Vanguard (Malvern, PA)
What you’ll do

+ Validate and reproduce findings from EASM (internet-exposed assets, misconfigurations, leaked services, weak crypto, open ports) and from VDP submissions (web, API, mobile, infrastructure). Use manual techniques and PT frameworks to confirm exploitability and business impact.
+ Right-size severity and priority using exploitability signals (e.g., public exploit, EPSS/KEV), control context, asset criticality, and exposure window; document rationale and evidence that developers and risk owners can act on.
+ De-duplicate, enrich, and route findings to the correct owners; eliminate false positives; merge related signal (scanner output, logs, asset inventory, prior exceptions) and ensure single-threaded tracking to closure.
+ Partner with secure business enablement and product teams to negotiate remediation paths and SLAs; propose compensating controls or layered fixes when “one-shot” remediation isn’t feasible.
+ Partner on governance workflows for risk acceptances, rating overrides, and re-acceptance cycles; ensure issue aging and SLAs are visible in our dashboards.
+ Close the loop with researchers (for VDP) through clear, respectful communications and crisp proof-of-fix retesting.
+ Continuously improve signal quality by tuning rules/policies, source inventories, and intake/playbooks; author repeatable runbooks for common vuln classes.
+ Contribute as an adversary when needed (mini-engagements) to validate edge-case chains and confirm impact beyond tool output.

What you’ll bring

+ 3–5 years in vulnerability analysis, application/infrastructure security, red teaming, or penetration testing (internal or consulting).
+ Proven ability to validate complex issues (param tampering, authN/Z bypass, SSRF, injection, IDOR, misconfig, cloud/API exposures) and write concise, repeatable steps with screenshots/PoCs.
+ Experience with EASM (e.g., Censys, Defender EASM, Cortex Xpanse) and VDP/bug bounty platforms (e.g., HackerOne, Bugcrowd) and their triage mechanics.
+ Familiarity with enterprise VM and tracking (ServiceNow VR/IRM, Jira, Archer/Risk Register), and with platform scanners (Qualys/Tenable/Nessus/Burp/ZAP).
+ Working knowledge of cloud (AWS/Azure), web and API security, PKI/TLS hygiene, DNS, and internet-exposed service hardening.
+ Scripting (Python/PowerShell/Bash) for repeatable validation and data wrangling; basic SQL helpful.
+ Exceptional written communication—capable of translating technical risk into actionable guidance and executive clarity.

Nice-to-have exposure

+ EPSS/KEV-driven prioritization, attack path/graph concepts, and risk quant inputs.
+ Cloud posture and SaaS posture signals (SSPM) that intersect with external exposure.
+ Building tuning logic for scanners and platform rules (e.g., policy libraries, discovery seeds, asset correlation).
+ Certifications such as OSCP, GWAPT, GPEN (or equivalent demonstrable skill) are a plus; CISSP nice-to-have.

What’s in it for you

+ A front-row seat reducing real-world external risk—turning noisy findings into decisive action.
+ Growth pathways into pen testing, threat modeling/assurance, or VM program leadership.

Special Factors

Sponsorship: Vanguard is not offering visa sponsorship for this position.

About Vanguard

At Vanguard, we don't just have a mission—we're on a mission. To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients' lives. To learn and develop our skills as individuals and as a team. From Malvern to Melbourne, our mission drives us forward and inspires us to be our best.

How We Work

Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection.

We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.