Job Information
SHI Associate Security Consultant - Vulnerability Management in Santa Fe, New Mexico
About Us
Since 1989, SHI International Corp. has helped organizations change the world through technology. We’ve grown every year since, and today we’re proud to be a $16 billion global provider of IT solutions and services.
Over 17,000 organizations worldwide rely on SHI’s concierge approach to help them solve what’s next. But the heartbeat of SHI is our employees – all 7,000 of them. If you join our team, you’ll enjoy:
Our commitment to diversity, as the largest minority- and woman-owned enterprise in the U.S.
Continuous professional growth and leadership opportunities.
Health, wellness, and financial benefits to offer peace of mind to you and your family.
World-class facilities and the technology you need to thrive – in our offices or yours.
Job Summary
The Associate Security Consultant - Vulnerability Management is a critical role within Stratascale’s Adversarial Operations Group, assigned to the Vulnerability Management team. This individual will assist in leading and supporting the development and delivery of a diverse range of exposure management consulting, Vulnerability Management as a Service (VMaaS), and operational service programs to a portfolio of our clients.
Role Description
Conduct day-to-day VMaaS activities, including vulnerability scanning, asset discovery, scan policy configuration, and reporting.
Independently conduct Attack Surface Control (ASC) engagements for a variety of clients, including the use of automated tools and manual micro-penetration testing.
With guidance from more senior consultants, monitor automated penetration testing tooling to identify and validate security weaknesses.
Perform validation of vulnerability findings to eliminate false positives and determine actual risk.
Collaborate with the penetration testing team to conduct further deep-dive testing as needed based on vulnerability discoveries.
Consult and document attack surface, threats, and vulnerability improvements based on the team’s overall assessment of the client’s environment.
Perform assessment and threat modeling against industry best practices to identify control weaknesses and assess the effectiveness of existing controls.
Perform root cause analysis on identified vulnerabilities and attack surface weaknesses to determine technical solutions to be presented to client along with recommendations for remediations.
With guidance from more senior security consultants, collaborate with the client’s security teams to understand mitigation or resolutions for findings discovered by analysts.
Review Stratascale Cyber Threat Intelligence (CTI)-provided threat intelligence for specific threat vectors that align with the client's industry or potentially impact the client by using attack path modeling.
Assist in defining, measuring, and quantifying business risk and vulnerability impacts to clients and their stakeholders.
With guidance from more senior security consultants, provide technical support on remediation, cloud security, governance, compliance, and core infrastructure systems.
With guidance from more senior security consultants, assist customers with strategies, use of platforms, technical and compliance analysis, and implementing automation.
Execute consulting projects by creating and completing deliverables, ensuring client needs and practice obligations are met.
Participate in customer and internal meetings as required, providing technical guidance and facilitating discussions.
Stay educated on new product technologies, industry trends, and emerging capabilities within the practice.
Behaviors and Competencies
Communication: Can effectively communicate technical ideas and information to diverse audiences and collaborate with team members in client communications.
Relationship Building: Can contribute to team initiatives, collaborate with diverse groups, and support effective relationship management.
Self-Motivation: Can take ownership of personal and professional initiatives, collaborate with others when necessary, and drive results through self-motivation.
Negotiation: Can participate in negotiations and work collaboratively with others to drive consensus.
Impact and Influence: Can contribute positively to team goals and support a collaborative, results-driven environment.
Business Development: Can support business development initiatives and collaborate with various stakeholders to contribute to business results.
Emotional Intelligence: Can use emotional information to guide thinking and behavior, manage, and/or adjust emotions to adapt to environments or achieve one's goal(s).
Detail-Oriented: Can manage multiple tasks, maintain a high level of detail orientation, identify errors or inconsistencies at work, and ensure accuracy across all assignments.
Follow-Up: Can take ownership of assigned tasks, collaborate with others in managing follow-ups, and drive results through effective task completion.
Presenting: Can effectively use visual aids and clear communication techniques to present findings and engage both technical and non-technical audiences.
Time Management: Can manage assigned responsibilities effectively, balance competing priorities, and seek guidance when needed.
Analytical Thinking: Can apply analytical techniques to solve problems, draw insights, and clearly communicate findings.
Critical Thinking: Can gather and synthesize information from various sources to support informed problem-solving and decision-making.
Technical Troubleshooting: Can troubleshoot technical problems, collaborate with others to develop solutions, and drive results in problem resolution.
Skill Level Requirements
Experience with Vulnerability Management tools such as Tenable, Rapid7, Qualys, and Tanium to support day-to-day VMaaS delivery activities including scanning, asset management, and reporting. - Foundational to Intermediate
Familiarity with offensive security methodologies and frameworks such as PTES, OWASP (WSTG/MASVS/ASVS), MITRE ATT&CK, and threat modeling to support risk-based testing. - Foundational to Intermediate
Ability to develop exploit proofs-of-concept, reproduce vulnerabilities reliably, and support fix validation; familiarity with exploit development fundamentals is a plus. — Foundational
Reporting and communication skills, including writing technical reports with reproducible steps, risk ratings, and actionable remediation, and contributing to executive summaries with guidance; able to present findings to both technical and non-technical stakeholders. - Intermediate
Familiarity with vulnerability management workflows, responsible disclosure practices, and integration of pen test results into remediation programs and retesting cycles. - Foundational to Intermediate
Proficiency with productivity and documentation tools such as Word, Excel, PowerPoint, and Outlook to produce test plans, findings reports, and final deliverables. - Intermediate
The following skills are preferred, but not required:
Experience supporting penetration tests across networks, web and mobile applications, APIs, wireless, and cloud environments, including participation in scoping, rules of engagement, and debriefs. - Foundational to Intermediate
Familiarity with assessing cloud services (AWS, Azure, GCP) including IAM misconfigurations, storage, serverless, container/orchestration, and cloud networking, with an ability to communicate cloud-specific remediation guidance. - Foundational
Web application testing skills including auth flows, access control, injection, deserialization, SSRF, XXE, business logic abuse, and modern app architectures (SPAs, microservices, GraphQL, WebSockets). - Foundational to Intermediate
Familiarity with social engineering and phishing engagements, including payload development, infrastructure setup, pretexting, and measurement aligned to customer policies and legal constraints. - Foundational
Foundational scripting and automation skills to support testing and proof-of-concept development using Python, PowerShell, Bash, and basic Go or JavaScript as needed. - Foundational to Intermediate
Working knowledge of Active Directory and Azure AD attack paths (Kerberoasting, constrained/unconstrained delegation, ACL abuses, LAPS/MAPS, certificate services) and exposure to simulating enterprise attack chains. - Foundational
Hands-on experience with common offensive tooling and techniques, including reconnaissance, enumeration, exploitation, post-exploitation, lateral movement, and data exfiltration, along with foundational operational security practices. - Foundational to Intermediate
Familiarity with red/purple team exercises and working alongside blue teams to translate findings into detection and hardening recommendations (e.g., SIEM detections, EDR tuning, hardening baselines). - Foundational
Other Requirements
Completed Bachelor’s Degree in a related field or relevant work experience required.
1–3 years of hands-on penetration testing or vulnerability management experience, including exposure to engagements supporting mid-to-large enterprise environments.
Ability to travel to SHI, Partner, and client events, and on-site testing engagements as needed.
Industry certifications preferred (e.g., CPTS, OSCP, PNPT, Security+, CySA+, or vendor-specific VM certifications.)
Demonstrated understanding of legal/ethical considerations, testing authorization, and safe handling of client data.
The estimated annual pay range for this position is $80,000 - $110,000 which includes a base salary and bonus. The compensation for this position is dependent on job-related knowledge, skills, experience, and market location and, therefore, will vary from individual to individual. Benefits may include, but are not limited to, medical, vision, dental, 401K, and flexible spending.
Equal Employment Opportunity – M/F/Disability/Protected Veteran Status