CybersecurityJobs.io

Job Description

Booz Allen Hamilton is seeking an Enterprise Cybersecurity Vulnerability Risk Analyst for an onsite role in McLean, Virginia. The position anchors the operational lifecycle of vulnerability exceptions, deferrals, appeals, and related risk decisions across enterprise IT and Cyber Risk, translating vulnerability data into clear risk actions. Compensation ranges from USD 99,000 to 225,000 per year and the role requires at least five years of relevant experience along with a high school diploma or GED.

Summary

The role centers on managing the end-to-end lifecycle of vulnerability exceptions, deferrals, and appeals within enterprise IT and Cyber Risk, turning technical findings into actionable risk decisions and accountable actions. It leverages ServiceNow and cross-functional collaboration to track decisions, report trends, and advance remediation and program maturity.

Responsibilities

  • Oversee the end-to-end lifecycle of vulnerability exceptions, deferrals, appeals, and related risk decisions.
  • Review technical and business justifications, validate mitigating controls, assess risk impact, and determine alignment with standards, risk tolerance, and compliance expectations.
  • Collaborate with vulnerability management, cyber architecture and engineering, hosting, network services, business information security officers, technical risk officers, product owners, and system owners to support timely, consistent, and defensible remediation decisions.
  • Utilize ServiceNow and related workflow tools to track vulnerability risk decisions, maintain accurate records, identify aging or bottlenecked items, and generate reporting on exception trends, workflow metrics, remediation status, and recurring risk themes.
  • Support improvements to the consistency and maturity of the vulnerability exception and deferral program by strengthening intake criteria, decision documentation, escalation paths, and operational reporting.

Requirements

  • 5+ years of experience supporting cybersecurity operations, vulnerability management, security findings management, technology risk, cyber risk, or remediation tracking.
  • Experience managing the lifecycle of security findings or vulnerabilities, including intake, assignment, tracking, aging, reporting, escalation, remediation coordination, or closure validation.
  • Experience evaluating vulnerability deferrals, exceptions, appeals, risk acceptances, or remediation delays, including review of technical and business justifications.
  • Experience assessing mitigating controls, service level agreement compliance, risk-based prioritization, or risk-based decisioning for vulnerability findings.
  • Experience using workflow platforms such as ServiceNow to manage vulnerability response, risk management, ITSM, CMDB, issue tracking, or remediation workflows.
  • Knowledge of vulnerability management concepts, cloud security findings, Cloud Security Posture Management, remediation workflows, and operational risk reporting.
  • Ability to translate technical vulnerability data into clear risk summaries, workflow metrics, exception trends, and status updates for technical teams and risk governance forums.
  • Ability to coordinate across technical and business teams during fast-paced remediation decision cycles.
  • HS diploma or GED.

Technologies

  • ServiceNow

Benefits

  • Health benefits
  • Life benefits
  • Disability benefits
  • Financial benefits
  • Retirement benefits
  • Paid leave
  • Professional development
  • Tuition assistance
  • Work-life programs
  • Dependent care
  • Recognition awards program

Work Model

  • Remote: If listed as remote, some in-person work at Booz Allen or a customer facility may be required.
  • Hybrid: Regular presence at a Booz Allen facility is expected, with potential visits to customer facilities as needed.
  • Onsite: Work primarily from a Booz Allen office or customer facility, with direct collaboration as required by the role.
