Company Overview VulnCheck delivers next-generation exploit and vulnerability intelligence solutions for enterprise, Government and product teams to prevent large-scale remote code execution events with better, faster exploit data, massive-scale real-time monitoring and predictively-built detection artifacts. VulnCheck’s 300M+ unique data from 400+ sources points help vulnerability management and response teams outpace adversaries - autonomously. VulnCheck is an RSAC Innovation Sandbox finalist and a Black Hat Startup Spotlight finalist. Job Summary Are you passionate about advancing the science of vulnerability analysis and threat intelligence? Do you want to join a mission-driven team that delivers real-world impact—and has the resources and technical culture to fuel your curiosity? We’re searching for a Senior Vulnerability Analyst with a deep understanding of the vulnerability management ecosystem, hands-on experience with the CVE process, and expert knowledge in standard frameworks like MITRE ATT&CK, CAPEC, CWE, and CVSS. This is a rare opportunity to leverage your skills and experience as a contributor to, or expert user of, CVE and related MITRE capabilities—while taking your career in vulnerability research to the next level. Location This is a 100% remote role with preference for candidates based in Greater DMV (District of Columbia, Maryland, and Virginia), (Boston) Massachusetts, or (Austin) Texas. Why Join VulnCheck? VulnCheck stands behind its mission to influence how organizations worldwide understand, assess, and remediate security vulnerabilities - and to deliver intelligence-based solutions that change the world. We especially welcome candidates bringing operational or leadership experience from the CVE Program or adjacent efforts—your background is valued here. You’ll be joining a collaborative, supportive environment that values intellectual curiosity, technical mastery, and personal growth. (And more - below) Leverage your expertise: Work on cutting-edge threat intelligence initiatives that matter, alongside the top domain experts in the field. Shape the industry: Influence how vulnerabilities are classified, scored, mapped, and remediated at scale for enterprise customers and for the entire cybersecurity industry. Grow your impact: Collaborate with global partners, lead high-visibility projects, and drive standards across the security community. Innovate and explore: Conduct research and develop tools for automating and improving vulnerability enrichment and mapping. Key Responsibilities Map vulnerabilities: Analyze and map discovered vulnerabilities to MITRE ATT&CK techniques and CAPEC attack patterns with precision and consistency. CWE assignment: Determine and assign accurate CWE (Common Weakness Enumeration) IDs, producing well-documented rationales. CVSS calculation: Authoritatively calculate CVSS v3/v4 base scores, providing transparent, defensible justifications. CVE Processing: Review, draft, and curate CVE Records, ensuring data quality, fidelity, and consistency with CVE Program standards. Collaboration: Liaise with vulnerability researchers, product security teams, and standards communities to ensure best practices and knowledge transfer. Process improvement: Develop and refine workflows and playbooks for vulnerability triage, mapping, and reporting. Mentorship: Share your expertise by mentoring junior analysts and driving team knowledge-sharing initiatives. Required Qualifications Preferred Qualifications Experience contributing to the evolution of vulnerability standards (e.g., participation in CVE Editorial Boards, CAPEC Working Groups, or similar). Familiarity with automation tools or programming/scripting languages (Python, Golang, etc.) for data enrichment or workflow improvement. Published research, whitepapers, or presentations in the field of vulnerability analysis, mapping, or threat intelligence. Benefits Competitive compensation package. Comprehensive, 100% company-paid medical, dental, and vision plans. Flexible work arrangements with the option to work remotely. Dynamic work environment with opportunities for growth and advancement. Access to continuous learning and development programs. Ready to move from enabling the ecosystem to leading its evolution? Apply now and help us protect what matters most!

• Maintain various EPA System security and privacy control implementation deliverables based on a NIST 800-53 rev5 control framework. • Update, maintain, and drive security and privacy documentation designed to protect the cloud- and host-based systems from both internal and external threats. • Review identified cyber security vulnerabilities and assist with the recommendation, documentation, and implementation of appropriate mitigations or countermeasures. • Conduct and support periodic reviews of the information system to ensure compliance with the security and privacy authorization package. • Review, create, and enhance security and privacy documentation to ensure continued compliance with security and privacy requirements. • Coordinate the response to the annual continuous monitoring assessment audit. • Ensure audit evidence are collected, reviewed, and documented, including any risk determinations and plans of actions and milestones. • Identify and notify the program manager when changes occur that might affect the authorization determination for the information system. • Provide analysis of systems, hardware, software, and maintenance needs. • Create and review annually the security- and privacy-related documentation. • Develop, coordinate, and conduct training and tabletop exercises related to continuity of operations, contingency planning, incident handling, awareness, etc. • Update control implementation tools like XACTA to maintain compliance against NIST 800-53 rev 5.

• Execute vulnerability management activities using ACAS, ESS, SCAP tools, and manual validation techniques to confirm findings and reduce false positives. • Conduct application and web vulnerability assessments using tools such as Burp Suite and document results with clear remediation guidance. • Support vulnerability triage and prioritization based on mission impact, exposure, exploitability, and operational constraints. • Support the Vulnerability Disclosure Program (VDP) by managing intake, validation, tracking, and coordination with remediation stakeholders. • Ensure vulnerability findings, evidence, and remediation status are accurately documented and traceable within RMF artifacts (e.g., assessment inputs and POA&M updates). • Support SCAP/STIG-related validation by correlating scan results to configuration baseline requirements and documenting compliance status. • Demonstrate the ability to perform—or a strong willingness to learn—security assessment activities across ACAS, ESS, Burp Suite, VDP workflows, and SCAP/STIG compliance processes. • Cloud Security: Configure and manage AWS Security toolsets (CloudTrail, GuardDuty, Inspector, Security Hub). • Execute DISA STIG compliance activities across operating systems, applications, databases, and network devices • Validate security baselines using SCAP and manual assessment techniques • Identify deviations, document compensating controls, and support risk acceptance requests • Ensure configuration compliance aligns with mission requirements and operational constraints • Maintain and update RMF packages throughout the system lifecycle • Support ATO, IATT, and continuous monitoring activities • Track POA&Ms and remediation actions to completion • Coordinate with Government System Owners, ISSOs, ISSEs, and Authorizing Officials • Support cybersecurity assessments, inspections, and compliance reviews • Support SIEM monitoring and alert analysis • Assist with ESS deployment, configuration, and reporting • Support log analysis, threat detection, and incident response activities • Assist with continuous monitoring and cybersecurity metrics reporting

• Coordinate and execute recurring GRC tasks such as quarterly access reviews, audit evidence collection, and risk register reconciliation. • Document and track completion of control activities and escalate issues where needed. • Assist with internal and external audits, ensuring timely and complete evidence collection and review. • Collaborate with Sales, Legal, and Product teams to lead responses for customer security questionnaires and RFPs, progressively owning more complex requests as your experience deepens. • Maintain and continuously improve a centralized repository of commonly requested security documentation and artifacts (e.g., SOC 2, SIG, CAIQ). • Work closely with a broad array of business leaders to conduct initial and periodic vendor risk assessments, ensuring that third parties meet Rightway's security and compliance standards. • Track and follow up on remediation plans and risk treatment for vendors posing unacceptable risk. • Enable and support automation and optimization of the vendor risk assessment lifecycle using both AI and traditional tooling. • Support the implementation and operationalization of AI risk and governance controls in alignment with ISO/IEC 42001 (AI Management System) and emerging regulatory guidance e.g., CAIA (Colorado AI Act). • Monitor AI systems for compliance with ethical and legal standards.