Vulnerability Management Analyst

We are seeking a Vulnerability Management Analyst (Tenable/Nessus & Metrics) to support vulnerability tracking, remediation coordination, and security metrics reporting in a federal technology environment. This is a junior-level role (1–3 years of experience) focused on execution and coordination, working hands-on with Tenable/Nessus, iPost, Power BI, Excel, and ticketing systems to ensure that vulnerability data is accurate, actionable, and reportable.

Location: Hybrid - Onsite, Arlington, VA, 1 day/week and as needed

Job Type: Full Time

Education: Bachelor’s degree in computer science or Equivalent

Experience: Minimum 1 year of relevant experience

Clearance: Must hold an Active DoD Secret Clearance or higher

Responsibilities

• Run authorized Tenable/Nessus scans using credentialed scan profiles and review exports to identify CVEs, plugin findings, KEV status, EOL/EOS software risks, and affected assets.
• Validate findings as true or false positives, track vulnerability age using first-seen/last-seen dates, and escalate unresolved findings to senior security staff or system owners.
• Support the full vulnerability lifecycle from intake and triage through ownership assignment, remediation tracking, retest/rescan validation, and closure evidence collection.
• Monitor KEV and Critical/High findings against federal remediation timelines (e.g., BOD 22-01) and flag aging, stale, or blocked findings for escalation.
• Build and maintain Power BI dashboards and Excel reports covering vulnerability posture, patch compliance, KEV status, finding aging, and ownership tracking using Power Query, slicers, and basic DAX measures.
• Produce recurring deliverables including Critical/High aging reports, Tenable/iPost reconciliation summaries, EOL/EOS tracking, and executive snapshots; document KPI definitions and data sources.
• Reconcile vulnerability data across Tenable/Nessus, iPost, ServiceNow/CA ServiceDesk, Jira, SharePoint, POA&M trackers, and Excel exports to identify mismatches and coverage gaps.
• Coordinate with security, development, infrastructure, database, and cloud teams and ISSO stakeholders to drive remediation through closure.

Requirements

• 1–3 years of experience in cybersecurity operations, vulnerability management, SOC, cyber GRC, IT operations, or application security support; working knowledge of CVE, CVSS, KEV, false positives, POA&M tracking, risk acceptance, and vulnerability aging.
• Hands-on Tenable/Nessus experience: executing credentialed scans, analyzing plugin output and CVE findings, validating true/false positives, and building dashboards, saved filters, and exports for KEV, Critical/High, EOL/EOS, and aging tracking.
• Intermediate Power BI (Power Query, data modeling, DAX, slicers) and strong Excel skills (pivot tables, VLOOKUP/XLOOKUP, conditional formatting, deduplication) for vulnerability reporting and KPI tracking.
• Experience with iPost, ServiceNow, CA ServiceDesk, Jira, or SharePoint for remediation tracking; ability to reconcile data across multiple tools, identify mismatches, and maintain accurate ownership and evidence records.
• Familiarity with EOL/EOS software tracking, patch compliance, remediation exceptions, risk acceptance documentation, and closure evidence collection.
• Strong attention to detail, comfort working with large and messy datasets, and clear communication skills for translating technical findings into plain-language updates for leadership and non-technical stakeholders.

Preferred Qualifications

• Experience supporting federal cybersecurity programs or regulated environments; familiarity with NIST SP 800-53, RMF, A&A, ATO, POA&M lifecycle management, CISA BOD 22-01, and FedRAMP vulnerability requirements.
• Exposure to DevSecOps and application security tooling: SAST, DAST, SCA, container image scanning, secrets scanning, or Software Bill of Materials (SBOM) analysis.
• Basic understanding of enterprise patching for Windows Server, Windows workstations, .NET Framework, Java JRE, SQL Server, and endpoint agents; familiarity with Splunk or other SIEM platforms.
• Experience developing SOPs, RACI matrices, or workflow documentation in a security or IT operations context.
• Relevant certifications such as CompTIA Security , CySA , CEH, or equivalent entry-to-mid-level cybersecurity credentials.