Manager, Security Posture Validation - USDS
Job Description
About the Team
The Validation and Verification (VnV) organization ensures the security and reliability of our products by validating that security controls are implemented correctly, operating effectively, and delivering measurable risk reduction across the enterprise.
VnV operates across a continuous security lifecycle: Prevent → Assure → Test → Fix → Prove, ensuring that security posture is not only designed and tested, but continuously validated in real-world conditions.
About the Role
We are seeking a Manager of Security Posture Validation (Offensive Security & Privacy) to lead a high-impact team of Penetration Testers, Control Assessors, and Offensive Privacy Engineers. This is a unique hybrid leadership role where you will oversee the validation of technical security controls and systemic resilience through adversary simulation.
You will be responsible for the strategic vision and tactical execution of operations that span cloud infrastructure, web resources, and mobile applications. As a leader, you will bridge the gap between deep technical exploitation (Red Teaming) and systematic control validation (Security Posture), ensuring USDS maintains a world-class defense-in-depth posture.
Responsibilities
- Team Leadership & Development: Lead, mentor, and grow a specialized team of offensive security and privacy engineers. Foster a culture of continuous research, innovation, and ethical hacking.
- Integrated Verification Strategy: Define the roadmap for a unified testing program that combines Adversary Emulation (TTP-based testing) with Control Validation (NIST/ISO-based stress testing).
- Strategic Oversight: Plan and authorize comprehensive testing engagements, including red teaming, application pentesting, and privacy-specific threat modeling across OCI, AWS, and Azure.
- Stakeholder Management: Act as the primary interface for Executive leadership, Legal, Risk & Compliance, and Engineering. Translate complex technical vulnerabilities into actionable business risks.
- Methodology & Governance: Define and maintain Standard Operating Procedures (SOPs) and Rules of Engagement (ROE) for testing modern tech stacks (Kubernetes, Serverless, Mobile).
- Technical Excellence: Remain hands-on when necessary, guiding the team through complex exploitation scenarios, reverse engineering, and the development of custom automation for GRC tooling (e.g., Archer, ServiceNow).
- Remediation Advocacy: Collaborate with Blue Teams and Control Owners to track findings through to completion, providing pragmatic, risk-appropriate recommendations to correct flaws and misconfigurations.
- Metrics & Reporting: Develop and report Key Performance Indicators (KPIs) that demonstrate program effectiveness and organizational risk reduction to the Risk & Compliance teams.
Qualifications
Minimum Qualifications
- Experience: 5+ years in offensive security or privacy disciplines (Red Teaming, Pentesting, Vulnerability Research), with at least 3 years in a formal people management or lead role.
- Technical Breadth: Proven expertise across Cloud (AWS/Azure/OCI), Mobile (iOS/Android), and Web Application security ecosystems.
- Control Validation: Strong working knowledge of security standards (ISO 27001, NIST 800-53, PCI-DSS) and experience gathering technical evidence to demonstrate compliance.
- Privacy Knowledge: Understanding of privacy-enhancing technologies (PETs) and the ability to apply offensive mindsets to identify data leakage or privacy-control bypasses.
- Coding/Scripting: Proficiency in at least two languages (e.g., Python, Golang, C++, Bash, or Java) for exploit development and tool automation.
- OS Mastery: Advanced knowledge of Windows, *nix, and macOS environments, including troubleshooting and administration.
- Education: Bachelor's degree in Computer Science, Information Security, Computer Engineering, or a related technical field.
Preferred Qualifications
- Advanced Certifications: A combination of security and privacy certifications (e.g., OSCP/OSEP/GXPN and CIPP/CIPT/CIPM).
- Tooling Expertise: Mastery of industry-standard tools such as Burp Suite Pro, Cobalt Strike, Frida, Objection, MobSF, SQLMap, and Nessus.
- Community Impact: Contributions to the security/privacy community (CVEs, bug bounty recognition, whitepapers, or speaking at conferences like DEF CON or Black Hat).
- Regulatory Expertise: Experience navigating security testing within highly regulated or national security-focused divisions (USDS/FedRAMP).
Date Posted
03/23/2026