Senior Security Engineer – Attack Surface Management

Location:

As a member of the Cyber Defense team within Corporate Information Security the Senior Exposure Management Engineer is responsible for leading the continuous identification inventory monitoring and reduction of KeyBanks digital and physical attack surface. This role drives the ASM strategy across cloud and on-premises environments combining external threat visibility with internal exposure reduction. The engineer oversees asset discovery vulnerability management and exposure monitoring ensuring exploitable weaknesses are rapidly identified prioritized and remediated based on threat intelligence and business impact. The role involves close collaboration with cross-functional teams to align ASM initiatives with organizational risk priorities and regulatory requirements.

Key Responsibilities

• Attack Surface Reduction: Continuously discover all digital assets including domains IPs cloud buckets APIs endpoints and applications. Develop and implement strategies to reduce exposure across digital assets. Monitor KeyBanks environment to ensure the attack surface is minimal.
• Exposure & Vulnerability Monitoring:
  Lead vulnerability scanning operations and coordinate with patching teams for remediation. Monitor new threats changes to the attack surface and emerging risks using automated tools and threat intelligence feeds. Prioritize vulnerabilities based on asset criticality threat intelligence and exposure risk.
• Risk-Based Prioritization & Remediation:
  Translate technical risk information into actionable insights for business leaders. Enable swift remediation through workflow automation ServiceNow integration and proactive notifications.
• Threat Intelligence Integration:

Collaborate with threat intelligence and Red Teams to incorporate external threat data and validate ASM controls through adversary simulation.

• Governance Reporting and Collaboration:
  Support asset ownership identification and maintain robust accountability frameworks. Offer guidance on governance frameworks and support the creation of remediation playbooks. Collaborate with IT CIS and third-party risk teams to align ASM initiatives with organizational risk priorities.
• Compliance Reporting:
  Define and track key performance indicators for ASM effectiveness (e.g. reduction in exposed assets time to remediate vulnerabilities). Track and report on configuration compliance metrics maintain automated dashboards and provide visibility to stakeholders and leadership.
• Documentation & Audit Support:
  Document configuration changes exceptions and remediation activities. Support internal and external audits by providing evidence of compliance and remediation.
• Process Automation:
  Assist in the development and automation of configuration management and compliance reporting tools and frameworks.
• Knowledge Sharing:
  Share knowledge and best practices with the team through presentations documentation and training sessions. Mentor junior team members to foster a culture of security awareness.
• Incident Response:
  Support incident response and remediation efforts by identifying and correcting misconfigurations and partnering with blue teams to improve detection and response capabilities related to configuration changes and vulnerabilities.

Required Qualifications

• Bachelors degree in computer science cybersecurity or related fieldor equivalent experience.
• 8 years of experience in security engineering attack surface management configuration management or related roles.
• Demonstrated experience in contextualizing vulnerabilities using threat intelligence asset classification and business impact.
• Proficiency with scripting languages such as PowerShell Python or Bash for automation integration and process improvement in security operations.
• Experience with ASM/OSINT tools (e.g. BurpSuite AMASS PassiveTotal SecurityTrails Nuclei Recon-NG GoWitness MassDNS Masscan Shodan Bitsight etc.).
• Proficiency with configuration management tools (e.g. Ansible Chef Puppet)
• Experience with vulnerability management platforms (Tenable Qualys Rapid7 etc.) running vulnerability scans monitoring agent health and maintaining scanner operability.
• Strong understanding of Cisco Windows Linux Kali Linux Oracle Linux and macOS operating systems.
• Hands-on experience with cloud platforms (Google Cloud Microsoft Azure AWS).
• Familiarity with security frameworks and standards (e.g. CIS Benchmarks SCAP NIST CSF MITRE ATT&CK PCI-DSS).
• Experience with ServiceNow security-related modules such as Vulnerability Response & Configuration Compliance.
• Strong data management reporting and communication skills.
• Willingness to travel.

Preferred Certifications

• Certified Information Systems Security Professional (CISSP)
• GIAC Security Essentials (GSEC)
• GIAC Certified Vulnerability Assessor (GCVA)
• Microsoft Certified: Azure Security Engineer Associate
• AWS Certified Security Specialty
• Google Cloud Security Engineer
• Offensive Security Certified Professional (OSCP)

COMPENSATION AND BENEFITS

Please click here for a list of benefits for which this position is eligible.

Key has implemented an approach to employee workspaces which prioritizes in-office presence while providing flexible options in circumstances where roles can be performed effectively in a mobile environment.

Qualified individuals with disabilities or disabled veterans who are unable or limited in their ability to apply on this site may request reasonable accommodations by emailing