Build the platform security teams fix faster with

We build the path from scan to fix.

PMAP is the vulnerability management platform that turns scattered scanner output into one prioritized, deduplicated worklist enterprise security teams act on. We hire engineers, product people and security practitioners who already care about helping teams fix what matters first, and we ship them the tools, the time and the trust to do it well.

Why this team

Vulnerability management is a workflow problem, not a scanner problem.

PMAP exists because most teams drown in scanner output long before they run out of things to fix. Our engineers have built the correlation engine that collapses duplicate findings across vendors, our product team has sat with analysts buried under thousands of open items, and our practitioners have shipped rules into the platform that move a finding from raw scan to owned ticket without a spreadsheet in between. That experience is the floor of how we build, not the ceiling of how we market.

The work shows up in the product. A correlation rule you write lands in the platform's pipeline within the release cycle, not in a backlog. A report template you draft for a customer engagement ends up in the library other teams reach for next quarter. The platform gets sharper because the people who understand the workflow are also the people designing it, so there is no translation layer between practice and roadmap.

We hire people who already care about this work, then give them the room to keep caring. That means honest on-call rotations with compensation that reflects the night you took, conference budgets that cover the talks you actually want to attend, and a parental leave policy treated as a norm rather than as a bullet to negotiate with recruiting. The job stays sustainable so the work stays good.

The work shows up in the product: rules, report templates and the finding library teammates reach for next.

What we hire for

What we value

Evidence-first

Decisions follow the data, not the hunch. We show the finding, the source scan and the deduplication logic before we recommend the next move.

Move fast, think clearly

Speed matters when a team is racing a patch window, but only when it is paired with the discipline to get the prioritization right before the queue grows.

Earn trust daily

Customer trust and teammate trust are renewed every working day. We do what we said we would, write down what we cannot, and surface the bad news first.

Stay curious, stay humble

The vulnerability landscape teaches faster than we can ship. We treat every new scanner, framework and customer workflow as a learning surface and the next teammate as the one who will teach us something.

Diverse minds, unified mission

We hire across backgrounds, regions and entry points into security because diverse perspectives surface the assumptions a homogeneous team never catches in time.

Defend in depth

Layered defense is a product principle and a culture principle. No single review, single approver or single dataset is allowed to be a single point of failure.

Learn and grow

The field keeps moving. So does your learning budget.

Vulnerability management changes every quarter, bringing new scanners, new frameworks and new classes of finding. We treat continuous learning as part of the job description, not as an extracurricular activity, and we invest in the practitioners who carry the field forward as much as in the platform itself.

  • Mentorship pairings: each new teammate is paired with a senior engineer for the first delivery cycles and onboarding milestones.

  • Certification reimbursement: security, cloud and platform engineering certifications are reimbursed when they map to your role's growth path.

  • Conference budget: annual conference budget covers the trips, talks and workshops that move your craft forward, including travel and time off.

  • Technical writing time: paid writing time on the schedule so research, product docs and blog posts ship without competing with delivery work.

Career questions, answered

What is PMAP's remote work policy?

PMAP is remote-first by default. Most roles are open to candidates across time zones, with occasional hub days for team-wide work and customer summits. Some roles, typically those tied to specific customer or data-residency requirements, list a region or country in the posting itself, so the constraint is visible before you apply rather than surfacing in the offer letter.

What does the PMAP interview process look like?

The process is designed to take two to three working weeks, not two to three months. A recruiter screen opens the conversation, a hiring manager round scopes the role, and a working session with two future teammates replaces the traditional whiteboard test, so engineers walk through a real code or design problem, product folks scope a workflow, and security practitioners talk through how they would prioritize a noisy backlog. We share the rubric at the start of the process so the bar is visible to both sides.

Does PMAP sponsor work visas?

Sponsorship eligibility is set per role and per region. Postings that support sponsorship explicitly mark it in the requirements section, and the recruiting team is happy to walk through the timeline before you commit to the full process. We do not lead candidates through interviews without surfacing sponsorship constraints first, because that is part of how we earn trust daily.

Which certifications does PMAP value?

Certifications are signals, not gates. Engineering and security roles pay attention to recognized security, cloud and platform certifications, but what carries more weight is whether you can demonstrate the underlying skill when the working session begins. None of these are hard requirements, and we are just as interested in shipped work, open-source contributions and the way you reason about a problem.

Do I need a security background to join PMAP?

Not for every role. Engineering, product, design and go-to-market roles bring their own craft and learn the vulnerability management domain here, paired with someone who already knows it. Security-specific roles, like detection engineering or solutions engineering, do expect hands-on background, and the posting says so plainly. What we look for everywhere is curiosity about the problem and care for the people using the platform.

How does on-call rotation work at PMAP?

On-call rotations apply to platform engineering and customer-facing reliability roles, scheduled in fair shifts and capped per quarter so no single engineer absorbs an unsustainable share. Pages outside business hours carry a premium, comp time is added for any extended on-call stretch, and a secondary tier exists to take pressure off the primary on-call engineer when something is genuinely active. We treat the rotation as paid work, not as a tax on the role.

Build with us

Defenders wanted. Bring your edge.

Whether you are ready to apply for an open role today or want to stay in touch for the right opening, the recruiting team reads every message and replies in plain language.