Why UKG:
At UKG, the work you do matters. The code you ship, the decisions you make, and the care you show a customer all add up to real impact. Today, tens of millions of workers start and end their days with our workforce operating platform. Helping people get paid, grow in their careers, and shape the future of their industries. That's what we do.
We never stop learning. We never stop challenging the norm. We push for better, and we celebrate the wins along the way. Here, you'll get flexibility that's real, benefits you can count on, and a team that succeeds together. Because at UKG, your work matters - and so do you.
About the Team
The Security Research & Innovation (SRI) team within Global Security is a high-impact, automation-first security organization responsible for vulnerability management, security research, and red team operations. This team has an exceptional automation culture - all team members build production automation that eliminates manual work at scale.
Our security researchers conduct deep-dive source code audits, discover novel vulnerabilities in UKG products, build AI-powered tools that find and help fix bugs at scale, and drive measurable risk reduction across the entire product portfolio. This team has produced findings that protected thousands of customer environments and built automation platforms that multiply the team's impact far beyond headcount.
This position may perform work with the U.S. government, therefore:
UKG is unable to offer sponsorship for this position.
Ideal candidate should be a U.S. Citizen
Role Summary
We are seeking a Sr. Staff Security Researcher who finds and fixes security vulnerabilities - and builds AI-powered automation to do it at scale. This is a hands-on technical role. You will audit source code, discover novel vulnerabilities in UKG's products and infrastructure, develop working proof-of-concept exploits, drive remediation with engineering teams, and build AI-assisted tools that accelerate every phase of that lifecycle.
The ideal candidate is someone who has found real bugs in real products, written real exploits, and built real tools - not someone who writes policies about how other people should do those things. You will be expected to produce tangible security outcomes: vulnerabilities found, vulnerabilities fixed, and automation that makes the next round faster.
Key Responsibilities
Vulnerability Discovery & Security Research (35%)
Conduct deep-dive source code audits of UKG products (Java, .NET, Python, JavaScript) to discover novel vulnerabilities - examples could be hardcoded secrets, authentication bypasses, injection flaws, cryptographic weaknesses, access control gaps, unsafe deserialization, etc.
Develop working proof-of-concept exploits that demonstrate real impact - not theoretical risk, but provable exploitation with clear data exposure or access escalation
Perform variant analysis: when you find a bug, systematically search the entire codebase for every instance of the same root cause pattern
Triage and validate findings from automated scanners (SAST, DAST, SCA) - separate real vulnerabilities from false positives using source-level analysis
Investigate and reproduce externally reported vulnerabilities (bug bounty, CVEs, vendor advisories) to assess actual exploitability in UKG's environment
Collaborate with engineering teams on remediation - not just filing tickets, but working with developers to design, validate fixes, and drive to remediation.
AI-Powered Vulnerability Automation (40%)
Build AI-assisted vulnerability discovery tools using automation (Claude, MCP servers, custom models, etc.) for automated source code analysis, vulnerability pattern matching, and exploit generation
Develop autonomous security scanning agents that can analyze codebases, identify vulnerability patterns, and produce validated findings with minimal human intervention
Create AI-powered remediation tools - automation that generates fix recommendations, patches, and pull requests for discovered vulnerabilities, accelerating the path from finding to fix
Build automated vulnerability lifecycle pipelines: intake from scanners, AI-assisted triage and deduplication, intelligent ticket routing, SLA tracking, and remediation verification
Contribute to the team's shared automation repositories and Claude Code skills store - every tool you build should be reusable by the rest of the team
Vulnerability Management & Remediation Driving (20%)
Own vulnerability remediation outcomes for assigned product areas - track findings from discovery through verified fix, holding engineering teams accountable to SLAs
Produce clear, actionable vulnerability reports that engineering teams can act on immediately - root cause, impact, reproduction steps, and recommended fix
Drive mean time to remediate (MTTR) down through better automation, better reports, and direct collaboration with development teams
Support vulnerability management program metrics and dashboards - contribute to reporting that gives leadership real-time visibility into risk posture
Support compliance-driven vulnerability management requirements, including FedRAMP continuous monitoring and POA&M processes, as UKG expands into federal markets
Research & Knowledge Sharing (5%)
Publish internal/external research on novel vulnerability classes, AI-assisted discovery techniques, and lessons learned from audits
Stay current on emerging vulnerability classes, exploitation techniques, and defensive patterns relevant to UKG's technology stack
Mentor other team members on vulnerability research methodology, source code analysis, and AI-augmented security tooling
Required Qualifications
7+ years of hands-on experience in vulnerability research, application security, or penetration testing - with a track record of finding real vulnerabilities in production software
Demonstrated ability to read and audit source code in at least two of: Java, C#/.NET, Python, JavaScript/TypeScript, Go, C/C++
Experience developing working proof-of-concept exploits - not just scanning, but understanding root causes and proving exploitability
Strong proficiency in Python for building security tools, automation pipelines, and integrations
Experience with AI/ML tools for security - using LLMs for code analysis, building AI-assisted security tooling, or developing autonomous security agents
Deep understanding of common vulnerability classes: injection (SQL, command, LDAP), broken authentication, cryptographic failures, SSRF, deserialization, path traversal, access control, and their variants
Experience with vulnerability management programs - triaging, tracking, and driving remediation of vulnerabilities across engineering organizations
Ability to work directly with development teams - explaining vulnerabilities, reviewing proposed fixes, and validating remediations
Excellent written communication - ability to produce clear vulnerability reports, technical documentation, and executive summaries
Bachelor's degree in Computer Science, Cybersecurity, or equivalent experience
Preferred Qualifications
Published CVEs, security advisories, or bug bounty findings in production software
Experience in SaaS/multi-tenant environments processing sensitive data (HCM, payroll, healthcare, financial)
Familiarity with SAST/DAST/SCA tooling and how to reduce false positive rates through source-level validation
Experience with cloud security assessment (AWS, GCP, Azure) including container and Kubernetes vulnerability analysis
Familiarity with FedRAMP, NIST SP 800-53, or federal compliance frameworks - enough to understand vulnerability remediation timelines and reporting requirements in regulated environments
Security certifications that demonstrate hands-on skill: OSCP, OSWE, GWAPT, GXPN, BSCP, or equivalent
Conference presentations, published research, or open-source security too