Role SummaryThe Security Engineer - Exposure Management is responsible for building and maturing the attack surface management capability with a focus on answering where the organization is most exposed and what the actual risk is. This role owns external visibility, correlates external exposure to internal systems and accountable owners, and provides clear, actionable risk insight to stakeholders. The role operates in an advisory capacity and drives informed remediation through visibility, analysis, and communication, not direct system changes.
Primary Objectives - Establish and maintain authoritative visibility of externally exposed assets across domains, IP space, applications, and services.
- Correlate external exposure to internal systems and accountable owners, including complex non-1:1 relationships.
- Answer where risk exists and what exposure means in practical terms to the business.
- Build workflows to manage external findings with minimal manual effort using integration and automation.
- Improve coverage, mapping accuracy, and data quality to reduce unknown external exposure.
Responsibilities - Build and operate the attack surface management capability, including processes, integrations, and workflows.
- Maintain visibility into externally exposed assets including domains, IPs, web applications, APIs, certificates, load balancers, and DMZ services.
- Correlate external findings to internal systems and ownership across complex, indirect relationships.
- Coordinate with threat intelligence, network, firewall, DNS, and load balancing teams to validate exposure and ownership.
- Develop and maintain integrations to support discovery, enrichment, and correlation of external assets.
- Drive routing accuracy by ensuring findings map to the correct owners and identifying ownership gaps.
- Identify and resolve data quality issues impacting visibility, coverage, and correlation.
- Integrate findings into ServiceNow workflows where applicable to support routing and tracking.
- Reduce manual effort by standardizing and automating repeatable processes.
- Analyze exposure and vulnerability data in context to determine actual risk beyond tool-based severity.
- Communicate complex technical risk clearly to non-technical stakeholders with actionable recommendations.
- Document processes, playbooks, and operational standards to sustain the capability.
Required Qualifications - Minimum 5 years of experience in information security.
- Minimum 3 years of hands-on experience in enterprise vulnerability management, exposure management, or network security.
- Strong understanding of networking fundamentals including firewalls, ACLs, routing, load balancing, and externally exposed architectures.
- Strong understanding of DNS, web infrastructure, certificates, and DMZ environments.
- Understanding of infrastructure vulnerability assessment and discovery scanning concepts.
- Basic understanding of cloud-hosted and externally exposed services.
- Basic understanding of web applications and externally facing service risk.
- Strong experience correlating external data to internal systems and ownership across inconsistent datasets.
- Strong analytical and complex technical problem-solving skills.
- Ability to assess and communicate risk beyond tool-generated severity using context.
- Experience working with CMDB or similar systems for asset and ownership tracking.
- Ability to operate independently in a greenfield program environment.
Preferred Qualifications - Experience integrating external exposure data into ServiceNow workflows for routing and tracking.
- Experience improving data quality, deduplication, and correlation across multiple data sources.
- Experience working with externally exposed enterprise environments and perimeter infrastructure.
- Experience automating data collection, normalization, or correlation using scripting or APIs.
Certifications - Higher-level security or risk-related certifications preferred.
Work Location Hybrid role requiring three days per week in the office. Must be located within Xcel Energy territory and reasonably close to an Xcel Energy facility. Denver, Colorado and Minnesota areas preferred.
Non-Bargaining
The anticipated starting base pay for this position is: $97,600.00 to $138,600.00 per year
This position is eligible for the following benefits: Annual Incentive Program, Medical/Pharmacy Plan, Dental, Vision, Life Insurance, Dependent Care Reimbursement Account, Health Care Reimbursement Account, Health Savings Account (HSA) (if enrolled in eligible health plan), Limited-Purpose FSA (if enrolled in eligible health plan and HSA), Transportation Reimbursement Account, Short-term disability (STD), Long-term disability (LTD), Employee Assistance Program (EAP), Fitness Center Reimbursement (if enrolled in eligible health plan), Tuition reimbursement, Transit programs, Employee recognition program, Pension, 401(k) plan, Paid time off (PTO), Holidays, Volunteer Paid Time Off (VPTO), Parental Leave
Benefit plans are subject to change and Xcel Energy has the right to end, suspend, or amend any of its plans, at any time, in whole or in part.
In any materials you submit, you may redact or remove age-identifying information including but not limited to dates of school attendance and graduation. You will not be penalized for redacting or removing this information.
Deadline to Apply: 06/21/26
All Xcel Energy employees and contractors share responsibility for protecting the company's information and systems by adhering to cybersecurity policies, standards, and best practices, recognizing that cybersecurity is everyone's responsibility.
