Vulnerability Remediation Engineers - Windows/Linux

Solid Solutions Group


Date: 9 hours ago
City: Riyadh
Contract type: Full time

1- Windows Vulnerability Remediation Engineer

Apply here: https://solidgroup.sa/en/jobs/windows-vulnerability-remediation-engineer-35

Summary: You’ll own the security hardening lifecycle for every Windows workload in our data centres and Azure tenant—domain controllers, IIS and Apache reverse proxies, clustered SQL farms, VMware vSphere nodes, print servers, and legacy line-of-business hosts. Working hand-in-hand with the SOC, infrastructure, and application teams, you will translate scanner output into concrete remediation plans, automate patch roll-outs, and verify that every critical CVE is closed within SLA. 

Responsibilities

  • Prioritise, schedule, and deploy OS & application patches across 5 000+ Windows Server 2016/2019/2022 machines using WSUS, SCCM/MECM, and Azure Update Manager.
  • Interpret Tenable/Qualys/Nessus findings, map them to CVSS scores, asset criticality, and compensating controls, then feed risk data back to Governance & Risk.
  • Maintain CIS-aligned GPOs covering password policy, NTLM hardening, SMB signing, TLS/SSL ciphers, and local privilege management; run quarterly drift checks with LGPO or Microsoft DSC.
  • Write PowerShell/Desired State Configuration scripts to patch, reboot, and validate servers; generate weekly dashboards showing remediation velocity, SLA compliance, and zero-day exposure.
  • Lead CAB submissions, craft back-out plans, and secure downtime windows with application owners; perform smoke tests post-patch and sign off.
  • Serve as SME during security incidents involving Windows exploits (e.g., PrintNightmare, Zerologon), supplying rapid mitigation steps and forensic data.
  • Evaluate new Microsoft servicing models (WUfB, Azure Arc), third-party patching tools, and vulnerability prioritisation engines to shorten mean time-to-remediate (MTTR).

Must Have

  • Deep hands-on Windows Server administration (AD, DNS, PKI, Failover Clustering) plus proven WSUS or SCCM/MECM patch-management experience.
  • Practical remediation of high-severity CVEs (e.g., credential-theft, RCE, privilege-escalation).
  • PowerShell scripting proficiency for automation, inventory, and compliance checks.
  • Familiarity with at least one enterprise vulnerability scanner (Tenable, Qualys, Nessus).
  • Strong documentation, change-control, and stakeholder-communication skills in English.

Nice to have

  • Exposure to hybrid AD / Azure AD, ADFS, and certificate-authority hardening.
  • Experience with EDR tools (Defender for Endpoint, CrowdStrike) and exploit-guard rules.
  • Microsoft or GIAC certs such as SC-200, AZ-500, GSEC, GCWN.
  • Knowledge of compliance frameworks (ISO 27001, NIST 800-53) and audit evidence gathering.
  • Python or Ansible skills for cross-platform automation.

What's great in the job? Enjoy full ownership of the Windows security roadmap, a dedicated budget for global conferences and advanced training, and day-to-day collaboration with elite blue-team and cloud-architecture engineers. Your measurable impact—closing thousands of CVEs and slashing MTTR—translates directly into performance bonuses, fast-track promotions, and executive visibility.


2- Linux Vulnerability Remediation Engineer

Apply here: https://solidgroup.sa/en/jobs/linux-vulnerability-remediation-engineer-36

Summary: From SAP HANA clusters on SUSE to container hosts on RHEL and monitoring probes on CentOS Stream, our Linux estate underpins mission-critical banking, analytics, and security services. You will spearhead the effort to eradicate exploits, enforce CIS controls, and automate kernel, package, and agent patching—ensuring every server meets stringent uptime and compliance targets. 


Responsibilities

  • Comprehensive Patch Orchestration: Use zypper, yum/dnf, apt, or Landscape/Satellite to stage, test, and deploy kernel and package updates across 2 000+ Linux nodes, including HA pairs and production SAP stacks.
  • Threat Mitigation: Address SSH hardening (strong ciphers/Kex, two-factor auth), privilege-escalation paths (sudo, setuid, polkit), TLS/SSL weaknesses, RCE flaws, and DoS vectors; implement mitigations such as SELinux, AppArmor, and systemd sandboxing.
  • Baseline & Compliance: Apply and periodically audit CIS/DISA STIG baselines via Ansible, Chef, or OpenSCAP; remediate deviations and document evidence for auditors.
  • Tooling & Automation: Develop Bash/Python playbooks for package inventory, kernel-live-patching (kpatch/ksplice), and post-update functional checks; integrate with Jenkins/GitLab CI pipelines for continuous compliance.
  • Container & Cloud Security: Scan Docker/Podman images (Trivy, Clair), remediate vulnerable layers, and harden Kubernetes/OpenShift nodes; collaborate with DevOps on image-signing and runtime policies.
  • Collaboration & Scheduling: Liaise with SAP Basis, database, and infra teams to coordinate maintenance windows, mitigate performance impact, and optimise reboot sequencing.
  • Metrics & Reporting: Produce monthly scorecards on CVE closure rates, patch compliance, and kernel-panic incidents; drive root-cause analysis for any post-patch instability.
  • Research & Innovation: Pilot OS-trend technologies (e.g., eBPF for runtime security, immutable-OS models like Fedora CoreOS) and recommend adoption paths.

Must Have

  • Expert command of SUSE, RHEL, and/or Debian/Ubuntu hardening and patch lifecycles.
  • Fluency with vulnerability-assessment platforms (OpenVAS, Qualys, Nessus) and CVE/CVSS analysis.
  • Strong scripting skills (Bash plus Python or Go) and experience automating via Ansible or similar.
  • Knowledge of kernel parameters, system-call filtering, and secure-boot concepts.
  • Ability to read security advisories, evaluate exploit PoCs, and translate them into actionable fixes.

Nice to have

  • RHCE, SLES Certified Engineer, or LFCS/LFCE credentials.
  • Familiarity with container-security tools (Falco, SELinux in enforcing mode, seccomp profiles).
  • Experience with cloud-native hosts (AWS Linux 2, Azure Linux) and infrastructure-as-code pipelines (Terraform, Pulumi).
  • Exposure to SIEM integrations (Elastic, Splunk) for log forwarding and rule tuning.
  • Understanding of PCI-DSS or SWIFT CSP requirements in financial environments.

What's great in the job? You’ll be the guardian of our open-source core, empowered to innovate with cutting-edge tooling and open-source contributions. Performance bonuses tie directly to quantified risk reduction, while flexible hours, remote-friendly culture, and a clear technical-lead track let you grow without sacrificing balance.
