Attack Surface Management Jobs (NOW HIRING)

Calling all innovators - find your future at Fiserv.

We're Fiserv, a global leader in Fintech and payments, and we move money and information in a way that moves the world. We connect financial institutions, corporations, merchants and consumers to one another millions of times a day - quickly, reliably, and securely. Any time you swipe your credit card, pay through a mobile app, or withdraw money from the bank, we're involved. If you want to make an impact on a global scale, come make a difference at Fiserv.

Job Title

About your role:

You will help advance our cybersecurity program from traditional vulnerability management to a more mature exposure management approach. Operating within the Attack Surface Management team, this role focuses on identifying the exposures that matter most to the business, validating exploitability, and driving measurable reduction of real risk to critical business services through strong technical analysis and cross-functional influence.

What you'll do:

• Analyze how individual exposures chain into viable attack paths toward critical assets, shifting prioritization from isolated findings to path-based risk.
• Build and operate a threat-informed prioritization model that incorporates exploit availability, active campaigns, and exploitation-in-the-wild indicators to rank exposures by real-world risk.
• Map exposures to crown-jewel assets and critical business services so remediation priorities reflect business impact, not just technical severity; define and report metrics that demonstrate exposure reduction over time, including mean time to remediate by risk tier, attack-path closure, and reduction in exploitable exposure.
• Validate whether prioritized exposures are exploitable and reachable using attack-path analysis, breach-and-attack simulation, and offensive security and penetration testing findings.
• Assess whether existing compensating controls meaningfully reduce likelihood of impact before remediation is mandated; translate red-team, purple-team, and penetration-testing findings into validated exposure priorities.
• Maintain visibility across external, cloud, SaaS, and identity attack surfaces, coordinating with peer teams that own the underlying platforms.
• Drive remediation across infrastructure and security partner teams, including Endpoint, Network, Cloud, and IAM, by establishing ownership, SLAs, and escalation paths for risk that crosses organizational boundaries.
• Produce technical and executive reporting on exposure trends and risk reduction, framed in business-risk terms for governance and senior leadership audiences.

Experience you'll need to have:

• 8+ years of experience in vulnerability management, attack surface management, exposure management, offensive security, or closely related disciplines.
• Demonstrated experience leading security programs or initiatives with governance, metrics, and cross-functional stakeholder engagement.
• Strong ability to assess attack paths, exploitability, and business impact beyond CVSS scoring and ticket-based vulnerability tracking.
• Practical experience incorporating threat intelligence and exploit data, including EPSS, CISA KEV, and exploitation-in-the-wild reporting, into prioritization decisions.
• Solid understanding of vulnerabilities and exposures across operating systems, networks, cloud environments, identity platforms, and applications, and how they combine into attack paths.
• Proven ability to drive remediation and influence cross-functional teams without direct authority while balancing security priorities and operational realities.
• Familiarity with the Gartner CTEM model, MITRE ATT&CK, and vulnerability scoring and prioritization standards such as CVSS, EPSS, and CISA KEV.
• Strong written and verbal communication skills with the ability to translate technical exposure into business risk for engineering, governance, and executive audiences.

Experience that would be great to have:

• Experience working within an enterprise Attack Surface Management function.
• Familiarity with breach-and-attack simulation platforms and offensive security validation techniques.
• Experience managing exception and risk-acceptance processes with formal governance and time-bound review cycles.
• Knowledge of exposure reporting practices for executive, governance, and board-adjacent audiences.
• Experience coordinating remediation campaigns for systemic exposures across large, complex technology environments.

How you'll work:

• This role is on-site Monday through Friday. Fiserv considers in-person collaboration to be an essential part of this role as in-person office experiences help you with your overall onboarding experience and leads to stronger productivity.

Travel:

• Approximately 10% travel off-site or to other office locations is expected.

Sponsorship:

• You must currently possess valid and unrestricted U.S. work authorization to be considered for this role. Individuals with temporary visas including, but not limited to, F-1 (OPT, CPT, STEM), H-1B, H-2, or TN, or any candidate requiring sponsorship, now or in the future, will not be considered.

#LI-RM1

Salary Range

These pay ranges apply to employees in New Jersey and New York. Pay ranges for employees in other states may differ.

It is unlawful to discriminate against a prospective employee due to the individual's status as a veteran.

Thank you for considering employment with Fiserv. Please:

• Apply using your legal name
• Complete the step-by-step profile and attach your resume (either is acceptable, both are preferable).

Our commitment to Equal Opportunity:

Fiserv is proud to be an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, national origin, gender, gender identity, sexual orientation, age, disability, protected veteran status, or any other category protected by law.

If you have a disability and require a reasonable accommodation in completing a job application or otherwise participating in the overall hiring process, please contactAskHR.US@fiserv.com. Please note our AskHR representatives do not have visibility to your application status. Current associates who require a workplace accommodation should refer to Fiserv's Disability Accommodation Policy for additional information.

Note to agencies:

Fiserv does not accept resume submissions from agencies outside of existing agreements.Please do not send resumes to Fiserv associates. Fiserv is not responsible for any fees associated with unsolicited resume submissions.

Warning about fake job posts:

Please be aware of fraudulent job postings that are not affiliated with Fiserv. Fraudulent job postings may be used by cyber criminals to target your personally identifiable information and/or to steal money or financial information. Any communications from a Fiserv representative will come from a legitimate Fiserv email address.