Overview
Fred Hutchinson Cancer Center is an independent, nonprofit organization providing adult cancer treatment and groundbreaking research focused on cancer and infectious diseases. Based in Seattle, Fred Hutch is the only National Cancer Institute-designated cancer center in Washington.
With a track record of global leadership in bone marrow transplantation, HIV/AIDS prevention, immunotherapy and COVID-19 vaccines, Fred Hutch has earned a reputation as one of the world’s leading cancer, infectious disease and biomedical research centers. Fred Hutch operates eight clinical care sites that provide medical oncology, infusion, radiation, proton therapy and related services, and network affiliations with hospitals in five states. Together, our fully integrated research and clinical care teams seek to discover new cures to the world’s deadliest diseases and make life beyond cancer a reality.
At Fred Hutch we value collaboration, compassion, determination, excellence, innovation, integrity and respect. Our mission is directly tied to the humanity, dignity and inherent value of each employee, patient, community member and supporter. Our commitment to learning across our differences and similarities makes us stronger. We seek employees who bring different and innovative ways of seeing the world and solving problems.
As a senior member of the Information Security Operations team, you will anchor the organization’s Vulnerability Operations (VulnOps) practice, serving as a subject matter expert who owns the discover, prioritize, remediate, and validate loop end to end. You will drive risk-based exposure management, mentor junior team members, and shape how Fred Hutch identifies, assesses, and orchestrates the remediation of vulnerabilities across a complex hybrid estate.
We are looking for a Vulnerability Operations Engineer to mature our exposure management program beyond scan-and-patch toward exploitability-in-context prioritization.
Reporting to the Director of Information Security Engineering & Operations, you will scope and run scanning across cloud and on-premises assets, validate and triage findings, separate noise from materially risky exposure, and translate results into clear, owner-assigned remediation that actually gets fixed. You will partner closely with Fred Hutch architecture, development, systems engineering, and network engineering teams to embed vulnerability checks into their workflows, build automation that scales the program, and raise our level of compliance with information security standards. If this sounds like you, come help Fred Hutch in the fight against cancer and infectious disease by reducing the attack surface and protecting our research and our patients! This role will have the opportunity to work partially at our campus and remotely. Evening and/or weekend work may occasionally be required.
Responsibilities
- Own the vulnerability management lifecycle end to end—asset scoping, scanning, validation, triage, and remediation tracking—across cloud, on-premises, and hybrid environments.
- Lead risk-based, exploitability-in-context prioritization that separates noise from materially risky exposure, combining CVSS with EPSS, CISA KEV, and vendor advisories along with asset and reachability context, rather than ranking by raw score alone.
- Interpret scan results at scale: filter false positives, correlate findings with exploitability and active threat intelligence, and translate them into clear, prioritized tickets with named owners and actionable remediation guidance.
- Build, tune, and maintain the exposure management toolchain—evaluating and integrating vulnerability scanners, attack-surface and asset-graph tooling, and exposure management platforms for operational fit.
- Design and run remediation orchestration: set patch SLAs by risk tier, drive remediation campaigns (for example, end-of-life asset cleanup and TLS/certificate uplift), and keep multiple remediation streams moving across the teams that own the fix.
- Develop and maintain automation and scripting (Python, PowerShell, Bash) to de-duplicate findings, enrich them with CMDB and asset data, and push outputs into ticketing and notification systems instead of working from static reports.
- Integrate vulnerability operations into operational workflows through APIs for scanners, CMDB, and ITSM platforms, and partner with DevOps and engineering teams to embed vulnerability and infrastructure-as-code checks into CI/CD pipelines.
- Maintain a runtime-validated, identity-aware view of the asset estate, working toward reachability analysis that can answer which assets an identity can reach and which identities can reach a given asset.
- Operationalize software supply chain visibility—keeping SBOMs queryable and current so exposure to a newly disclosed component vulnerability can be answered in minutes rather than days.
- Define and maintain repeatable exception, risk-acceptance, and revalidation processes, ensuring accepted risk is documented, time-bound, and periodically re-reviewed.
- Build and report program metrics that turn raw findings into managed exposure—mean time to remediate, percentage of criticals closed within SLA, exploitability-weighted backlog, and exposure by business unit—including executive- and board-ready summaries that emphasize trend over point-in-time numbers.
- Apply AI-assisted tooling where it adds leverage—for example, to accelerate triage, enrichment, exploit reasoning, and code or configuration review—while maintaining human validation and sound judgment over automated findings.
- Serve as the subject matter expert for the vulnerability operations domain, providing technical guidance and mentorship to Level I and Level II engineers.
- Align vulnerability operations with threat intelligence and active incidents, prioritizing exposures under active exploitation and supporting incident response when a vulnerability is implicated.
- Contribute to compliance audits and assessments (HIPAA, NIST, CIS), ensuring vulnerability management controls meet regulatory and institutional requirements, and participate in on-call rotation as an escalation point for high-priority exposures.
Qualifications
MINIMUM QUALIFICATIONS:
- Bachelor’s degree or equivalent work experience in a technical discipline related to Information Technology
- Minimum 7 years hands-on information security experience, including experience conducting technical and non-technical risk assessments
- Strong knowledge of information security risk management and information security technologies (e.g. SIEM, vulnerability management, data loss prevention, and/or endpoint protection)
- Proven track record and experience interpreting information security policies and procedures and successfully communicating with non-security workforce.
- Understanding of compliance and regulatory requirements such as HIPAA and PCI
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
PREFERRED QUALIFICATIONS:
- Strong, hands-on command of the vulnerability management lifecycle: asset scoping, scanning, validation, triage, and remediation tracking.
- Fluency with CVSS and related scoring and metadata (EPSS, CISA KEV, vendor advisories), with the judgment to separate noise from materially risky exposure.
- Working knowledge of common infrastructure and application vulnerability classes (e.g., injection, deserialization, RCE, misconfiguration, weak cryptography, default credentials) and how they are actually exploited.
- Demonstrated ability to interpret scan results, filter false positives, correlate findings with exploitability, and produce clear, prioritized, owner-assigned remediation.
- Solid grasp of network architecture (subnets, routing, network zones and segmentation) and of OS internals and hardening across Windows and Linux.
- Working knowledge of cloud platform security controls (AWS, Azure, or GCP) and how cloud misconfigurations surface as exposure.
- Scripting and automation experience (Python, PowerShell, or Bash) to enrich, de-duplicate, and route findings into ticketing and operational workflows.
- Experience mapping vulnerabilities to business impact, regulatory requirements, and internal policy, including risk-tiered patch SLAs.
- Strong written and verbal communication, with the ability to write concise tickets and executive-friendly summaries and to facilitate remediation working sessions across teams.
- Demonstrated ability to mentor and guide junior team members.
- Advanced security certifications such as GIAC GEVA (Enterprise Vulnerability Assessor), GIAC GCIH, CISSP, or equivalent.
- Vendor-specific vulnerability scanner or exposure management certifications, or equivalent.
- Familiarity with SOAR or orchestration tooling (e.g., Ansible, Tines, or custom pipelines) to automate scanning, tagging, and remediation workflows.
- Experience with cyber asset attack surface management (CAASM) or asset-graph approaches that join asset and identity data.
- Experience with application security tooling and concepts (SAST, DAST, SCA) and the discover–prioritize–remediate–validate loop as it extends into the software development lifecycle.
- Proficiency with infrastructure-as-code tools (Terraform, CloudFormation) and container orchestration (Kubernetes, Docker).
- Experience developing security tooling and integrations using Python, Go, or similar languages.
- Experience using AI-assisted tooling for vulnerability triage, exploit reasoning, enrichment, or code review, with appropriate human validation.
- Experience with threat intelligence platforms and exploit-intelligence sources.
- Experience in a healthcare, biomedical research, or academic environment.
The annual base salary range for this position is from $120,931 to $191,131, and pay offered will be based on experience and qualifications. Although Fred Hutch is not sponsoring most H-1B visas at this time, candidates who already hold an H-1B sponsored by another organization and are currently in the U.S. may be eligible for this position.
Fred Hutchinson Cancer Center offers employees a comprehensive benefits package designed to enhance health, well-being, and financial security. Benefits include medical/vision, dental, flexible spending accounts, life, disability, retirement, family life support, employee assistance program, onsite health clinic, tuition reimbursement, paid vacation (12-22 days per year), paid sick leave (12-25 days per year), paid holidays (13 days per year), and paid parental leave (up to 4 weeks).