Expert, Application Security & VMDR

Armis, the cyber exposure management & security company, protects the entire attack surface and manages an organization’s cyber risk exposure in real time. In a rapidly evolving, perimeter-less world, Armis ensures that organizations continuously see, protect and manage all critical assets - from the ground to the cloud. Armis secures Fortune 100, 200 and 500 companies as well as national governments, state and local entities to help keep critical infrastructure, economies and society stay safe and secure 24/7.

Armis is a privately held company headquartered in California.

•

About Armis

Armis is the leading unified asset visibility and cybersecurity intelligence platform—protecting organizations across IT, OT, IoT, and medical environments from unseen cyber risks.

Our AI-powered Armis Centrix™ platform delivers real-time asset intelligence, risk scoring, and automated protection—enabling enterprises to continuously manage exposure across millions of connected devices and applications worldwide.

As Armis continues to scale, we are seeking an Expert in Application Security & VMDR to strengthen our secure development lifecycle while tightly integrating application-layer risk into Armis’ broader vulnerability management, detection, and response strategy.

Role Overview

The Expert, Application Security & VMDR is a hands-on technical leader responsible for architecting, automating, and continuously improving Armis’ application security posture—while ensuring application vulnerabilities are fully integrated into Armis’ VMDR framework.

This role bridges engineering, product security, and vulnerability management, defining how application risks are identified, prioritized, contextualized, and remediated across Armis’ SaaS and on-prem platforms. You will ensure that AppSec findings are not siloed, but instead correlated with asset intelligence, exploitability, exposure, and business impact.

Key Responsibilities

Application Security Leadership

• Lead the Application Security program across all Armis products, embedding security throughout the SDLC.

• Perform secure design and architecture reviews, partnering with engineering teams to identify and mitigate risk early.

• Conduct and lead threat modeling sessions using STRIDE, DREAD, or PASTA methodologies.

VMDR Integration & Vulnerability Lifecycle

• Own application-layer vulnerability management as part of Armis’ VMDR strategy, from detection through remediation and validation.

• Integrate AppSec findings (SAST, DAST, SCA, API testing) into centralized vulnerability workflows, risk scoring, and prioritization models.

• Correlate application vulnerabilities with asset context, exploit intelligence, and business criticality to drive risk-based remediation.

• Track and report VMDR metrics such as MTTD, MTTR, exposure windows, and remediation effectiveness for application vulnerabilities.

Automation & Tooling

• Build and maintain automated AppSec pipelines for SAST, DAST, SCA, and API security testing.

• Collaborate with DevOps to integrate security scanning into CI/CD pipelines (GitHub Actions, Jenkins, Buildkite).

• Partner with Cloud and Infrastructure Security to secure APIs, microservices, and containerized workloads (Docker, Kubernetes).

Engineering Partnership & Enablement

• Develop and maintain secure coding standards and security baselines for React, Node.js, Python, Java, and Go.

• Mentor engineers and security champions; deliver secure coding training and threat modeling workshops.

• Act as a trusted advisor to engineering leadership, translating vulnerabilities into clear risk and remediation guidance.

Compliance & Assurance

• Support compliance and audit readiness including SOC 2, ISO 27001, FedRAMP, and HIPAA, ensuring application risks are documented and managed within VMDR processes.

Required Qualifications

• 7–10+ years of experience in Application Security, Product Security, or Secure Software Engineering.

• Proven expertise in SAST, DAST, SCA, and dependency management tools (e.g., Veracode, Checkmarx, Fortify, Snyk, SonarQube, OWASP Dependency-Check).

• Hands-on coding proficiency in at least two modern languages (Python, JavaScript/TypeScript, Java, Go).

• Strong experience managing vulnerabilities end-to-end, including triage, prioritization, remediation tracking, and validation.

• Deep understanding of OWASP Top 10, CWE, CVE, and exploitability concepts.

• Strong knowledge of CI/CD pipelines, Git-based workflows, and secure build automation.

• Experience with threat modeling, secure architecture reviews, and microservices/API security.

• Ability to clearly communicate technical risk to both engineering teams and business stakeholders.

Preferred Skills

• Experience in a SaaS, cloud-native, or cybersecurity product company.

• Hands-on experience integrating AppSec into broader VMDR or exposure management programs.

• Familiarity with cloud and container security platforms (Prisma Cloud, Wiz, Orca).

• Experience with IaC security (Terraform, CloudFormation).

• Exposure to API Gateway security, OAuth2, token-based auth, and zero-trust architectures.

• Relevant certifications such as OSWE, CSSLP, GWAPT, GWEB, CEH.

Salary range guidance for this position is: $157,000 - $180,000

The salary range listed does not include other forms of compensation or benefits (e.g. i.e. bonuses, commissions, stocks, health insurance benefits, etc.) offered to candidates. Visit our careers site for more information on benefits at Armis

The choices you make in your career journey matter. You want to do interesting work in an important field while also having time to live your life, which is why we place so much value in your life-work balance. Armis sets you up for success with comprehensive health benefits, discretionary time off, paid holidays including monthly me days, and a highly inclusive and diverse workplace. Put your unique experiences and perspective to work in an environment where they will enable you to thrive, grow, and live your life with integrity.

Armis is proud to be an equal opportunity employer. We never discriminate based on race, ethnicity, color, ancestry, national origin, religion, sex, sexual orientation, gender identity, age, disability, veteran status, genetic information, marital status or any other legally protected (or not) status. In compliance with federal law, all persons hired will be required to submit satisfactory proof of identity and legal authorization.

Please click here to review our privacy practices.