Sr. Vulnerability Management Engineer

Ever since we started in 2007, Sunrun has been at the forefront of connecting people to the cleanest energy on Earth. It’s why we’ve become the #1 home solar and battery company in America. Today, we’re on a mission to change the way the world interacts with energy, and we’re building a company and brand that puts power at the center of life. And we’re doing it by designing a dynamic culture where employee development, well-being, and safety come first. We’re unlike any other solar company. Our vertically integrated model gives us total control over every part of the energy lifecycle – from sale through installation and beyond – so you can find endless opportunities for growth. Come join a career you can grow in and a culture you can run with.

This position is primarily remote, with occasional visits to a local office or our corporate headquarters for team-building, training, and collaborative project work. These on-site sessions are designed to strengthen connections, share insights, and ensure a seamless experience for our team and customers. Equipment pick-up from a local branch will be required. We will  provide advance notice whenever on-site attendance is required, making these times purposeful and rewarding.

Position Overview

We are seeking a senior, strategic Vulnerability Management Engineer to lead the evolution and execution of our enterprise-wide vulnerability management program. As our subject matter expert, you will drive strategy, foster a risk-aware culture, and ensure the timely remediation of vulnerabilities across our diverse on-premise and multi-cloud environments. This is a pivotal leadership role focused on transforming vulnerability management into a core information security strength, directly safeguarding our organization's assets and data.

Key Responsibilities:

Strategic Leadership & Program Development:

• Develop and own the enterprise vulnerability management strategy, roadmap, policies, and standards, ensuring alignment with business objectives and regulatory requirements.

• Act as the definitive subject matter expert on vulnerability threats, exploitation techniques, and mitigation strategies, providing thought leadership to the organization.

• Define the organization's risk appetite in collaboration with executive leadership, ensuring the program operates effectively within established risk tolerance levels.

• Mentor and guide junior engineers and analysts, serving as the technical escalation point for complex vulnerability issues.

Operational Excellence & Remediation:

• Lead the end-to-end vulnerability management lifecycle: from asset discovery, scanning, and analysis to reporting and remediation tracking across all on-premise, cloud (IaaS, PaaS, SaaS), and containerized environments.

• Architect, manage, and optimize our suite of vulnerability management tools (e.g., Tenable, Qualys, Rapid7, Wiz, Prisma Cloud) to ensure comprehensive coverage and efficiency.

• Drive automation and continuous improvement within the program to streamline processes and enhance capabilities.

• Partner with IT and engineering teams to maintain a comprehensive and accurate asset inventory, a critical foundation for program success.

Collaboration & Communication:

• Build strong partnerships with Engineering, IT, DevOps, and Application Development teams to drive the timely remediation of vulnerabilities and ensure adherence to SLAs.

• Develop and maintain robust metrics, KPIs, and KRIs to measure program effectiveness and communicate our security posture to technical teams and executive leadership.

• Design and deliver clear, actionable dashboards and reports that translate complex technical data into business-relevant risk insights.

• Champion "shift-left" principles by working with DevSecOps teams to integrate security into the Software Development Lifecycle (SDLC).

Qualifications & Experience

• 8+ years of progressive experience in cybersecurity, with 5+ years specifically dedicated to enterprise-scale vulnerability management in complex, hybrid environments.

• Proven track record of developing, leading, and maturing a successful vulnerability management program with measurable improvements in risk reduction.

• Deep, hands-on expertise with leading vulnerability scanning platforms (Tenable, Qualys, etc.) and cloud security posture management (CSPM) tools (Wiz, Prisma Cloud, etc.).

• Expert understanding of the vulnerability lifecycle, risk assessment, and advanced prioritization techniques (CVSS, EPSS, CISA KEV).

• Proficiency in assessing vulnerabilities across diverse environments, including on-premise infrastructure, multi-cloud platforms (AWS, Azure, GCP), and container technologies (Docker, Kubernetes).

• Exceptional leadership and communication skills, with the ability to influence cross-functional teams and present complex technical concepts to both technical and executive audiences.

Preferred Qualifications:

• Bachelor’s degree in a relevant field (Computer Science, Cybersecurity, etc.) or equivalent extensive experience.

• Experience with scripting languages (Python, PowerShell) to automate tasks and integrate tools.

• Knowledge of "Security as Code" principles and experience integrating security into CI/CD pipelines.

• Familiarity with compliance frameworks (PCI DSS, HIPAA, SOX, NIST) and their impact on vulnerability management.

• Highly desirable certifications: CISSP, CISM, CRISC, GIAC, OSCP, or relevant cloud security certifications.

Recruiter:

Please note that the compensation information is made in good faith for this position only.  It assumes that the successful candidate will be located in markets within the United States that warrant the compensation.  Please speak with your recruiter to learn more.

Starting salary/wage for this opportunity:

Compensation decisions will not be based on a candidate's salary history. You can learn more here.

This job description outlines the primary responsibilities, some essential job functions, and qualifications for the role. It may not include all essential functions, tasks, or requirements. If you are a qualified individual with a disability and you need reasonable accommodation during the hiring process or to perform this role, please contact us at [email protected].

Sunrun is proud to be an equal opportunity employer that does not tolerate discrimination or harassment of any kind.  We believe that empowering people and valuing their differences are essential for our mission of connecting people to the cleanest energy on earth. Learn more here: EEO | Sunrun