Lead Security Researcher - VRM (Pennsylvania)
The past year has seen a significant rise in widespread attacks and zero-day vulnerabilities that pose a threat to many organizations. In this elevated threat climate, customers need timely, expert response to high-priority security threats so that they may assess exposure and take actions that make them more secure. Rapid7’s emergent threat response team is a group of vulnerability researchers and cross-functional leaders who work across the company to help customers understand and implement defenses against active and impending security threats.
Our researchers analyze CVEs that are being actively exploited in the wild (or are likely to be exploited soon) and publish both in-depth and high-level analysis on vulnerability and exploit trends. At the same time, we aren’t satisfied with a merely reactive approach to security research—we seek to identify, characterize, and contextualize the vulnerabilities and attack vectors that will turn into tomorrow’s widespread threats (or next month’s, or next year’s). We’re looking for a lead or principal-level researcher to join our team and help define strategic vulnerability research priorities, align cross-functional teams on execution, and help defenders get ahead of the attack curve.
Responsibilities:
Work with the VRM research and product teams to define and execute on longer-term priorities across both n-day and zero-day research. We’re looking for someone who understands vulns, has a point of view on what matters to big swaths of enterprise orgs, and can pitch and develop impactful projects that help our customers advance and position Rapid7 as a leader in the VRM space.
Collaboratively influence and engage cross-functional teams to drive understanding and buy-in for the priorities you’ve identified. Act as a mentor and teacher to your peers and more junior teammates.
Perform and publish root cause analyses of high-priority vulns and potential threats that highlight Rapid7’s attacker-focused approach to vulnerability risk management.
Work with our security content engineers to develop vulnerability checks and fingerprints for the very top tier of emergent threats; you’ll primarily act as a consultant in this capacity, but there may also be an occasional need to execute.
Work with the Metasploit team to incorporate new high-value exploits into Metasploit Framework as needed—we believe strongly that defenders benefit from having democratic access to offensive security capabilities in order to understand attacks and test their controls!
Contribute meaningful, story-driven, evidence-backed commentary on the vulnerability landscape to Rapid7’s annual vulnerability intelligence report and other thought leadership vehicles.
Identify and pitch public speaking engagements that raise our profile in the vulnerability research space (optional but a big plus!).
Key competencies:
A clear, specific point of view on vulnerabilities, attack surface area, and exploitation. We have teams at this company who analyze individual threat actors and threat intelligence, but we aren’t one of them. Our purview is vulnerability intelligence—which vulns matter, why they matter, how attacks are going to change (or not), and what defenders can do about it.
Deep understanding of the challenges that vulnerability risk management customers and global organizations face.
A bent toward practicality when defining research priorities. We eschew ivory towers—making research accessible and actionable is what wins customers’ hearts.
Understanding of how urgency and importance can complement each other or detract from one another: your work will fall into both categories, but you’ll need to know when to counsel patience vs. when to raise alarms.
The ability to tell a clear, compelling story both on paper and in front of an audience.
Enormous empathy, patience, and adaptability, with a healthy dose of boundary-setting for sustainable achievement. This industry can be intense and full of fire drills, but we strive to never, ever spread FUD (fear, uncertainty, and doubt) amongst ourselves or our customers. You’ll be a leader on a cross-functional team who supports each other and advocates relentlessly for customers in an ever-changing threat climate—your insight will help us define what the right responses look like and extend our ability to deliver them without succumbing to hype or contributing to alert fatigue.
What you’ll get:
A remote-friendly team who cares about each other and about the community, who prioritizes open information whenever possible, and who will respect your unique strengths, weaknesses, and boundaries.
The ability to work with and learn from some of the lowest-ego, kindest folks in the exploit development and vuln research business. They’re smart and driven, too, but they are kind to one another and the community first and foremost (always).
A high-visibility role with lots of opportunity for growth and leadership, and a cross-functional leadership team who will cheer you on, brag about your work, and advocate for your point of view.
A manager who will listen to feedback, partner with you on defining a career path that excites and inspires you, and support you in prioritizing work-life balance that keeps you healthy and happy.
The opportunity to be part of a company that’s thinking strategically about its future in the industry and its ability to solve problems for customers. Whatever bumps we hit along the way, Rapid7 cares about accessibility and security achievement for its customers. Both VRM and executive leaders also care deeply about research and open source—and they put their money where their mouths are!