Software Supply Chain Security Engineer (AI & Data Systems) Job at Oteemo Inc., San Antonio, TX

  • Oteemo Inc.
  • San Antonio, TX

Job Description

We are looking for a senior engineer who can apply AI, data analysis, and automation to secure the software supply chain. This is not a “train a model” research role — it’s a practical, hands-on position where you’ll use LLMs, analytics, and automation to detect risks, prioritize fixes, and harden systems ranging from container images to package dependencies. You will turn messy vulnerability and SBOM data into clear, actionable security improvements.

Responsibilities:

  • Develop and automate SBOM workflows using open-source and commercial tools (e.g., Syft, Grype, CycloneDX, Dependency-Track).
  • Design and integrate LLM-driven solutions for vulnerability detection, CVE classification, and intelligent remediation recommendations.
  • Build automated pipelines for continuous ingestion, enrichment, and correlation of CVE and NVD data with internal dependency graphs.
  • Implement AI-assisted triage and prioritization logic for vulnerabilities based on context (CVSS, exploitability, package exposure, and runtime telemetry).
  • Integrate vulnerability scanning results into CI/CD pipelines and security dashboards (e.g., GitHub Actions, Jenkins, GitLab CI, Jira, ServiceNow).
  • Collaborate with security and development teams to automate root cause analysis and recommend mitigation paths using LLMs or knowledge graph–based systems.
  • Develop data pipelines and APIs to connect SBOM data, CVE feeds, and vulnerability databases for real-time updates.
  • Apply AI/ML techniques to prioritize vulnerabilities, suggest fixes, and detect high-risk patterns across large dependency sets.
  • Automate ingestion and normalization of advisories, scanner output, and vendor data for security decision-making.
  • Experiment with LLMs to reduce manual triage, generate draft remediation guidance, and summarize vendor notices.
  • Provide data-driven recommendations for securing containers, AMIs, ISOs, packages, and third-party dependencies.
  • Develop dashboards and metrics (e.g., risk scores, patch coverage, remediation timelines) for engineering and leadership.
  • Document workflows and enable other teams to use AI/automation in supply chain security.
  • Research and evaluate emerging AI and automation frameworks for software supply chain and vulnerability management.

Qualifications:

  • DOD Clearance Eligibility.
  • 5+ years of experience in DevSecOps, cybersecurity engineering, or infrastructure automation.
  • Solid understanding of software supply chain security concepts (containers, packages, SBOMs, vulnerability management).
  • Hands-on experience with SBOM and vulnerability tooling (Syft, Grype, Trivy, Anchore, Dependency-Track, Clair, etc.).
  • Strong knowledge of CVE/NVD, CVSS scoring, CWE classification, and vulnerability lifecycle.
  • Experience building automation pipelines with Python, Go, or similar languages.
  • Familiarity with LLM APIs and frameworks (OpenAI, LangChain, Hugging Face, or similar).
  • Experience integrating AI-driven insights into security workflows or ticketing systems.
  • Solid understanding of container security, dependency management, and CI/CD environments.
  • Experience deploying LLMs or fine-tuning domain-specific models for cybersecurity applications.
  • Background in knowledge graph engineering or semantic enrichment of CVE and SBOM data.
  • Familiarity with Kubernetes, Terraform, and cloud-native security frameworks (AWS, Azure, GCP).
  • Contributions to open-source security automation or SBOM projects.
  • Strong written and verbal communication skills, with the ability to translate technical details into actionable insights.

Nice to Have:

  • Active Secret or Top Secret Clearance.
