Vulnerability Operations Engineer - Remote
CentralSquare Technologies is Hero-Grade. As the trusted provider of public sector software in North America, more than 8,000 agencies rely on our comprehensive, cloud-based platform to manage critical operations - from dispatch to records, permitting to payroll. We serve with purpose and stand together with our heroes, committed to supporting the public sector with software built for impact.

What We’re About

At CentralSquare, we don’t just build software - we power public servants and uplift communities with Hero-Grade Technology. Every line of code, every feature we deliver helps heroes across North America protect, serve, and save lives. When you join us, you become part of a mission-driven team creating technology that makes communities safer and stronger.

Your Growth Matters. We believe heroes deserve opportunities to rise. That’s why we invest in your career with mentorship, learning programs, and clear paths for advancement. If you’re motivated, there’s no limit to how far you can go.

Your Commitment Deserves Reward. We offer competitive compensation and a benefits package designed to support your life inside and outside of work—tuition reimbursement, parental leave, paid volunteer hours, and unlimited PTO. Plus, our flexible work environment gives you the freedom to balance your heroic work with personal well-being, whether you’re in the office or remote.

Join us and help build the tools that power real-life heroes. Together, we make a difference.

The Role

CentralSquare is seeking a Vulnerability Operations (VulnOps) Engineer to join our Security team. This is an individual contributor role purpose-built for the post-AI era of vulnerability discovery — where AI models can now find and exploit flaws at machine speed, and reactive patch cycles are no longer sufficient.

This role is not an advisory function. The VulnOps Engineer owns the full pipeline from discovery through fix delivery: running AI-powered scanning against CentralSquare's codebases and dependencies on a continuous basis, generating validated fixes, and submitting ready-to-merge pull requests into owning teams' Azure DevOps pipelines. App teams retain code review and merge authority; this role exists to ensure they are never handed a problem without also being handed a solution.

Job Duties Include

Proactive Vulnerability Discovery
- Operate and continuously improve an AI-powered scanning pipeline across CentralSquare's first-party codebases, open-source dependencies, and infrastructure components
- Use Claude Code, Veracode, and Orca to conduct ongoing static analysis, software composition analysis (SCA), and cloud posture assessments
- Apply reachability analysis to distinguish genuinely exploitable vulnerabilities from theoretical findings, reducing alert fatigue and focusing remediation effort where risk is real
- Monitor threat intelligence feeds, CVE disclosures, and coordinated disclosure programs (including Project Glasswing patch releases) to identify newly disclosed vulnerabilities affecting CentralSquare's software supply chain

Fix Development and Delivery
- Develop and validate fixes (code patches, dependency upgrades, configuration changes) using AI coding agents such as Claude Code, verifying resolution without regressions before submission
- Submit validated fixes as pull requests into owning teams' Azure DevOps repositories, with clear documentation of the vulnerability, risk context, and fix rationale to support efficient review and merge
- Collaborate with application and infrastructure teams during code review, providing technical context and responding to questions about proposed changes

SLA Ownership and Reporting
- Own the end-to-end SLA lifecycle for all open findings, maintaining real-time tracking of detection, fix submission, and merge status in the vulnerability management system
- Proactively escalate findings approaching SLA breach with remediation options and risk context
- Produce regular reporting on pipeline health, SLA adherence, remediation velocity, and open risk posture for the security leadership team

Toolchain and Pipeline Maintenance
- Own the configuration, tuning, and operational health of VulnOps tooling including Veracode, Orca, Claude Code, and Azure DevOps security integrations
- Identify and reduce false positive rates through policy tuning and reachability filtering, ensuring signal quality remains high as scan volume increases
- Contribute to the development of automated remediation pipelines, including AI-assisted fix generation integrated directly into CI/CD workflows
- Evaluate and recommend new tools and capabilities as the AI security tooling landscape evolves

Cross-Functional Collaboration
- Work closely with application engineering, DevOps, and infrastructure teams to ensure fix delivery is efficient and minimally disruptive to development velocity
- Provide security guidance to engineering teams on secure coding practices and dependency management in the context of AI-accelerated vulnerability discovery
- Partner with the Risk and Compliance team to ensure vulnerability data and SLA metrics align with audit and regulatory reporting requirements (NIST CSF, PCI DSS, CJIS)
- Perform other duties as assigned

What You'll Bring to Numerator

Qualifications

Education and Experience
- Bachelor's degree in Cybersecurity, Computer Science, or Information Technology, or equivalent professional experience
- 5-7 years of professional experience in application security, vulnerability management, or a combined security engineering role
- Demonstrated hands-on experience using AI coding agents (Claude Code or equivalent) to find, evaluate, and generate fixes for software vulnerabilities

Technical Skills
- Proficiency with SAST and SCA tooling; direct experience with Veracode strongly preferred
- Experience with cloud security posture management; direct experience with Orca preferred
- Working experience with Azure DevOps for CI/CD pipeline integration and pull request workflows
- Ability to read, understand, and write code across at least two languages commonly used in enterprise SaaS environments (e.g., Java, C#, Python, JavaScript/TypeScript, Terraform)
- Strong understanding of reachability analysis and the ability to apply it to distinguish exploitable findings from theoretical risk
- Familiarity with dependency and supply chain security concepts, including SBOM generation and management
- Working knowledge of common vulnerability classes (injection, memory corruption, authentication flaws, insecure deserialization, etc.) and their remediation patterns
- Understanding of security frameworks including NIST CSF and CIS Controls

Soft Skills and Work Style
- Highly systematic and process-driven — capable of managing a high volume of concurrent findings without losing precision or letting items fall through the cracks
- Self-directed and accountable: this role is measured by fix delivery and SLA outcomes, not activity metrics
- Strong written communication skills — fix submissions must include documentation that gives owning teams sufficient context for confident, efficient code review
- Comfortable working across organizational boundaries, earning credibility with engineering teams through technical quality rather than authority
- Able to prioritize effectively under pressure, with clear judgment about when to escalate versus resolve independently

CJIS Clearance

A required part of the onboarding process for this role involves obtaining CJIS (Criminal Justice Information Services) clearance—a critical credential for safeguarding public safety data. At CentralSquare, we’ll stand with you every step of the way to secure this clearance should you be selected for hire. As part of the process, a comprehensive background check will be conducted, and please note that U.S. citizenship or permanent residency is generally required to obtain CJIS clearance.