Principal Vulnerability Management Analyst- Eng

Why UKG: At UKG, the work you do matters. The code you ship, the decisions you make, and the care you show a customer all add up to real impact. Today, tens of millions of workers start and end their days with our workforce operating platform. Helping people get paid, grow in their careers, and shape the future of their industries. Thatu2019s what we do. We never stop learning. We never stop challenging the norm. We push for better, and we celebrate the wins along the way. Here, youu2019ll get flexibility thatu2019s real, benefits you can count on, and a team that succeeds together. Because at UKG, your work mattersu2014and so do you. About the Team The Security Research & Innovation (SRI) team within Global Security is a high-impact, automation-first security organization responsible for vulnerability management, security research, and red team operations. This team has an exceptional automation culture u2014 all team members build production automation that eliminates manual work at scale. Our security researchers conduct deep-dive source code audits, discover novel vulnerabilities in UKG products, build AI-powered tools that find and help fix bugs at scale, and drive measurable risk reduction across the entire product portfolio. This team has produced findings that protected thousands of customer environments and built automation platforms that multiply the team's impact far beyond headcount. This position may perform work with the U.S. government therefore: 1. UKG is unable to offer sponsorship for this position. 2. Ideal candidate should be a U.S. Citizen Role Summary We are seeking a Sr. Staff Security Researcher who finds and fixes security vulnerabilities u2014 and builds AI-powered automation to do it at scale. This is a hands-on technical role. You will audit source code, discover novel vulnerabilities in UKG's products and infrastructure, develop working proof-of-concept exploits, drive remediation with engineering teams, and build AI-assisted tools that accelerate every phase of that lifecycle. The ideal candidate is someone who has found real bugs in real products, written real exploits, and built real tools u2014 not someone who writes policies about how other people should do those things. You will be expected to produce tangible security outcomes: vulnerabilities found, vulnerabilities fixed, and automation that makes the next round faster. Key Responsibilities Vulnerability Discovery & Security Research (35%) + Conduct deep-dive source code audits of UKG products (Java, .NET, Python, JavaScript) to discover novel vulnerabilities u2014 examples could be hardcoded secrets, authentication bypasses, injection flaws, cryptographic weaknesses, access control gaps, unsafe deserialization, etc. + Develop working proof-of-concept exploits that demonstrate real impact u2014 not theoretical risk, but provable exploitation with clear data exposure or access escalation + Perform variant analysis: when you find a bug, systematically search the entire codebase for every instance of the same root cause pattern + Triage and validate findings from automated scanners (SAST, DAST, SCA) u2014 separate real vulnerabilities from false positives using source-level analysis + Investigate and reproduce externally reported vulnerabilities (bug bounty, CVEs, vendor advisories) to assess actual exploitability in UKG's environment + Collaborate with engineering teams on remediation u2014 not just filing tickets, but working with developers to design, validate fixes, and drive to remediation. AI-Powered Vulnerability Automation (40%) + Build AI-assisted vulnerability discovery tools using automation (Claude, MCP servers, custom models, etc) for automated source code analysis, vulnerability pattern matching, and exploit generation + Develop autonomous security scanning agents that can analyze codebases, identify vulnerability patterns, and produce validated findings with minimal human intervention + Create AI-powered remediation tools u2014 automation that generates fix recommendations, patches, and pull requests for discovered vulnerabilities, accelerating the path from finding to fix + Build automated vulnerability lifecycle pipelines: intake from scanners, AI-assisted triage and deduplication, intelligent ticket routing, SLA tracking, and remediation verification + Contribute to the team's shared automation repositories and Claude Code skills store u2014 every tool you build should be reusable by the rest of the team Vulnerability Management & Remediation Driving (20%) + Own vulnerability remediation outcomes for assigned product areas u2014 track findings from discovery through verified fix, holding engineering teams accountable to SLAs + Produce clear, actionable vulnerability reports that engineering teams can act on immediately u2014 root cause, impact, reproduction steps, and recommended fix + Drive mean time to remediate (MTTR) down through better automation, better reports, and direct collaboration with development teams + Support vulnerability management program metrics and dashboards u2014 contribute to reporting that gives leadership real-time visibility into risk posture + Support compliance-driven vulnerability management requirements, including FedRAMP continuous monitoring and POA&M processes, as UKG expands into federal markets Research & Knowledge Sharing (5%) + Publish internal/external research on novel vulnerability classes, AI-assisted discovery techniques, and lessons learned from audits + Stay current on emerging vulnerability classes, exploitation techniques, and defensive patterns relevant to UKG's technology stack + Mentor other team members on vulnerability research methodology, source code analysis, and AI-augmented security tooling Required Qualifications + 7+ years of hands-on experience in vulnerability research, application security, or penetration testing u2014 with a track record of finding real vulnerabilities in production software + Demonstrated ability to read and audit source code in at least two of: Java, C#/.NET, Python, JavaScript/TypeScript, Go, C/C++ Experience developing working proof-of-concept exploits u2014 not just scanning, but understanding root causes and proving exploitability + Strong proficiency in Python for building security tools, automation pipelines, and integrations + Experience with AI/ML tools for security u2014 using LLMs for code analysis, building AI-assisted security tooling, or developing autonomous security agents + Deep understanding of common vulnerability classes: injection (SQL, command, LDAP), broken authentication, cryptographic failures, SSRF, deserialization, path traversal, access control, and their variants + Experience with vulnerability management programs u2014 triaging, tracking, and driving remediation of vulnerabilities across engineering organizations + Ability to work directly with development teams u2014 explaining vulnerabilities, reviewing proposed fixes, and validating remediations + Excellent written communication u2014 ability to produce clear vulnerability reports, technical documentation, and executive summaries + Bachelor's degree in Computer Science, Cybersecurity, or equivalent experience Preferred Qualifications + Published CVEs, security advisories, or bug bounty findings in production software + Experience in SaaS/multi-tenant environments processing sensitive data (HCM, payroll, healthcare, financial) + Familiarity with SAST/DAST/SCA tooling and how to reduce false positive rates through source-level validation + Experience with cloud security assessment (AWS, GCP, Azure) including container and Kubernetes vulnerability analysis + Familiarity with FedRAMP, NIST SP 800-53, or federal compliance frameworks u2014 enough to understand vulnerability remediation timelines and reporting requirements in regulated environments + Security certifications that demonstrate hands-on skill: OSCP, OSWE, GWAPT, GXPN, BSCP, or equivalent + Conference presentations, published research, or open-source security tool contributions + Experience with reverse engineering, binary analysis, or firmware security What Sets This Role Apart This is a role for someone who finds bugs, fixes bugs, and builds tools that find more bugs. You will: + Work on a team where every member builds production automation u2014 this is an engineering-first security team, not a compliance shop + Have access to enterprise AI infrastructure (Claude Code, LiteLLM, MCP servers) to build next-generation vulnerability discovery and remediation tools + Audit one of the largest HCM/payroll platforms in the world u2014 protecting tens of thousands of customer organizations and millions of workers' sensitive data + Have direct, measurable impact u2014 your findings directly prevent issues across UKG's entire customer base + Pioneer the use of AI for vulnerability discovery and automated remediation u2014 building tools that change how security research is done at scale + Grow your career in an environment that values builders and doers over process managers and policy writers Compensation & Benefits UKG offers a comprehensive total rewards package including competitive base salary, annual bonus, equity, full medical/dental/vision, 401(k) match, unlimited PTO, and professional development budget. This role is eligible for remote work anywhere in the US. Company Overview: UKG is the Workforce Operating Platform that puts workforce understanding to work. With the world's largest collection of workforce insights, and people-first AI, our ability to reveal unseen ways to build trust, amplify productivity, and empower talent, is unmatched. It's this expertise that equips our customers with the intelligence to solve any challenge in any industry u2014 because great organizations know their workforce is their competitive edge. Learn more at . Equal Opportunity Employer UKG is an equal opportunity employer. We evaluate qualified applicants without regard to race, color, disability, religion, sex, age, national origin, veteran status, genetic information, and other legally protected categories. View The EEO Know Your Rights poster ( UKG participates in E-Verify. View the E-Verify posters here (. It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability. Disability Accommodation in the Application and Interview Process For individuals with disabilities that need additional assistance at any point in the application and interview process, please email . The pay range for this position is $163,900 to $235,550. The actual base pay offered may vary depending on skills, experience, job-related knowledge and work location. In addition to base pay, employees may be eligible to participate in a performance-based bonus plan and to receive restricted stock unit awards as part of total compensation. Learn more about UKGu2019s benefits and rewards at is the policy of Ultimate Software to promote and assure equal employment opportunity for all current and prospective Peeps without regard to race, color, religion, sex, age, disability, marital status, familial status, sexual orientation, pregnancy, genetic information, gender identity, gender expression, national origin, ancestry, citizenship status, veteran status, and any other legally protected status entitled to protection under federal, state, or local anti-discrimination laws. This policy governs all matters related to recruitment, advertising, and initial selection of employment. It shall also apply to all other aspects of employment, including, but not limited to, compensation, promotion, demotion, transfer, lay-offs, terminations, leave of absence, and training opportunities.

Created: 2026-04-03