Threat & Vulnerability Manager

Role Overview

Responsible for identifying, analysing, and reducing security risk arising from vulnerabilities across a complex enterprise technology environment. The role focuses on threat-informed, risk-based vulnerability management and attack surface reduction, working closely with engineering teams to drive preventative security improvements. This is not a SOC or alert-monitoring role.

Key Responsibilities

• Analyse vulnerability disclosures, exploit activity, and adversary techniques to understand real-world exploitability.
• Translate threat intelligence into prioritised remediation guidance for engineering teams.
• Design, operate, and continuously improve the organisation’s vulnerability management programme.
• Conduct vulnerability assessments across endpoints, infrastructure, applications, and connected devices.
• Validate vulnerability findings to improve accuracy and reduce false positives.
• Prioritise vulnerabilities based on exploitability, asset criticality, and business impact.
• Partner with engineering and platform teams to deliver remediation plans or compensating controls.
• Track remediation progress and demonstrate measurable reductions in risk and exposure.
• Maintain visibility of hardware, software, and services across the environment.
• Identify unmanaged assets, legacy systems, and misconfigurations that increase the attack surface.
• Contribute to secure configuration baselines, hardening standards, and patching strategies.
• Support improvements to endpoint and platform security posture where they materially reduce risk.
• Communicate vulnerability and exposure risk clearly to technical and non-technical stakeholders.
• Produce regular reporting on exposure trends, key risk areas, and remediation effectiveness.

Skills & Experience

Essential

• Strong experience in vulnerability management and risk-based prioritisation.
• Hands-on experience with enterprise vulnerability assessment and endpoint security tools.
• Solid understanding of exploitability, modern attack techniques, and exposure management concepts.
• Ability to translate technical findings into business-relevant risk.