Vulnerability Manager

Dubai, United Arab Emirates | Permanent, full-time
Ref: SL2 (1 week ago)
Guildhall is supporting a fast-growing technology company specialising in cybersecurity solutions, which is hiring a Vulnerability Manager to lead its vulnerability management team. This is a senior advisory role sitting at the intersection of deep technical expertise and client-facing consultancy. The Vulnerability Management Consultant is responsible for identifying the right client opportunities, translating complex organisational security requirements into structured programmes, and leading the deployment of FendOps’ vulnerability management solution within client environments.

Key Responsibilities:

Client identification and advisory
  • Identify prospective clients across target sectors where vulnerability management maturity gaps create a clear commercial case for the FendOps solution.

  • Conduct discovery engagements with client security and IT leadership to assess their current vulnerability posture, tooling, process gaps, and organisational constraints.

  • Produce advisory outputs – gap analyses, maturity assessments, deployment readiness reports – that build trust and lay the groundwork for commercial engagement.

  • Articulate the business case for structured vulnerability management to non-technical stakeholders, including CISOs, CIOs, risk committees, and procurement leads.

Programme design and deployment
  • Translate client requirements into a structured deployment plan for the FendOps platform, covering scope, asset coverage, integration points, prioritisation logic, and reporting cadence.

  • Define the technical prerequisites each client needs in place to onboard effectively: network access and segmentation, asset inventory quality, CMDB readiness, SIEM connectivity, and CI/CD pipeline hooks where applicable.

  • Lead deployment engagements end-to-end – configuring the platform to reflect the client’s asset landscape, risk appetite, SLA requirements, and compliance obligations.

  • Advise clients on how vulnerability management should connect to adjacent functions: incident response workflows, change management, patch governance, threat intelligence feeds, and risk registers.

Process and policy embedding
  • Work with client security and IT teams to define or refine vulnerability management policies, remediation SLAs, escalation paths, and exception handling procedures aligned to their regulatory context (ISO 27001, PCI-DSS, NCA ECC, and similar).

  • Design reporting frameworks and KPI sets that give client leadership genuine visibility into risk posture – not just scan outputs – including trending, SLA compliance, and exposure to active threat campaigns.

  • Ensure the deployed programme is operationally sustainable, with clear ownership, escalation accountability, and a model for continuous improvement built in from the start.

Cross-functional integration

  • Map how the client’s vulnerability management programme intersects with DevSecOps practices, cloud and container environments, and application security pipelines, and configure the platform accordingly.

  • Advise on integration with ITSM platforms (ServiceNow, Jira, and equivalents) so that remediation workflows are embedded into the client’s existing operational processes rather than running in parallel.

  • Support clients in aligning vulnerability data with their incident response and SOC functions, so that unpatched vulnerabilities surface as context during active investigations.

Ongoing advisory and programme optimisation

  • Serve as the trusted advisory point of contact post-deployment, reviewing programme performance, tuning prioritisation logic, and identifying coverage gaps as the client environment evolves.

  • Bring in credible threat intelligence to advise clients on re-prioritisation when active exploitation changes the risk calculus on specific CVEs or asset classes.

  • Contribute internally to FendOps product development by translating client operational feedback into structured requirements that improve the platform over time.


Candidate Profile:

Experience

  • 8+ years in information security, with a substantial portion spent leading or owning vulnerability management programmes in complex, multi-environment organisations.

  • Demonstrable experience running the full programme lifecycle: scanning strategy, risk-based prioritisation, remediation coordination, SLA governance, and executive reporting.

  • Background in client-facing roles – consultancy, advisory, or professional services – is strongly preferred. The ability to build trust with technical and non-technical stakeholders is essential.

  • Exposure to regulated environments and the compliance frameworks that shape vulnerability management obligations (ISO 27001, PCI-DSS, SOC 2, NCA ECC, or similar).

Technical depth

  • Hands-on familiarity with the major vulnerability scanning and management platforms (Qualys, Tenable, Rapid7) and a clear understanding of their outputs, limitations, and configuration trade-offs.

  • Solid working knowledge of network architecture, operating systems (Windows and Linux), cloud environments (Azure and AWS), and container security (Docker/Kubernetes) sufficient to scope and configure deployments accurately.

  • Understanding of DevSecOps principles and how vulnerability management integrates into CI/CD pipelines and infrastructure-as-code workflows.

  • Familiarity with SIEM, SOAR, ITSM, and CMDB platforms and how they interconnect with a mature vulnerability programme.

Advisory and communication skills
  • Able to read an organisation quickly: understand its risk appetite, its internal politics, its operational constraints, and how to position vulnerability management within that context.

  • Skilled at translating technical risk into business language – writing and presenting to executive audiences in a way that drives decisions, not just awareness.

  • Structured and consultative in approach: comfortable producing gap analyses, deployment frameworks, maturity models, and programme roadmaps as standalone advisory deliverables.

  • Fluent English (written and spoken) is mandatory. Arabic is an advantage for client engagement across the Gulf.

Certifications
  • Relevant certifications that demonstrate depth in vulnerability management, offensive security, or cloud security are valued: GIAC GVMS, OSCP, CISM, CISSP, or cloud-specific security certifications (AWS Security Specialty, AZ-500) are all appropriate indicators.

  • DevSecOps or container security certifications (AZ-400, CCSE) are a plus given the deployment environments clients typically operate in.
