More jobs:
Manager, Cybersecurity Strategy and Risk
Job in Austin, Travis County, Texas, 78716, USA
Listed on 2026-06-21
Listing for: SailPoint Technologies Holdings, Inc.
Full Time position
Job specializations: IT/Tech, Cybersecurity
Job Description & How to Apply Below
Product Security Engineering
About SailPoint
SailPoint is the leader in identity security for the cloud enterprise. Built on AI and ML, our Identity Security Cloud Platform delivers the right level of access to the right identities and resources at the right time, matching the scale, velocity, and changing needs of today's modern enterprise.
About the Role
You will build and lead a continuous adversarial testing program against SailPoint's next-generation Atlas Platform, using frontier AI as a force multiplier, not a novelty.
A typical day: reviewing results from overnight autonomous testing campaigns, chaining minor vulnerabilities into high-impact proof-of-concept exploits, or handing validated attack playbooks to the CISO's Red Team. You won't write reports that sit in a queue. You will translate adversarial findings into secure design improvements that change how engineering builds software.
About the Team
This is a greenfield offensive security unit within Product Security Engineering, reporting to the Director of Engineering Product Security. The team exists to challenge and secure our identity governance systems, AI-powered product features, and core platform services through continuous adversarial validation, not annual pen tests.
Roadmap for Success
30 Days — Assess & Design
Complete a comprehensive review of the identity platform architecture, existing security practices, and current attack surface.
Outline the optimal Red Team structure and identify critical hires based on the program's mandate for agentic AI and continuous testing.
Deliver an initial strategic vision and program roadmap, clearly distinguishing this program from traditional penetration testing.
60 Days — Build & Prepare
Open recruiting pipelines and begin actively sourcing, screening, and extending offers for initial Red Team members.
Draft rules of engagement in collaboration with Product Security and Engineering leadership.
Complete a preliminary attack surface map of the core identity platform, prioritizing AI product features and agentic orchestration layers.
Formalize the CISO Red Team partnership with a quarterly cadence for method transfer, tooling configurations, and attack playbooks.
90 Days — Initialize & Execute
Formally define initial scope and target areas, prioritizing identity platform core and AI features.
Select, deploy, and configure at least one agentic offensive security platform for autonomous source code analysis or vulnerability chaining.
Plan and execute the first short-cycle adversarial campaign, establishing initial operational processes.
Stand up preliminary threat intelligence integration for identity platforms, SaaS infrastructure, and AI/ML attack techniques.
6 Months — Scale & Formalize
At least 50% of target headcount onboarded and actively contributing to adversarial campaigns with demonstrated proficiency in agentic AI tooling.
Minimum three distinct continuous adversarial campaigns executed, including dedicated AI product feature testing, producing actionable findings.
Minimum two detailed exploitation narratives resulting in concrete secure design improvements or SSDLC changes by engineering teams.
CISO Red Team proving ground fully established, including at least one joint adversarial exercise completed.
1 Year — Full Maturity & Impact
Full team operational capacity with agentic AI as a core capability, not a supplement.
Overnight autonomous campaigns running continuously, delivering prioritized findings daily at 3–5x coverage of team size.
Measurable reduction in high-severity vulnerabilities driven by Red Team findings feeding secure design improvements, threat model updates, and SSDLC enhancements.
Attack methodology continuously reflecting current real-world TTPs, APT campaigns targeting identity providers, supply chain compromise vectors, and emerging AI-specific attack techniques.
What We're Looking For
Proven offensive security operator who builds teams, not just finds bugs. You have led or built red team programs, not just executed engagements. You know how to hire offensive engineers, define scope, manage rules of engagement, and translate findings…