Manager, Vulnerability Research

at  Rapid7

JOB OVERVIEW

Rapid7’s security sciences division is looking for an experienced vulnerability research leader to help define and execute a research strategy that helps defenders get ahead of the curve, drives product and services innovation, and keeps Rapid7 top of mind for industry audiences. In addition to directly managing a small team of talented researchers, you’ll work with a skilled group of offensive security experts to define long-term priorities, evolve strategy where needed, and emphasize the importance of research to executive-level stakeholders.

The skills you’ll bring include:

• 5+ years of hands-on experience in a vulnerability research or exploit development role; you have extensive experience and a clear point of view on vulnerability exploitation, patch diffing, native code analysis, and black-box testing.
• Experience in a team lead or other research leadership role that includes management of both junior and senior researchers; experience managing across multiple time zones and countries is a big plus!
• Demonstrable experience running or participating in coordinated vulnerability disclosure processes that require coordination with external partners as well as internal teams (e.g., researchers, vendors, customers, governments, PR agencies). You have both expertise and empathy where CVD is concerned and can help all parties find common ground while still championing scalable practices that showcase team expertise.
• Expert knowledge of major vulnerability classes, attack techniques, and adversary profiles — and the ability to tell a story that connects them. Ideally you can point to public writing or speaking you’ve done on vulns and exploits (or other research or tooling you’ve delivered)
• Deep understanding of the challenges that security teams and global organizations face in today’s threat climate
• Understanding of how urgency and importance can complement each other or detract from one another: Your work will fall into both categories, and you’ll need to know when to counsel patience vs. when to raise alarms

In this role, you will:

• Manage a small bench of skilled senior researchers, coaching and unblocking on day-to-day vulnerability analysis tasks; you’ll help prioritize, drive operational efficiencies, and conduct regular 1:1s and performance reviews to further develop our top-tier talent!
• Lead Rapid7’s external vulnerability disclosure program. You’ll work with researchers to develop summaries of new vulnerabilities, report them to vendors, reserve and populate CVEs, and coordinate public disclosures with Rapid7 teams and external vendors, ensuring compliance with Rapid7’s disclosure policy.
• Prioritize, review, and suggest refinements to team vulnerability root cause analyses, exploit and PoC implementations, and CVE impact assessments, drawing on public data and your own experience to help the team paint a clear, holistic picture of risk for common threat models.
• Take an active operational role in triaging and prioritizing new CVEs that may qualify for customer-facing emergent threat responses; you’ll advise on process changes, write operational documentation, and/or implement automation that drives faster positive outcomes for customers and cross-team stakeholders.
• Assist in planning and delivering vulnerability intelligence blogs and long-form research reports, identifying patterns and attack vectors that spark conversation.
• Advise our security and threat detection engineers as they develop vulnerability checks, fingerprints, and detections; contextualize risk and explain the value of research to executive-level stakeholders.
• Work with Labs leadership on long-term hiring plans to scale the global team in line with business priorities; hire and develop a small bench of junior talent in Rapid7 office locations (EMEA), inspiring and training the next generation of vulnerability researchers.

The skills you’ll bring include:

• 5+ years of hands-on experience in a vulnerability research or exploit development role; you have extensive experience and a clear point of view on vulnerability exploitation, patch diffing, native code analysis, and black-box testing.
• Experience in a team lead or other research leadership role that includes management of both junior and senior researchers; experience managing across multiple time zones and countries is a big plus!
• Demonstrable experience running or participating in coordinated vulnerability disclosure processes that require coordination with external partners as well as internal teams (e.g., researchers, vendors, customers, governments, PR agencies). You have both expertise and empathy where CVD is concerned and can help all parties find common ground while still championing scalable practices that showcase team expertise.
• Expert knowledge of major vulnerability classes, attack techniques, and adversary profiles — and the ability to tell a story that connects them. Ideally you can point to public writing or speaking you’ve done on vulns and exploits (or other research or tooling you’ve delivered)
• Deep understanding of the challenges that security teams and global organizations face in today’s threat climate
• Understanding of how urgency and importance can complement each other or detract from one another: Your work will fall into both categories, and you’ll need to know when to counsel patience vs. when to raise alarms.

We know that the best ideas and solutions come from multi-dimensional teams reflecting a variety of backgrounds and professional experiences. If you are excited about this role and feel your experience can make an impact, please don’t be shy — apply today.