
Senior Security Engineer – Attack Surface Management

Job in Brooklyn, Cuyahoga County, Ohio, USA
Listing for: Relha LLC
Full Time position
Listed on 2026-02-16
Job specializations:
  • IT/Tech
    Cybersecurity, Data Security
Salary/Wage Range or Industry Benchmark: 100000 - 125000 USD Yearly

As a member of the Cyber Defense team within Corporate Information Security, the Senior Exposure Management Engineer is responsible for leading the continuous identification, inventory, monitoring, and reduction of KeyBank’s digital and physical attack surface. This role drives the ASM strategy across cloud and on-premises environments, combining external threat visibility with internal exposure reduction. The engineer oversees asset discovery, vulnerability management, and exposure monitoring, ensuring exploitable weaknesses are rapidly identified, prioritized, and remediated based on threat intelligence and business impact.

The role involves close collaboration with cross-functional teams to align ASM initiatives with organizational risk priorities and regulatory requirements.

Key Responsibilities

Attack Surface Reduction:
Continuously discover all digital assets, including domains, IPs, cloud buckets, APIs, endpoints, and applications. Develop and implement strategies to reduce exposure across digital assets. Monitor KeyBank’s environment to ensure the attack surface is minimal.

Exposure & Vulnerability Monitoring:

Lead vulnerability scanning operations and coordinate with patching teams for remediation. Monitor new threats, changes to the attack surface, and emerging risks using automated tools and threat intelligence feeds. Prioritize vulnerabilities based on asset criticality, threat intelligence, and exposure risk.

Risk-Based Prioritization & Remediation:

Translate technical risk information into actionable insights for business leaders. Enable swift remediation through workflow automation, ServiceNow integration, and proactive notifications.

Collaborate with threat intelligence and Red Teams to incorporate external threat data and validate ASM controls through adversary simulation.

Governance, Reporting, and Collaboration:

Support asset ownership identification and maintain robust accountability frameworks. Offer guidance on governance frameworks and support the creation of remediation playbooks. Collaborate with IT, CIS, and third-party risk teams to align ASM initiatives with organizational risk priorities.

Compliance Reporting:

Define and track key performance indicators for ASM effectiveness (e.g., reduction in exposed assets, time to remediate vulnerabilities). Track and report on configuration compliance metrics, maintain automated dashboards, and provide visibility to stakeholders and leadership.

Documentation & Audit Support:

Document configuration changes, exceptions, and remediation activities. Support internal and external audits by providing evidence of compliance and remediation.

Process Automation:

Assist in the development and automation of configuration management and compliance reporting tools and frameworks.

Knowledge Sharing:

Share knowledge and best practices with the team through presentations, documentation, and training sessions. Mentor junior team members to foster a culture of security awareness.

Support incident response and remediation efforts by identifying and correcting misconfigurations and partnering with blue teams to improve detection and response capabilities related to configuration changes and vulnerabilities.

Required Qualifications

Bachelor’s degree in computer science, cybersecurity, or related field—or equivalent experience.

8+ years of experience in security engineering, attack surface management, configuration management, or related roles.

Demonstrated experience in contextualizing vulnerabilities using threat intelligence, asset classification, and business impact.

Proficiency with scripting languages such as PowerShell, Python, or Bash for automation, integration, and process improvement in security operations.

Experience with ASM/OSINT tools (e.g., Burp Suite, AMASS, PassiveTotal, SecurityTrails, Nuclei, Recon-NG, GoWitness, MassDNS, Masscan, Censys.io, Shodan, Bitsight, etc.).

Proficiency with configuration management tools (e.g., Ansible, Chef, Puppet).

Experience with vulnerability management platforms (Tenable, Qualys, Rapid7, etc.), running vulnerability scans, monitoring agent health, and…

Position Requirements
10+ Years work experience