Sr. Staff Security Researcher
UKG
About the role
Why UKG:
At UKG, every role counts. The code you develop, the decisions you make, and the client care you provide create real impact. Millions of workers engage with our workforce operating platform daily, helping them manage their careers and drive industry advancements. This is our mission.
We embrace continuous learning and strive for improvement, celebrating achievements along the way. You'll enjoy genuine flexibility, reliable benefits, and a collaborative team environment. At UKG, your contributions are valued—because you matter.
About the Team
The Security Research & Innovation (SRI) team within Global Security is an essential, automation-driven security unit dedicated to vulnerability management, security research, and red team activities. Our team champions automation, where all members contribute to building solutions that streamline processes at scale.
Our security experts perform comprehensive source code audits, uncover unique vulnerabilities in UKG products, develop AI-enhanced tools for identifying and resolving issues efficiently, and measure risk reduction across our product line. Our findings have fortified the security of countless customer environments, and our automation initiatives amplify our contributions beyond our team size.
Role Summary
We are looking for a Sr. Staff Security Researcher who specializes in finding and fixing security vulnerabilities and in building AI-driven automation to do so at scale. This is a hands-on technical position: you will audit source code, find high-impact vulnerabilities in UKG's products and infrastructure, develop proof-of-concept exploits, work with engineering teams to land fixes, and build AI-assisted tools for each phase of vulnerability management.
The ideal candidate has a proven history of finding real bugs in production software, writing working exploits, and shipping effective tools; we are looking for a practitioner, not a policy writer. You will be accountable for measurable security outcomes: vulnerabilities found and fixed, and automation that makes each subsequent round faster.
Key Responsibilities
Vulnerability Discovery & Security Research (35%):
- Audit UKG's products (Java, .NET, Python, JavaScript) to find novel vulnerabilities: hardcoded secrets, authentication flaws, injection weaknesses, cryptographic failures, and related classes.
- Develop working proof-of-concept exploits that demonstrate concrete impact (data exposure, privilege escalation) rather than theoretical risk.
- For every vulnerability found, perform variant analysis to locate every other instance of the same root cause in the codebase.
- Validate findings from automated scanning tools (SAST, DAST, SCA) by using source-level analysis to filter real vulnerabilities from false positives.
- Investigate externally reported vulnerabilities (bug bounty reports, CVEs, vendor advisories) to determine whether they are actually exploitable in UKG's environment.
- Collaborate closely with engineering teams on remediation efforts, assisting developers in devising and validating fixes.
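The variant-analysis and scanner-validation duties above are easiest to see in code. The following is an added example written for this page, not UKG tooling: one confirmed hardcoded-credential finding is treated as a root cause, every other instance of that root cause is located across a small codebase, and the standard library's ast module acts as the source-level check that separates real findings from the hits a line-oriented scanner would also report. The "codebase" (file names, contents and the secret values) is constructed inline so the script runs offline.

```python
"""Variant analysis of one confirmed hardcoded-credential finding across a
codebase, with source-level validation that drops the scanner's false positives.

Added example for this page, not UKG's code. The "codebase" is constructed
inline so the script runs offline; Python sources are used so the standard
library's ast module can act as the source-level check.
"""
import ast
import re
from dataclasses import dataclass

# Constructed sample files standing in for a repository checkout.
CODEBASE = {
    "app/db.py": (
        "import os\n"
        "DB_PASSWORD = 'Sup3rS3cret!'\n"          # real hardcoded secret
        "API_KEY = os.environ['API_KEY']\n"       # read from env: not a finding
    ),
    "app/mail.py": (
        "def send(client):\n"
        "    client.login('mailer', password='hunter2hunter2')\n"  # variant: keyword argument
    ),
    "tests/conftest.py": (
        "PASSWORD = 'changeme'\n"                 # placeholder, not a real credential
    ),
    "app/settings.py": (
        "SECRET_KEY = ''\n"                       # empty default
        "TOKEN_TTL_SECONDS = 3600\n"              # name matches, value is not a string
    ),
}

SECRET_NAME = re.compile(r"password|passwd|secret|api_key|token", re.I)
# Line-oriented pattern a naive scanner might use: any secret-like name being assigned.
NAIVE_SCANNER = re.compile(r"\b\w*(?:password|passwd|secret|api_key|token)\w*\s*=\s*\S", re.I)
PLACEHOLDERS = {"", "changeme", "password", "xxx", "todo", "<redacted>"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    name: str
    value: str


def naive_scan(codebase):
    """What a regex-only scanner reports: every secret-like assignment, true or not."""
    return [(path, n, line) for path, src in codebase.items()
            for n, line in enumerate(src.splitlines(), 1) if NAIVE_SCANNER.search(line)]


def _is_placeholder(value):
    return value.strip().lower() in PLACEHOLDERS or len(value) < 8


def _record(path, name, value_node, out):
    # Source-level validation: only a string literal flowing into a secret-named
    # slot is a hardcoded credential; env lookups, calls and non-strings are not.
    if isinstance(value_node, ast.Constant) and isinstance(value_node.value, str):
        if not _is_placeholder(value_node.value):
            out.append(Finding(path, value_node.lineno, name, value_node.value))


def find_variants(codebase):
    """Locate every instance of the root cause (literal credential) across all files."""
    findings = []
    for path, src in codebase.items():
        for node in ast.walk(ast.parse(src, filename=path)):
            if isinstance(node, (ast.Assign, ast.AnnAssign)):
                targets = node.targets if isinstance(node, ast.Assign) else [node.target]
                for t in targets:
                    if isinstance(t, ast.Name) and SECRET_NAME.search(t.id) and node.value is not None:
                        _record(path, t.id, node.value, findings)
            elif isinstance(node, ast.keyword) and node.arg and SECRET_NAME.search(node.arg):
                _record(path, node.arg, node.value, findings)
    return findings


def redact(value):
    """Reports should prove the secret exists without copying it into a ticket."""
    return f"{value[:2]}...({len(value)} chars)"


if __name__ == "__main__":
    hits = naive_scan(CODEBASE)
    confirmed = find_variants(CODEBASE)
    print(f"naive scanner: {len(hits)} hits; source-level validation: {len(confirmed)} confirmed")
    for f in confirmed:
        print(f"  {f.path}:{f.line}  {f.name} = {redact(f.value)}")
```

On this constructed input the line-oriented pattern reports six hits, four of which are an environment lookup, a test placeholder, an empty default and an integer; the AST pass confirms two, including the keyword-argument variant that a search for the original `NAME = '...'` shape would have missed. The redaction helper exists because a vulnerability report that reproduces the live credential creates a second exposure.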
AI-Powered Vulnerability Automation (40%):
- Build AI-assisted tools for vulnerability discovery, using LLM tooling (Claude, MCP servers, specialized models) for source code analysis, vulnerability pattern recognition, and exploit development.
- Develop autonomous security scanning agents capable of analyzing codebases, detecting vulnerability patterns, and producing validated findings with reduced human intervention.
- Design AI-driven remediation tools that automatically generate fix recommendations, patches, and pull requests for identified vulnerabilities, fast-tracking the process from discovery to resolution.
- Construct automated pipelines for vulnerability lifecycle management encompassing scanner intake, AI-assisted triage, smart ticket routing, SLA tracking, and verification of remediations.
- Contribute to the team's collective automation repositories—each tool you create should be reusable within the team.
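The intake, SLA-tracking and remediation-verification stages of the lifecycle pipeline described above, as an added example that is not UKG code. It assumes remediation windows modelled on the FedRAMP continuous-monitoring timelines (High 30, Moderate 90, Low 180 days), keys each finding on a line-number-independent fingerprint so a file edit that shifts lines does not open a duplicate ticket, starts the SLA clock at first discovery rather than latest scan, and treats a finding that disappears from the newest scan as pending verification rather than closed. The scanner output is constructed inline.

```python
"""Scanner intake, deduplication, SLA tracking and fix-verification queue for a
vulnerability-lifecycle pipeline. Added example, not UKG code; the raw scanner
findings below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Remediation windows in days from first discovery. Assumption: modelled on the
# FedRAMP continuous-monitoring timelines (High 30, Moderate 90, Low 180).
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}

# Constructed raw findings from three scanners. The SAST result appears twice
# with different line numbers because an unrelated edit shifted the file.
RAW_FINDINGS = [
    {"tool": "sast", "rule": "java/sqli", "file": "src/OrderDao.java",
     "symbol": "findByCustomer", "line": 88, "severity": "High", "seen": "2025-01-10"},
    {"tool": "sast", "rule": "java/sqli", "file": "src/OrderDao.java",
     "symbol": "findByCustomer", "line": 91, "severity": "High", "seen": "2025-01-17"},
    {"tool": "sca", "rule": "vulnerable-dependency", "file": "pom.xml",
     "symbol": "com.example:legacy-lib", "line": 40, "severity": "Medium", "seen": "2025-01-05"},
    {"tool": "dast", "rule": "missing-hsts", "file": "https://app.example.test",
     "symbol": "/", "line": 0, "severity": "Low", "seen": "2024-06-01"},
]


@dataclass
class Record:
    key: str
    tool: str
    rule: str
    location: str
    severity: str
    first_seen: date
    due: date
    status: str  # "open" or "overdue"


def fingerprint(raw):
    # Line numbers move with unrelated edits, so key on tool/rule/file/symbol;
    # the same defect is then tracked as one ticket across successive scans.
    stable = "|".join(raw[k] for k in ("tool", "rule", "file", "symbol"))
    return hashlib.sha256(stable.encode()).hexdigest()[:16]


def intake(raw_findings, today):
    """Deduplicate raw findings and attach an SLA due date to each unique one."""
    earliest = {}
    for raw in raw_findings:
        key = fingerprint(raw)
        seen = date.fromisoformat(raw["seen"])
        # The SLA clock starts at first discovery, not at the most recent rescan.
        if key not in earliest or seen < earliest[key][1]:
            earliest[key] = (raw, seen)
    records = []
    for key, (raw, first_seen) in earliest.items():
        sev = raw["severity"].lower()
        due = first_seen + timedelta(days=SLA_DAYS[sev])
        records.append(Record(key, raw["tool"], raw["rule"],
                              f"{raw['file']}:{raw['symbol']}", sev, first_seen, due,
                              "overdue" if today > due else "open"))
    return sorted(records, key=lambda r: r.due)


def overdue_by_severity(records):
    """Dashboard input: how many findings have breached their window, per severity."""
    counts = {}
    for r in records:
        if r.status == "overdue":
            counts[r.severity] = counts.get(r.severity, 0) + 1
    return counts


def pending_verification(records, latest_scan):
    # A finding that vanishes from the newest scan is not closed automatically;
    # it is queued for a researcher to confirm the fix (or a scanner regression).
    present = {fingerprint(raw) for raw in latest_scan}
    return [r for r in records if r.key not in present]


if __name__ == "__main__":
    today = date(2025, 2, 20)  # constructed "now" so the output is reproducible
    records = intake(RAW_FINDINGS, today)
    for r in records:
        print(f"{r.status:8} {r.severity:7} due {r.due}  {r.tool}/{r.rule}  {r.location}")
    print("overdue:", overdue_by_severity(records))
    rescan = [f for f in RAW_FINDINGS if f["tool"] != "dast"]
    print("pending verification:", [r.rule for r in pending_verification(records, rescan)])
```

With the constructed data, four raw results collapse to three records; the SQL injection finding keeps its 10 January discovery date and is already past its 30-day window on 20 February, while the dependency finding is still inside its 90-day window. Dropping the DAST result from the rescan puts it in the verification queue instead of silently closing it.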
Vulnerability Management & Remediation Driving (20%):
- Own remediation outcomes for assigned product areas, tracking each vulnerability from discovery to verified fix and holding engineering teams to their SLAs.
- Create concise, actionable vulnerability reports that provide engineering teams with immediate guidance on root causes, impacts, reproduction steps, and suggested fixes.
- Reduce mean time to remediate (MTTR) through enhanced automation, clear reporting, and teamwork with development teams.
- Maintain vulnerability management metrics and dashboards, contributing to the real-time reporting that informs leadership about risk posture.
- Assist with compliance-driven vulnerability management requirements, including FedRAMP continuous monitoring as UKG enters federal markets.
Research & Knowledge Sharing (5%):
- Publish internal and external research on new vulnerability types, AI-driven discovery methods, and lessons learned from audits.
- Stay informed about emerging vulnerability classes, exploitation techniques, and defensive measures relevant to UKG's technology stack.
- Mentor team members on vulnerability research methodologies, source code analysis, and AI-augmented security tools.
Required Qualifications
- 7+ years of hands-on experience in vulnerability research, application security, or penetration testing, with a proven record of discovering vulnerabilities in production software.
- Ability to read and audit source code in at least two of the following: Java, C#/.NET, Python, JavaScript/TypeScript, Go, C/C++, with experience developing proof-of-concept exploits.
- Strong Python skills for creating security tools, automation pipelines, and integrations.
- Experience with AI/ML tools in security contexts, including working with large language models for code analysis.
- Deep understanding of common vulnerability classes such as injection, broken authentication, cryptographic weaknesses, SSRF, deserialization, path traversal, and access control issues.
- Familiarity with vulnerability management, including tracking and facilitating the resolution of vulnerabilities within engineering settings.
- Excellent communication skills for producing clear vulnerability reports, technical documentation, and executive summaries.
- Bachelor's degree in Computer Science, Cybersecurity, or a related field.
Preferred Qualifications
- Published CVEs, security advisories, or credited bug bounty findings in production software.
- Background in SaaS/multi-tenant environments managing sensitive data (HCM, payroll, healthcare).
- Familiarity with SAST/DAST/SCA tools and reducing false positives through source-level validation.
- Experience in cloud security assessments (AWS, GCP, Azure) and container and Kubernetes vulnerability analysis.
- Knowledge of FedRAMP, NIST SP 800-53, or other federal compliance frameworks relevant to vulnerability remediation timelines and requirements.
- Security certifications emphasizing hands-on skills such as OSCP, OSWE, GWAPT, GXPN.
- Contributions to open-source security projects, published research, or conference presentations.
- Experience in reverse engineering and binary analysis.
What Sets This Role Apart
This is an opportunity for someone who finds vulnerabilities, drives fixes, and builds tools to find more. You will:
- Join a team where each member contributes to production automation—this is an engineering-led security environment, not merely compliance-focused.
- Leverage cutting-edge enterprise AI resources (Claude Code, LiteLLM, MCP servers) to forge next-generation tools for vulnerability identification and resolution.
- Audit significant components of one of the largest HCM/payroll platforms globally, safeguarding the sensitive data of numerous customers.
- Have a direct and measurable impact, with your discoveries enhancing security across UKG's entire client base.
- Pioneer the application of AI in vulnerability identification and automated remediation, reshaping how security research is approached at scale.
- Advance your career in a setting that champions builders and achievers over process-driven roles.
Compensation & Benefits
UKG offers an extensive rewards package, including a competitive base salary, annual bonuses, stock options, full medical/dental/vision benefits, 401(k) matching, unlimited PTO, and resources for professional development. This position supports remote work from anywhere in the US.
Company Overview:
UKG is the Workforce Operating Platform that leverages workforce insights and AI to uncover new opportunities for building trust, enhancing productivity, and empowering talent. We equip our customers with the intelligence to tackle challenges across various industries because we understand that great organizations recognize their workforce as their competitive advantage.
Equal Opportunity Employer:
UKG values diversity and is an equal opportunity employer. We assess all qualified candidates without regard to race, color, disability, religion, sex, age, national origin, veteran status, or any other legally protected status.
UKG participates in E-Verify. View E-Verify posters for additional information.
It is against Massachusetts law to require or perform a lie detector test in connection with employment. Any employer violating this law is subject to criminal penalties and civil liability.
Disability Accommodation:
Individuals with disabilities requiring assistance during the application or interview process may contact UKG directly.
The pay range for this position is $163,900 to $235,550. Actual pay may vary based on skills, experience, and job-related knowledge. Employees may also be eligible for performance bonuses and restricted stock unit awards as part of their total compensation.