• Deploy and operationalize Cycode ASPM platform (or equivalent) as the central nervous system for application security—unifying SAST, SCA, secret scanning, container security, and IaC scanning into actionable intelligence • Build IDE-to-cloud security pipelines that catch vulnerabilities at code-write time, eliminating 90% of findings before merge • Create security-as-code frameworks that make the secure path the default path • Automate vulnerability triage, deduplication, and routing to eliminate manual security toil • Design and deploy pre-approved security patterns, libraries, and templates that enable developers to build securely without security expertise • Establish threat modeling as a lightweight, scalable practice integrated into product planning • Conduct security architecture reviews for high-risk features across mobile (iOS/Android), backend (Java, Python, PHP), and emerging hardware products • Build security tooling that developers actually want to use—think Spotify's Backstage for security • Establish SLA-driven vulnerability management workflows with clear severity definitions, ownership models, and escalation paths • Create friction-free remediation guidance—not "fix this," but "here's the exact code change needed" • Build metrics dashboards that translate security posture into business language executives understand • Partner with engineering leadership to embed security accountability into team objectives • Act as embedded security advisor to product and platform engineering teams • Translate complex security requirements into pragmatic, implementable solutions • Influence technical decisions at the architecture level—security considered in design, not bolted on after

• Developing and refining internal red team scripts, tools, and methodologies to enhance offensive security operations. • Research, validate, and exploit known attacks, vulnerabilities, and security weaknesses using custom-built or existing tools. • Conduct thorough Red Team assessments targeting on-premises infrastructure, cloud environments, and enterprise threat landscapes. • Identify vulnerabilities across software, systems, networks, and business logic through simulated adversarial tactics. • Design and execute complex threat emulation scenarios incorporating physical, social engineering, and digital attack vectors. • Produce detailed, accurate, and actionable reports and presentations tailored for both technical teams and executive leadership. • Collaborate closely with other security teams to support remediation efforts and improve overall security posture. • Stay current with emerging threats, attack techniques, and security technologies to continuously evolve red team capabilities. • Conduct Purple Team exercises in collaboration with partner security teams to identify and improve the organization's security posture.

• Develop and implement the organization's information security strategy. • Provide regular security updates to the CIO, other executives, and the board of directors, including presentations on security matters. • Represent the organization in security-related matters with external parties, including vendors and auditors. • Work closely with the CIO and operate as a member of the DevOps team to emphasize and implement security initiatives. • Conduct regular risk assessments and vulnerability scans using tools like Rapid7 IVM and internal tracking systems. • Oversee the development and implementation of incident response plans and conduct tabletop exercises with DevOps team members. • Ensure compliance with relevant regulations and standards, including HITRUST, NIST, DirectTrust, HIPAA, and SOC 2 (Type II), ISO. • Manage internal and external security audits, including evidence collection and preparation. • Oversee the evidence collection process for audits, working with third-party auditors for response submission. • Work closely with business development and legal to assist with security compliance requirements. • Assist with identifying and implementing international security compliance. • Develop, review, and update information security policies and procedures, such as the Vulnerability and Patch Management Procedure and Data Center Access Procedure. • Ensure policies are communicated and enforced throughout the organization, including through security awareness training. • Participate in the day-to-day operations of the security team and manage security tools and technologies, including Check Point, SentinelOne, and intrusion detection systems. • Monitor security alerts and respond to incidents, including phishing attempts reported through various tools. • Lead and mentor the security team, reviewing tasks and responsibilities while working closely with the DevOps team members. • Evaluate and manage security vendors, including VDA Labs, KnowBe4, reviewing security agreements and contracts. • Perform vendor audits and maintain required documentation. • Develop and deliver security awareness training to employees, including utilizing KnowBe4, TalentLMS, and internal training programs. • Provide onboarding training for new employees. • Develop and manage the security budget, planning and prioritizing security projects, including funding for tools and conferences.

• Serve as an acting CISO for portfolio companies when needed • Build or mature cyber programs, including strategy, roadmap, governance • Run or oversee major incidents, bringing structure and calm during chaotic situations • Assess cyber maturity, identify improvements, and develop action plans • Design and execute end to end security programs across various dimensions • Advise CEOs and boards on cyber strategy and organizational design