Job Description

Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!
Senior Product Manager, Attack Surface Management
About Qualys
Qualys, Inc. (NASDAQ: QLYS) is a cloud security and compliance company with 10,000+ subscription customers worldwide, including many Forbes Global 100 and Fortune 100 organizations. Qualys helps teams consolidate security and compliance workflows on one platform to improve outcomes, increase agility, and reduce cost.
Role overview
This role owns Attack Surface Management as a core pillar of the Qualys TruRisk Platform, built on top of the Unified Inventory layer that powers ETM.
You will drive how Qualys discovers, attributes, correlates, and governs the external attack surface (EASM) & Internal Attack Surface and connects it to the broader enterprise inventory used by ETM across different asset types such as hosts, containers, cloud resources, SaaS services, and identities.
The goal is a single trusted inventory that enables ETM outcomes end-to-end:

• build a complete and continuously updated perimeter (internal & external)
• link exposures to vulnerabilities, misconfigurations, compliance and identity risk
• provide business context for prioritization, reporting, and TruRisk outcomes
• uncover and operationalize Shadow IT and unmanaged internet-facing assets

This is a platform-minded PM role combining CAASM-style inventory and EASM-style external discovery: multi-source ingestion, attribution and identity resolution, deduplication and reconciliation, governance workflows, and risk-ready insights.
What you will own
You will lead one or more areas depending on strengths and roadmap priorities.
Unified Inventory for ETM (core platform)

• Multi-source ingestion: APIs, webhooks, bulk imports, partner integrations (ServiceNow, Jira, CMDB, CSPM, IdP)
• Identity resolution and reconciliation: correlation, dedupe, entity resolution across sources
• Normalization and tokenization: standard attributes, tags, metadata enrichment, schema strategy across asset types
• Staging and governance workflows: validation, conflict handling, approvals, audit and change history, lifecycle state
• Inventory health and coverage: completeness, freshness, confidence scoring, ownership mapping, Shadow IT discovery

Attack Surface Management (EASM) built on Unified Inventory

• External discovery: domains, subdomains, DNS, certificates, IPs, cloud services, internet-facing services
• Attribution and ownership mapping: link discovered assets to orgs, subsidiaries, brands, apps, teams, environments
• Continuous monitoring: change detection, new exposure alerts, drift tracking, asset lifecycle for external perimeter
• External enrichment: tech stack, ASN/provider, geo, certificate relationships, exposure context
• Third party and shared infrastructure handling: CDNs, shared hosting, vendors, ambiguous ownership workflows

Essential duties and responsibilities

• Convert customer and field use cases into product strategy, roadmap themes, epics, user stories, and acceptance criteria
• Partner with engineering and architecture on solution design (data model, pipelines, correlation and attribution logic, APIs) and drive delivery from concept through release
• Own backlog quality: prioritization, grooming, breaking epics into shippable increments, defining validation and Definition of Done criteria
• Drive execution cadence with engineering leadership: sprint readiness, dependencies, tradeoffs, and release planning
• Ensure features support real enterprise workflows across SecOps, IT Ops, cloud teams, and GRC, including how teams operationalize EASM findings into ETM outcomes
• Define personas and workflows; collaborate with UX on scalable experiences (wireframes, annotations, interaction specifications)
• Define and track success metrics: onboarding time, coverage percentage, attribution confidence, dedupe accuracy, reconciliation confidence, alert quality, adoption, and ETM impact
• Support POCs and strategic accounts: demos, discovery sessions, feedback loops, outcome-driven iteration
• Partner with Product Marketing, Sales, and SE teams for launch readiness, positioning, demo flows, and competitive enablement

Desired skills, experience, and qualifications

• 5+ years of product management experience in B2B SaaS, cybersecurity & equivalent techno-functional ownership experience (security engineering, solution architecture, platform engineering)
• Strong understanding of asset inventory and CAASM concepts: multi-source correlation, trusted inventory, normalization, reconciliation
• Strong understanding of Attack Surface Management and EASM: external discovery, attribution, continuous monitoring, Shadow IT and unmanaged asset identification
• Proven ability to write crisp requirements: user stories, edge cases, acceptance criteria, workflow definitions; comfortable operating in Agile and Scrum
• Platform mindset: data models and schemas, APIs, data quality, scalability and performance tradeoffs
• Strong communication skills: align executives and stakeholders; build enablement collateral including presentations, demos, and documentation
• Ability to operate effectively with globally distributed teams across time zones

Skills Required