Senior Security Engineer - Attack Surface Management

Location:
4910 Tiedeman Road, Brooklyn Ohio

As a member of the Cyber Defense team within Corporate Information Security, the Senior Exposure Management Engineer is responsible for leading the continuous identification, inventory, monitoring, and reduction of KeyBank’s digital and physical attack surface. This role drives the ASM strategy across cloud, and on-premises environments, combining external threat visibility with internal exposure reduction. The engineer oversees asset discovery, vulnerability management, and exposure monitoring, ensuring exploitable weaknesses are rapidly identified, prioritized, and remediated based on threat intelligence and business impact. The role involves close collaboration with cross-functional teams to align ASM initiatives with organizational risk priorities and regulatory requirements.

Key Responsibilities
Attack Surface Reduction: Continuously discover all digital assets, including domains, IPs, cloud buckets, APIs, endpoints, and applications. Develop and implement strategies to reduce exposure across digital assets. Monitor KeyBank’s environment to ensure the attack surface is minimal.

Exposure & Vulnerability Monitoring:
Lead vulnerability scanning operations and coordinate with patching teams for remediation. Monitor new threats, changes to the attack surface, and emerging risks using automated tools and threat intelligence feeds. Prioritize vulnerabilities based on asset criticality, threat intelligence, and exposure risk.

Risk-Based Prioritization & Remediation:
Translate technical risk information into actionable insights for business leaders. Enable swift remediation through workflow automation, ServiceNow integration, and proactive notifications.

Threat Intelligence Integration:
Collaborate with threat intelligence and Red Teams to incorporate external threat data and validate ASM controls through adversary simulation.

Governance, Reporting, and Collaboration:
Support asset ownership identification and maintain robust accountability frameworks. Offer guidance on governance frameworks and support the creation of remediation playbooks. Collaborate with IT, CIS, and third-party risk teams to align ASM initiatives with organizational risk priorities.

Compliance Reporting:
Define and track key performance indicators for ASM effectiveness (e.g., reduction in exposed assets, time to remediate vulnerabilities). Track and report on configuration compliance metrics, maintain automated dashboards, and provide visibility to stakeholders and leadership.

Documentation & Audit Support:
Document configuration changes, exceptions, and remediation activities. Support internal and external audits by providing evidence of compliance and remediation.

Process Automation:
Assist in the development and automation of configuration management and compliance reporting tools and frameworks.

Knowledge Sharing:
Share knowledge and best practices with the team through presentations, documentation, and training sessions. Mentor junior team members to foster a culture of security awareness.

Incident Response:
Support incident response and remediation efforts by identifying and correcting misconfigurations and partnering with blue teams to improve detection and response capabilities related to configuration changes and vulnerabilities.

Required Qualifications
Bachelor’s degree in computer science, cybersecurity, or related field—or equivalent experience.
8+ years of experience in security engineering, attack surface management, configuration management, or related roles.
Demonstrated experience in contextualizing vulnerabilities, using threat intelligence, asset classification and business impact.
Proficiency with scripting languages such as PowerShell, Python, or Bash for automation, integration, and process improvement in security operations.
Experience with ASM/OSINT tools (e.g., BurpSuite, AMASS, PassiveTotal, SecurityTrails, Nuclei, Recon-NG, GoWitness, MassDNS, Masscan, Censys.io, Shodan, Bitsight, etc.).
Proficiency with configuration management tools (e.g., Ansible, Chef, Puppet)
Experience with vulnerability management platforms (Tenable, Qualys, Rapid7, etc.), running vulnerability scans, monitoring agent health, and maintaining scanner operability.
Strong understanding of Cisco, Windows, Linux, Kali Linux, Oracle Linux, and macOS operating systems.
Hands-on experience with cloud platforms (Google Cloud, Microsoft Azure, AWS).
Familiarity with security frameworks and standards (e.g., CIS Benchmarks, SCAP, NIST CSF, MITRE ATT&CK, PCI-DSS).
Experience with ServiceNow security-related modules such as Vulnerability Response & Configuration Compliance.
Strong data management, reporting, and communication skills.
Willingness to travel.

Preferred Certifications
Certified Information Systems Security Professional (CISSP)
GIAC Security Essentials (GSEC)
GIAC Certified Vulnerability Assessor (GCVA)
Microsoft Certified: Azure Security Engineer Associate
AWS Certified Security – Specialty
Google Cloud Security Engineer
Offensive Security Certified Professional (OSCP)

COMPENSATION AND BENEFITS
This position is eligible to earn a base salary in the range of $96,000.00 - $181,000.00 annually. Placement within the pay range may differ based upon various factors, including but not limited to skills, experience and geographic location. Compensation for this role also includes eligibility for incentive compensation which may include production, commission, and/or discretionary incentives.
Please click here for a list of benefits for which this position is eligible.

Key has implemented an approach to employee workspaces which prioritizes in-office presence, while providing flexible options in circumstances where roles can be performed effectively in a mobile environment.

Job Posting Expiration Date: 03/23/2026

KeyCorp is an Equal Opportunity Employer committed to sustaining an inclusive culture. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, genetic information, pregnancy, disability, veteran status or any other characteristic protected by law.
Qualified individuals with disabilities or disabled veterans who are unable or limited in their ability to apply on this site may request reasonable accommodations by emailing [email protected].

#LI-Hybrid