What are the responsibilities and job description for the Security Engineer – Attack Surface Management (ASR) position at Exegy?
About Exegy
Exegy is a global leader in intelligent market data, advanced trading systems, and future-proof technology. Exegy serves as a trusted partner to the complete ecosystem of the buy-side, sell-side, exchanges, and financial services technology firms around the globe. Headquartered in St. Louis with regional offices in North America, the UK/Europe and Asia Pacific, Exegy has the global footprint to deliver world-class support and managed services to its customer base of elite financial market participants.
Job Summary
We are seeking a hands-on Security Engineer – ASR to own and mature our vulnerability management program with a clear mandate to reduce real organizational risk and shrink our attack surface. This role goes beyond scanning and reporting—success is measured by fewer exploitable weaknesses, faster remediation, and sustained risk reduction over time.
The ideal candidate is analytical, persistent, and pragmatic, with the ability to translate vulnerability data into clear, risk-based prioritized actions that engineering and /or IT teams can execute.
Responsibilities
Risk-Driven Vulnerability Management
Technical Experience
Exegy is a global leader in intelligent market data, advanced trading systems, and future-proof technology. Exegy serves as a trusted partner to the complete ecosystem of the buy-side, sell-side, exchanges, and financial services technology firms around the globe. Headquartered in St. Louis with regional offices in North America, the UK/Europe and Asia Pacific, Exegy has the global footprint to deliver world-class support and managed services to its customer base of elite financial market participants.
Job Summary
We are seeking a hands-on Security Engineer – ASR to own and mature our vulnerability management program with a clear mandate to reduce real organizational risk and shrink our attack surface. This role goes beyond scanning and reporting—success is measured by fewer exploitable weaknesses, faster remediation, and sustained risk reduction over time.
The ideal candidate is analytical, persistent, and pragmatic, with the ability to translate vulnerability data into clear, risk-based prioritized actions that engineering and /or IT teams can execute.
Responsibilities
Risk-Driven Vulnerability Management
- Own the end-to-end vulnerability lifecycle: discovery, prioritization, remediation tracking, and validation
- Maintain accurate asset and exposure visibility across endpoints, servers, cloud workloads, SaaS, and internet-facing systems
- Perform regular vulnerability scanning and ad-hoc assessments
- Prioritize remediation based on real-world risk, considering:
- Exploitability and threat intelligence
- Asset criticality and business impact
- Exposure (internet-facing, privileged systems, sensitive data)
- Reduce vulnerability noise by deduplicating findings and focusing teams on what matters most
- Track remediation progress and validate fixes
- Identify and eliminate:
- Unmanaged or unknown assets
- Legacy systems with chronic vulnerabilities
- Misconfigurations that expand attack surface
- Partner with IT and Engineering to:
- Improve patching cadence
- Enforce secure configuration baselines
- Reduce recurring vulnerability patterns
- Recommend compensating controls where remediation is not immediately feasible
- Conduct targeted threat analysis and light threat hunting to identify exploitation attempts and abnormal authentication or privilege activity
- Feed threat intelligence and observed attacker behavior back into vulnerability prioritization
- Improve detection, hardening, and prevention based on findings
- Work closely with IT, Engineering, and Infrastructure teams to drive remediation outcomes
- Translate technical vulnerabilities into clear, actionable risk statements
- Provide leadership with concise, outcome-focused metrics and trend reporting
- Contribute to security standards, procedures, and operational improvements
- Reduction in critical and high-risk vulnerabilities over time
- Mean time to remediate (MTTR)
- Percentage of assets with known ownership and patch coverage
- Reduction in repeat or systemic vulnerabilities
- Demonstrated attack surface reduction (fewer exposed services, unused assets, misconfigurations)
Technical Experience
- 3 years of hands-on experience in security engineering, vulnerability management, or a closely related discipline
- Strong working knowledge of common vulnerability classes, exploitation techniques, and attacker methodologies
- Solid foundation in operating systems, networking concepts, and cloud fundamentals
- Experience using vulnerability scanning, detection, and security monitoring tools to identify and assess risk
- Demonstrated ability to prioritize remediation efforts based on business and technical risk rather than raw finding volume
- Familiarity with how vulnerabilities map real-world attack techniques and threat models
- Working knowledge of widely adopted security frameworks and control sets (e.g., MITRE ATT&CK, NIST CSF, ISO 27001, CIS Controls)
- Ability to contextualize vulnerability findings within broader security, operational, and compliance considerations
- Capable of clearly documenting vulnerability findings, risk rationale, and remediation guidance
- Effective in working with engineering, infrastructure, and IT teams to drive timely remediation
- Comfortable translating technical findings into actionable work items and recommendations
- Experience operating in lean or resource-constrained environments where prioritization and pragmatism are critical
- Exposure to integrating vulnerability findings into ticketing, backlog management, or ITSM workflows
- Relevant security certifications (e.g., Security , CEH, CISSP) or equivalent practical experience are beneficial but are not required