Principal Vulnerability Management Analyst @UKG
Software Development
Salary usd 163,900 - 2..
Remote Location
🇺🇸 USA Only
Job Type full-time
Posted 4d ago

[Hiring] Principal Vulnerability Management Analyst @UKG

4d ago - UKG is hiring a remote Principal Vulnerability Management Analyst. 💸 Salary: usd 163,900 - 235,550 per year 📍 Location: USA

Role Description

We are seeking a Sr. Staff Security Researcher who finds and fixes security vulnerabilities, and builds AI-powered automation to do it at scale. This is a hands-on technical role. You will audit source code, discover novel vulnerabilities in UKG's products and infrastructure, develop working proof-of-concept exploits, drive remediation with engineering teams, and build AI-assisted tools that accelerate every phase of that lifecycle.

The ideal candidate is someone who has found real bugs in real products, written real exploits, and built real tools, not someone who writes policies about how other people should do those things. You will be expected to produce tangible security outcomes: vulnerabilities found, vulnerabilities fixed, and automation that makes the next round faster.

Key Responsibilities

  • Vulnerability Discovery & Security Research (35%)
    • Conduct deep-dive source code audits of UKG products (Java, .NET, Python, JavaScript) to discover novel vulnerabilities; examples include hardcoded secrets, authentication bypasses, injection flaws, cryptographic weaknesses, access control gaps, unsafe deserialization, etc.
    • Develop working proof-of-concept exploits that demonstrate real impact: not theoretical risk, but provable exploitation with clear data exposure or access escalation.
    • Perform variant analysis: when you find a bug, systematically search the entire codebase for every instance of the same root cause pattern.
    • Triage and validate findings from automated scanners (SAST, DAST, SCA), separating real vulnerabilities from false positives using source-level analysis.
    • Investigate and reproduce externally reported vulnerabilities (bug bounty, CVEs, vendor advisories) to assess actual exploitability in UKG's environment.
    • Collaborate with engineering teams on remediation: not just filing tickets, but working with developers to design and validate fixes and drive them through to remediation.
  • AI-Powered Vulnerability Automation (40%)
    • Build AI-assisted vulnerability discovery tools using automation (Claude, MCP servers, custom models, etc.) for automated source code analysis, vulnerability pattern matching, and exploit generation.
    • Develop autonomous security scanning agents that can analyze codebases, identify vulnerability patterns, and produce validated findings with minimal human intervention.
    • Create AI-powered remediation tools: automation that generates fix recommendations, patches, and pull requests for discovered vulnerabilities, accelerating the path from finding to fix.
    • Build automated vulnerability lifecycle pipelines: intake from scanners, AI-assisted triage and deduplication, intelligent ticket routing, SLA tracking, and remediation verification.
    • Contribute to the team's shared automation repositories and Claude Code skills store; every tool you build should be reusable by the rest of the team.
  • Vulnerability Management & Remediation Driving (20%)
    • Own vulnerability remediation outcomes for assigned product areas: track findings from discovery through verified fix, holding engineering teams accountable to SLAs.
    • Produce clear, actionable vulnerability reports that engineering teams can act on immediately: root cause, impact, reproduction steps, and recommended fix.
    • Drive mean time to remediate (MTTR) down through better automation, better reports, and direct collaboration with development teams.
    • Support vulnerability management program metrics and dashboards, contributing to reporting that gives leadership real-time visibility into risk posture.
    • Support compliance-driven vulnerability management requirements, including FedRAMP continuous monitoring and POA&M processes, as UKG expands into federal markets.
  • Research & Knowledge Sharing (5%)
    • Publish internal/external research on novel vulnerability classes, AI-assisted discovery techniques, and lessons learned from audits.
    • Stay current on emerging vulnerability classes, exploitation techniques, and defensive patterns relevant to UKG's technology stack.
    • Mentor other team members on vulnerability research methodology, source code analysis, and AI-augmented security tooling.

Qualifications

  • 7+ years of hands-on experience in vulnerability research, application security, or penetration testing, with a track record of finding real vulnerabilities in production software.
  • Demonstrated ability to read and audit source code in at least two of: Java, C#/.NET, Python, JavaScript/TypeScript, Go, C/C++.
  • Experience developing working proof-of-concept exploits: not just scanning, but understanding root causes and proving exploitability.
  • Strong proficiency in Python for building security tools, automation pipelines, and integrations.
  • Experience with AI/ML tools for security: using LLMs for code analysis, building AI-assisted security tooling, or developing autonomous security agents.
  • Deep understanding of common vulnerability classes: injection (SQL, command, LDAP), broken authentication, cryptographic failures, SSRF, deserialization, path traversal, access control, and their variants.
  • Experience with vulnerability management programs: triaging, tracking, and driving remediation of vulnerabilities across engineering organizations.
  • Ability to work directly with development teams: explaining vulnerabilities, reviewing proposed fixes, and validating remediations.
  • Excellent written communication: ability to produce clear vulnerability reports, technical documentation, and executive summaries.
  • Bachelor's degree in Computer Science, Cybersecurity, or equivalent experience.

Preferred Qualifications

  • Published CVEs, security advisories, or bug bounty findings in production software.
  • Experience in SaaS/multi-tenant environments processing sensitive data (HCM, payroll, healthcare, financial).
  • Familiarity with SAST/DAST/SCA tooling and how to reduce false positive rates through source-level validation.
  • Experience with cloud security assessment (AWS, GCP, Azure) including container and Kubernetes vulnerability analysis.
  • Familiarity with FedRAMP, NIST SP 800-53, or federal compliance frameworks, enough to understand vulnerability remediation timelines and reporting requirements in regulated environments.
  • Security certifications that demonstrate hands-on skill: OSCP, OSWE, GWAPT, GXPN, BSCP, or equivalent.
  • Conference presentations, published research, or open-source security tool contributions.
  • Experience with reverse engineering, binary analysis, or firmware security.

Benefits

  • UKG offers a comprehensive total rewards package including competitive base salary, annual bonus, equity, full medical/dental/vision, 401(k) match, unlimited PTO, and professional development budget.
  • This role is eligible for remote work anywhere in the US.