Global Security PSIRT Engineer

Morrisville, NC, US • Posted 1 day ago • Updated 8 hours ago
Full Time
On-site
USD $147,900.00 - 220,000.00 per year
Job Details

Skills

  • STaaS
  • ISO 9000
  • Technical Analysis
  • Root Cause Analysis
  • Management
  • Chemical Vapor Deposition
  • Collaboration
  • Threat Analysis
  • SDL
  • Technical Writing
  • Leadership
  • Mentorship
  • Process Improvement
  • Computer Science
  • Cyber Security
  • Security Engineering
  • Incident Management
  • Operating Systems
  • Linux
  • Unix
  • Computer Networking
  • Data Storage
  • Cloud Computing
  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud
  • Google Cloud Platform
  • Communication
  • Vulnerability Management
  • NetApp
  • Enterprise Storage
  • Data Management
  • Scripting
  • Python
  • Bash
  • Windows PowerShell
  • Supply Chain Management
  • CISSP
  • OSCP
  • Integrated Circuit
  • IC
  • Internal Communications
  • Health Insurance
  • Life Insurance
  • Recruiting

Summary

Job Summary

NetApp is looking for a skilled PSIRT Engineer (IC4) to join our Global Product Security Incident Response Team.
In this role, you will independently handle complex security vulnerabilities across NetApp's storage, cloud, and data management products. You will triage reports, perform technical analysis, drive fixes, and coordinate responsible disclosure.

As an IC4 engineer, you will work on high-impact issues, mentor junior team members, and help mature NetApp's PSIRT processes in alignment with ISO/IEC 30111, ISO/IEC 29147, and FIRST best practices. This is a technical, customer-focused role that directly protects NetApp customers worldwide.

Job Responsibilities

Triage, verify, and conduct in-depth technical analysis of vulnerability reports from external researchers, customers, internal teams, and security tools.
Reproduce vulnerabilities in lab environments and assess risk using CVSS (v3.1/v4.0) along with NetApp-specific business and customer context.
Collaborate with engineering teams to drive root cause analysis, develop fixes, mitigations, and workarounds, and validate their effectiveness.
Manage the full vulnerability lifecycle, including embargo handling, coordinated disclosure (CVD), CVE-ID requests, and publication of Security Advisories.
Work with external stakeholders such as security researchers, CERT/CC, and other vendors for multi-party coordination.
Support proactive vulnerability monitoring, threat intelligence, third-party component tracking, and integration with the Secure Development Lifecycle (SDL).
Create clear technical documentation, customer advisories, and leadership briefings.
Mentor junior PSIRT engineers and participate in team on-call rotation.
Contribute to process improvements, tooling, metrics, and PSIRT maturity initiatives.

Job Requirements

Bachelor's degree in Computer Science, Cybersecurity, Engineering, or a related field (or equivalent experience).
5+ years of experience in security engineering, vulnerability management, incident response, or product security.
Strong technical knowledge of operating systems (Linux/Unix), networking, storage systems, and cloud platforms (AWS, Azure, Google Cloud Platform).
Hands-on experience reproducing and analyzing security vulnerabilities.
Solid understanding of CVSS, CVE, CWE, responsible disclosure, and coordinated vulnerability disclosure practices.
Excellent written and verbal communication skills - able to explain complex issues clearly to both technical and non-technical audiences.
Proven ability to work independently and collaboratively in a global team environment.

Preferred Qualifications

Previous experience working in a PSIRT, Product Security, or Vulnerability Management program.
Familiarity with NetApp products (e.g., ONTAP, StorageGRID) or enterprise storage/data management technologies.
Scripting and automation skills (Python, Bash, PowerShell).
Knowledge of SBOMs, software composition analysis, and supply chain security.
Industry certifications such as CISSP, OSCP, or GIAC.
Experience with bug bounty platforms (e.g., HackerOne).

Education

IC - Typically requires a minimum of 8 years of related experience.
Mgr & Exec - Typically requires a minimum of 6 years of related experience.

Compensation:
The target salary range for this position is 147,900 - 220,000 USD. The salary offered will be determined by the candidate's location, qualifications, experience, and education and may be outside of this range. The range is based on 'On Target Earnings' (OTE) representing the total potential earnings, which is the sum of the base salary and potential commission earned when performance targets are achieved. Final compensation packages are competitive and in line with industry standards, reflecting a variety of factors, and include a comprehensive benefits package. This may cover Health Insurance, Life Insurance, Retirement or Pension Plans, Paid Time Off, various Leave options, employee stock purchase plan, and/or restricted stocks (RSUs). These offerings are subject to regional variations and governed by local laws, regulations, and company policies. We will provide detailed information about the specific benefits for your region during the recruitment process.