runzero
Country: USA
Salary: 150 000 $ – 180 000 $
Remote · Full-time

Vulnerability and Exploitation Researcher

AI assessment

The high score reflects a strong team (the founder is the creator of Metasploit), fully remote work, an excellent benefits package (100% of insurance premiums paid), and a transparent salary range. The company is working on an innovative product in an in-demand niche.


Vacancy from Quick Offer Global, a list of international companies

Job difficulty

AI assessment

The role requires deep technical knowledge of vulnerability exploitation and root cause analysis, as well as programming skills in Go. The selection process includes a practical assignment (Candidate challenge), which raises the bar for candidates.

Salary analysis

Median: 165 000 $
Market: 140 000 $ – 190 000 $
AI assessment

The offered salary of $150,000 - $180,000 is fully in line with market expectations for senior positions in Vulnerability Research in the USA. This is a competitive offer given the fully remote work format and additional bonuses.

Cover letter

I am writing to express my strong interest in the Vulnerability and Exploitation Researcher position at runZero. With a deep background in vulnerability analysis and a passion for proactive threat research, I have long admired runZero’s innovative approach to asset discovery and exposure management, especially given the company's foundation by HD Moore. My experience in conducting root cause analysis and developing custom detection rules aligns perfectly with your mission to provide a single source of truth for the total attack surface.

In my previous roles, I have successfully identified and analyzed complex vulnerabilities across diverse environments, including IT and IoT. I am particularly excited about the opportunity to contribute to runZero’s codebase in Golang and to collaborate with your research engineers on building robust vulnerability checks. My familiarity with CVE, CVSS, and EPSS frameworks, combined with my hands-on experience in exploitation techniques, enables me to deliver actionable intelligence that helps organizations mitigate risks faster.

Job description

What we do

At runZero, we're a team of dreamers and creative thinkers who aren't afraid to shake up the status quo. Fixing what’s broken with legacy vulnerability management and overcoming persistent, decades-old problems requires a new approach.

Our platform provides a single source of truth for exposure management across the total attack surface. Without requiring agents, authentication, or appliances, runZero delivers the most complete and accurate visibility into every asset and exposure across internal, external, IT, OT, IoT, mobile, and cloud environments — including uncovering unknown and unmanageable devices and broad classes of exposures that evade traditional tools.

Founded by HD Moore (creator of Metasploit), runZero is trusted by more than 500 companies and 30,000 users worldwide to find and mitigate risks faster, meet compliance requirements, and improve overall security. See for yourself with a free trial!

Role

As a Vulnerability Researcher, you'll play a critical role in uncovering and analyzing vulnerabilities to strengthen runZero’s detection and intelligence capabilities. From researching and monitoring security threats, to collaborating with engineers on developing detection rules and vulnerability checks, to leading short-term original vulnerability research projects, you'll help drive impact by proactively identifying risks and surfacing insights for our customers.

Responsibilities

  • Research current vulnerabilities and exploits using trusted sources, and stay up to date with threat intelligence
  • Write root cause analyses and technical reports, as needed, clearly communicating findings to technical audiences
  • Proactively monitor security-related information sources to discover new vulnerabilities and attack vectors
  • Apply analytical expertise to investigate malware, phishing, mobile, and brand threats, delivering actionable vulnerability intelligence
  • Assess the impact of vulnerabilities on critical systems and advise stakeholders on remediation strategies
  • Build custom detection rules, identify unique attack attributes, and surface vulnerable internet-connected assets
  • Assess in-the-wild exploitation readiness
  • Research and develop new exploits and attack techniques
  • Work with product and research engineers to develop vulnerability checks, fingerprints, queries, and detections
  • Collaborate with the engineering team to add findings to the codebase, ideally in Golang

Requirements

  • Hands-on experience with common vulnerability classes and exploitation techniques
  • Familiarity with CVE (Common Vulnerabilities and Exposures), CWE (Common Weakness Enumeration), CVSS (Common Vulnerability Scoring System), EPSS (Exploit Prediction Scoring System)
  • Experience using vulnerability and compliance scanning tools (Tenable, Rapid7, Qualys, Rockwell, and many other options)
  • Solid grasp of security advisories, vulnerability exploitation, and threat impact
  • Experience collaborating with engineers on automated tooling and detection rules
  • Familiarity with Git, GitHub, CI/CD processes
  • Familiarity with at least one programming language and the ability to use it to automate tasks (e.g. Go, Python, or Ruby)
  • Knowledge of regular expressions (regex) and SQL for querying large databases is a big plus
  • Experience coding in Go is a big plus
  • Presentation skills at hacker conferences is a big plus

Salary Range: runZero values transparency in the hiring process. According to our market data, we’re expecting this role to come in at a salary of about $150,000 - $180,000. We know that the talent market is always in flux, so please let us know if you believe we have advertised this role in the wrong salary band.

Interview process

We value your time and see the interview process as a critical two-way street, allowing us to assess your skills, strengths, and cultural fit while simultaneously providing you with a clear understanding of our company, our ways of working, and the expectations specific to the role you’re seeking. To this end, our interview process incorporates a combination of:

  • Initial one-on-one interviews with a recruiter and manager
  • Panel interviews with the team
  • Candidate challenge - a role-specific challenge designed for you to showcase your strengths and allow us to assess your skills in a hands-on exercise
  • A final interview, conducted either remotely or in-person if we haven't yet met face-to-face in previous rounds

How we take care of you

  • 🏡 Fully remote: runZero is a 100% remote company! While we aim to gather annually for kick-offs, our team thrives in the flexibility and freedom that remote work provides.
  • 🥕 Benefits: We prioritize the well-being of our team members, which is why runZero pays for 100% of the premium platinum-level medical, vision, dental, life, and short-term disability coverage for you and your dependents.
  • 🔐 401(k): We match 4% of 401(k) contributions
  • 🏝️ Time off: We offer unlimited PTO, 11 official company holidays, and a recharge week at the end of the year
  • 🍼 Paid parental leave: We offer 12 weeks of paid parental leave
  • 🎉 Culture of collaboration: Our team is diverse, representing various backgrounds and perspectives, which fosters an inclusive and vibrant environment. With flexible schedules and supportive coworkers who listen to one another, runZero promotes a culture of collaboration.
  • And more!

For more information on what it's like to work at runZero, please visit our employee spotlight page!

Applications

runZero positions are currently restricted to the United States and the United Kingdom. All other international applications will not be considered.

runZero is an Equal Opportunity Employer and does not discriminate on the basis of race, religion, color, sex, gender identity, sexual orientation, age, disability, national origin, veteran status, marital status, ancestry, nationality or any other basis covered by applicable law.

We encourage under-represented applicants to apply, even if you don’t think you fit 100% of the criteria (nobody ever does)!

Skills

  • Golang
  • Python
  • Ruby
  • SQL
  • Git
  • GitHub
  • CI/CD
  • Regex
  • Vulnerability Assessment
  • Exploitation Techniques
  • CVE
  • CVSS
  • EPSS
  • CWE
  • Tenable
  • Rapid7
  • Qualys

Possible interview questions

Tests depth of technical knowledge and the ability to explain complex concepts.

Can you walk through a recent critical vulnerability (for example, from the CVE list) and explain how it is exploited and how it can be detected?

Assesses the development and automation skills that matter for this role.

What is your experience writing vulnerability scanning or detection tools in Go?

Tests understanding of modern risk-prioritization methodologies.

How do you use EPSS and CVSS metrics when assessing whether a check for a specific vulnerability should be included in the product?

Assesses the ability to work with network protocols and non-standard devices.

What difficulties have you encountered when looking for vulnerabilities in IoT or OT devices compared with traditional IT systems?

Tests code security analysis skills.

Describe your process for conducting a Root Cause Analysis (RCA) after discovering a potential exploit in the wild.
