Vulnerability Management Analyst

Level

Middle

Department

Other IT Positions

Type

Full Time

Project

bolttech

Locations:

Romania

Remote

Job Details

Posted on:

September 26, 2025

Job ID:

About the Company

Established in 2004, ALLSTARSIT was founded with a clear vision: to enhance the landscape of global IT employment by bridging the gap between companies and skilled professionals. The core belief was that assembling a team shouldn't be hindered by geographical constraints. Fast forward to the present day, ALLSTARSIT stands as an international outstaffing service provider committed to change the way businesses recruit, compensate, and oversee top talent worldwide.

With operational hubs scattered across Europe, Asia, and LATAM, and its headquarters situated in San Francisco, US, the company boasts a workforce of over 1,000 adept professionals. Spanning across more than 20 countries, ALLSTARSIT offers a diverse range of skilled employees across various verticals, including AI, cybersecurity, healthcare, fintech, telecom, media, and so on.

About the Project

bolttech is an international insurtech with a mission to build the world’s leading, technology-enabled ecosystem for protection and insurance. With a full suite of digital and data-driven capabilities, bolttech powers connections between insurers, distributors, and customers to make it easier and more efficient to buy and sell insurance and protection products. A part of Pacific Century Group, bolttech serves customers in multiple markets across North America, Asia and Europe.

In this position you will…

Own the intake, prioritization, and dissemination of security vulnerabilities across bolttech, coordinate scanning across infrastructure, applications and cloud, translate findings into business‑aware risk, and drive closure by engaging system and business owners, while maintaining metrics, KPIs, and executive reporting.

Specialization

Headquarters

Years on the market

Team size and structure

Current technology stack

Required skills:

At least 3 years of hands‑on experience in vulnerability management, threat and vulnerability management or SecOps, with a track record of driving issues to verified closure.
Proven expertise with VM tooling, for example Tenable, Qualys or Rapid7, plus exposure to application and cloud security scanners such as Snyk, container scanning and CSPM.
Strong understanding of prioritisation models, including CVE, CVSS v4.0, EPSS and CISA KEV, and how to apply asset criticality and business context to focus effort.
Practical experience coordinating scans, authenticated and unauthenticated, internal and external, defining safe windows, credentials, scopes and frequencies.
Proficiency with workflow and evidence management, using Jira or similar to route, track, retest and document remediation activities.
Data and automation skills to cleanse data, enrich findings, build dashboards and automate repeatable tasks.
Working knowledge of enterprise platforms, for example AWS, Azure, GCP and Microsoft 365, plus operating system and patching fundamentals for Windows, Linux and macOS.
Familiarity with compliance frameworks, ISO 27001, SOC 2 and PCI DSS, including preparing audit‑ready artefacts for scans, prioritization and retests.
Clear written and verbal communication, able to translate technical issues into business‑relevant risk and influence stakeholders across global teams and time zones.
Education and certifications, degree in Computer Science, Information Security or related field preferred, relevant certifications such as Security+, CySA+, GSEC, or vendor credentials for Tenable, Qualys, AWS, GCP or Azure are a plus.

Scope of work:

Owning the end‑to‑end intake and triage of vulnerabilities from infrastructure and application scanners, code and container security tools, cloud posture sources, bug bounty, and trusted third parties.
Coordinating internal and external, authenticated and unauthenticated scanning, agreeing safe windows, credentials, scopes and frequencies, and ensuring meaningful coverage of internet‑facing and crown‑jewel assets.
Maintaining high‑quality vulnerability data hygiene by mapping findings to assets, applications and owners, deduplicating and suppressing noise according to agreed criteria.
Normalizing and enriching findings in the RBVM platform with business tags, asset criticality and threat intelligence, for example CVSS v4.0, EPSS and CISA KEV, to produce a clear, risk‑based prioritization.
Routing and tracking prioritized work through the agreed workflow and tooling, monitoring status through verification, scheduling retests and keeping records current.
Operating the exception and risk acceptance workflow when required, documenting compensating controls, expiry dates and periodic reviews.
Building and publishing dashboards and reports that show SLA adherence, MTTR, backlog age, KEV and high‑EPSS closure rates, scanner and asset coverage, and owner assignment rates.
Driving continuous improvement by tuning scan policies, credentials and schedules, reducing false positives, refining deduplication and grouping, and improving tagging and risk weights.
Supporting incident response and threat‑driven surges by rapidly identifying exposure, producing owner lists and fast‑tracking high‑risk remediation work.
Maintaining SOPs, standards and knowledge articles for vulnerability management, and preparing audit‑ready evidence for ISO 27001, SOC 2 and PCI DSS where applicable.
Partnering with IT, cloud, product and engineering teams to plan remediation activities and communicate risk and timelines clearly.
Automating repeatable tasks to streamline enrichment, ticket creation and evidence collection.

For you to be successful…

Think risk-first, translating technical findings into clear business impact and priorities.
You are passionate about cybersecurity and turn vulnerability data into meaningful risk reduction for the business.
Communicate effectively with engineers and other stakeholders, using data to influence decisions.
You are collaborative, working across IT, cloud, DevOps and product teams to align remediation plans, timelines and validation steps.
You are meticulous with data hygiene, maintaining accurate asset, owner and finding records, and reducing noise through sensible deduplication and suppression.
You stay current, tracking emerging threats and evolving vulnerability management practices.