Mid-level Vulnerability Assessments & Infrastructure Specialist - Vulnerability & Attack Surface Management (VASM)

Job Description
At Boeing, we innovate and collaborate to make the world a better place. We're committed to fostering an environment for every teammate that's welcoming, respectful and inclusive, with great opportunity for professional growth. Find your future with us.
The Boeing Company is currently seeking a Mid-level Vulnerability Assessments & Infrastructure Specialist - Vulnerability & Attack Surface Management (VASM) to join the team in Kent, WA; North Charleston, SC; Hazelwood, MO; Mesa, AZ; El Segundo, CA; or Plano, TX.
The Boeing Company is seeking a Mid-level Vulnerability Assessments & Infrastructure Specialist to join the Vulnerability & Attack Surface Management (VASM) team. This hands-on role supports vulnerability management across the Boeing estate and subsidiaries, providing vulnerability risk analysis, application security support, and remediation orchestration for both infrastructure and applications.
The ideal candidate combines practical experience operating enterprise vulnerability assessment platforms, applied application security knowledge, foundational infrastructure and networking skills, and business-context awareness of Boeing's lines of business and subsidiaries.
VASM protects Boeing's global mission by identifying, validating, and driving remediation of vulnerabilities across cloud, datacenter, operational technology (OT), and application environments, including systems managed by Boeing Commercial Airplanes, Boeing Defense, Space & Security, Boeing Global Services, and key subsidiaries and supplier integrations.
You will help close security gaps that could impact safety, supply chain continuity, regulatory compliance, or operational availability.
Position Responsibilities:

• Operate and optimize enterprise vulnerability assessment platforms and AppSec integrations to identify, validate, and prioritize security findings across infrastructure and applications
• Perform technical exploitability analysis and business-impact assessments
• Translate findings into prioritized, operationally feasible remediation actions for engineering, Information Technology (IT), and operations teams
• Contribute to development and operationalization of assessment playbooks, scanning standards, AppSec scanning pipelines (Static Application Security Testing/Software Composition Analysis/Dynamic Application Security Testing (SAST/SCA/DAST), reporting, and automation to improve detection fidelity and remediation velocity
• Execute enterprise processes for scheduled and emergent vulnerability assessments, including infrastructure and application discovery, authenticated scanning, and targeted assessments
• Configure, tune, and maintain vulnerability scanning platforms and AppSec integrations (e.g., Rapid7, Tenable, Qualys, Snyk, Veracode), manage credentials, scopes, schedules, and scan policies
• Investigate findings to distinguish true positives from false positives and to identify environmental/configuration constraints, including container, cloud, and legacy systems
• Correlate vulnerability scanner output with threat intelligence, application findings (SAST/DAST/SCA), and asset criticality to produce contextualized risk ratings and remediation priorities
• Assess exploitability, potential for lateral movement, and operational impact for infrastructure, middleware, and application vulnerabilities
• Create remediation plans and work with system owners, application teams, and subsidiary stakeholders to coordinate fixes, compensating controls, and risk-accepted outcomes
• Track remediation burndown, Service Level Agreements (SLAs), and closure
• Escalate high-risk items and produce executive and technical reports tailored to stakeholder audiences
• Collaborate with VASM, AppSec, DevSecOps, engineering, and IT teams to operationalize new scanning capabilities, integrate AppSec pipelines, and reduce noise through tuning and automation
• Contribute to continuous improvement
• Drive automation of ingestion/correlation pipelines, standardize playbooks and runbooks, and deliver training to remediation owners and subsidiary teams

Basic Qualifications (Required Skills/Experience):

• 5+ years of experience with vulnerability scanning concepts and best practices, and operating enterprise vulnerability assessment platforms such as Rapid7, Tenable, or Qualys
• 5+ years of experience with Linux and/or Windows Security
• 5+ years of experience troubleshooting foundational networking issues (TCP/IP, DNS, routing, firewalls) and performing network scanning and assessments
• 5+ years of experience analyzing vulnerability findings, triaging true vs false positives, and identifying environmental limitations or compensating controls
• 5+ years of experience managing scan configurations, credentials, schedules, and assessment scope within large or distributed environments

Preferred Qualifications (Desired Skills/Experience):

• Active Security+, Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), or vendor/tool-specific certifications
• Experience with application security exposure (SAST/DAST/SCA) and ability to ingest or correlate AppSec findings with infrastructure vulnerabilities
• Experience integrating vulnerability management with AppSec pipelines and DevSecOps toolchains (Continuous Integration/Continuous Deployment (CI/CD) integration, SCA, container scanning)
• Experience with Boeing subsidiaries, mission domains, and supply chain considerations (e.g., Boeing Commercial Airplanes, Boeing Defense & Space, Boeing Global Services, and common subsidiary/supplier systems)
• Experience with vulnerability risk rating methodologies (Common Vulnerability Scoring System (CVSS), Cybersecurity and Infrastructure Security Agency (CISA) Stakeholder-Specific Vulnerability Categorization (SSVC), or organization-specific risk models) and threat intelligence correlation
• Experience scaling or architecting vulnerability management programs in large enterprises and integrating with ticketing/ Configuration Management Database (CMDB) systems (e.g., ServiceNow)
• Experience with cloud environments and cloud-native scanning challenges (Amazon Web Services (AWS)/Azure/Google Cloud Platform (GCP)) and containerized workloads
• Experience enabling self-service vulnerability dashboards and automated exports for business and subsidiary teams
• Experience with regulated or compliance-driven environments and supporting audit or risk frameworks (e.g., National Institute of Standard Technology (NIST), International Organization for Standardization (ISO))

Conflict of Interest:
Successful candidates for this job must satisfy the Company's Conflict of Interest (COI) assessment process.
Drug Free Workplace:
Boeing is a Drug Free Workplace where post offer applicants and employees are subject to testing for marijuana, cocaine, opioids, amphetamines, PCP, and alcohol when criteria is met as outlined in our policies.
Pay & Benefits:
At Boeing, we strive to deliver a Total Rewards package that will attract, engage and retain the top talent. Elements of the Total Rewards package include competitive base pay and variable compensation opportunities.
The Boeing Company also provides eligible employees with an opportunity to enroll in a variety of benefit programs, generally including health insurance, flexible spending accounts, health savings accounts, retirement savings plans, life and disability insurance programs, and a number of programs that provide for both paid and unpaid time away from work.
The specific programs and options available to any given employee may vary depending on eligibility factors such as geographic location, date of hire, and the applicability of collective bargaining agreements.
Pay is based upon candidate experience and qualifications, as well as market and business considerations.
Summary pay range: $115,600 - $167,900
Applications for this position will be accepted until Mar. 20, 2026
Export Control Requirements:
This position must meet U.S. export control compliance requirements. To meet U.S. export control compliance requirements, a "U.S. Person" as defined by 22 C.F.R. §120.62 is required. "U.S. Person" includes U.S. Citizen, U.S. National, lawful permanent resident, refugee, or asylee.
Export Control Details:
US based job, US Person required
Relocation
This position offers relocation based on candidate eligibility.
Visa Sponsorship
Employer will not sponsor applicants for employment visa status.
Shift
This position is for 1st shift
Equal Opportunity Employer:
Boeing is an Equal Opportunity Employer. Employment decisions are made without regard to race, color, religion, national origin, gender, sexual orientation, gender identity, age, physical or mental disability, genetic factors, military/veteran status or other characteristics protected by law.