Service Delivery Manager - Apple Information Security

Apple Information Security is seeking an experienced security engineering manager to lead the Vulnerability Response team across the United States and EMEIA regions. Apple's external perimeter spans thousands of services relied upon by billions of users worldwide, and this team is responsible for continuously identifying, analyzing, and remediating vulnerabilities across that surface. You will combine hands-on technical leadership with people management, overseeing programs that include subcomponents of Apple's bug bounty program, proactive vulnerability discovery, WAF rule development, emerging threat response, and custom security\\ntooling. \\n\\nYou will play a critical role in protecting Apple's services and customers by ensuring timely and thorough response to security risks, fostering engineering excellence, and driving strategic initiatives that strengthen Apple's overall security posture. This role is both strategic and operational, requiring deep technical expertise, strong leadership, and the ability to manage a geographically distributed team operating in a continuous response environment.

As a manager on the Vulnerability Response team, you will lead the day-to-day operations of security engineers across the US and EMEIA regions, as well as oversee resources providing around-the-clock support. You will set team priorities, drive execution across multiple concurrent programs, and ensure operational continuity for a function that requires uninterrupted coverage. This includes direct participation in on-call escalation rotations, hands-on technical contributions such as penetration testing, variant analysis, security tool development, and strategic planning to evolve the team's capabilities over time.\n\n\nYou will partner closely with teams across Apple to ensure coordinated and effective vulnerability response. You will represent the team in cross-functional forums, advocate for security improvements with engineering leadership, and contribute to the development of policies, processes, and tooling that scale the team's impact. You will also maintain the professional standards and reputation through oversight of researcher engagement,\nvulnerability adjudication, and program communications.

8+ years of experience in information security, with demonstrated expertise in vulnerability management, web application penetration testing, and incident response for large-scale internet-facing services, including 3+ years of people management experience leading and developing teams of security engineers.\n\nStrong technical proficiency in web application security, including hands-on experience identifying and remediating common vulnerability classes, and software development skills in one or more of Python, Go, or Bash.\n\nExperience managing or contributing to a vulnerability disclosure or bug bounty program, including researcher engagement, vulnerability validation, and coordinated disclosure processes.\n\nExperience with vulnerability scanning tools and methodologies at enterprise scale, including both commercial and open-source solutions.\n\nDemonstrated ability to manage geographically distributed teams across multiple time zones, with willingness to participate in on-call rotations, including weekends, as part of a tiered escalation model.\n\nExcellent written and verbal communication skills, with the ability to articulate complex security issues and risk to both technical and non-technical audiences.

Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent professional experience.\n\nExperience with cloud-native architectures, WAF technologies, and DNS security disciplines, with the ability to assess security implications across modern deployment and infrastructure environments.\n\nBackground in applying AI and machine learning techniques to security operations, including automated analysis, classification, or remediation workflows.\n\nRelevant industry certifications such as CISSP, OSCP, OSCE, GPEN, or equivalent are helpful but not required.