The Vulnerability Assessor II performs ongoing, comprehensive vulnerability assessments of network cybersecurity risks to enable risk management and mitigation activities. Monitors the adequacy of cybersecurity measures for information systems and reports vulnerability findings to CSSP Watch leadership. Utilizes vulnerability data sources such as network discovery, network and host vulnerability scanning, penetration testing, operational exercise data, and compliance inspection reports. Assesses asset conformity to specified security requirements. Identifies security vulnerabilities and exposures.

Required Skills

• Knowledge of Common Vulnerabilities and Exposures (CVEs), cyber threats, and vulnerability mitigation strategies
• Conduct research and analysis to stay up to date with current vulnerabilities, provide detailed risk analysis and potential impact
• Utilize multiple data sources to determine a vulnerability’s security impact on the enterprise
• Analyze, assess, compile, and prioritize vulnerabilities to document and communicate mitigation recommendations
• Communicate written and verbal information in a timely, clear, and concise manner
• Apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation)
• Understand network security architecture concepts such as topology and protocols
• Understand what constitutes network risk, cyberattacks, and the relationship between threats and vulnerabilities
• Analyze vulnerability scans
• Recognize security implications of vulnerabilities and assess within the context of the risk management process
• Utilize analysis tools, such as Verodin, Nessus, or RedSeal, to identify vulnerabilities
• Write comprehensive risk assessments on vulnerability impacts
• Utilize automated and manual testing methods to validate the vulnerability testing methods; discover inadequate security practices
• Identify secondary effects of vulnerabilities and exposures, as well as the impact of the mitigations applied to them
• Perform after-action reviews of team products to ensure completion of analysis
• Lead and mentor team members as a technical expert

QUALIFICATIONS Four (4) years of relevant experience is required. Candidate may substitute a Bachelor’s degree for two (2) experiential years. One (1) year of demonstrated experience in technical reporting. One (1) year of demonstrated experience in network and threat analysis.

CERTIFICATIONS & TECHNICAL PROFICIENCIES Requires DoD 8570 compliance Information Assurance Technical (IAT) Level I (possess one: A+ CE, CCNA-Security, CND, Network+ CE, SSCP) or Level II (possess one: CCNA Security, CySA+, GICSP, GSEC, Security+ CE, CND, SSCP) certification. Computing Environment (CE) certification requirement can be fulfilled with either Microsoft OS, Cent OS/Red Hat OS CE certifications. Requires successful completion of the Splunk software training course "Fundamentals 1".

About Black Eagle Defense

Black Eagle Defense is a Maryland-based small business that provides Information Technology, Cybersecurity, and related Consulting Services to the private and public sectors. Our team is composed of highly trained professionals with a commitment to continued learning, versatility, and adaptability within the ever-evolving technological landscape.

We are proud to be an Equal Employment Opportunity and Affirmative Action employer.