MTS Manager

United States or Canada

Finite State partners with product security teams, the guardians of our connected world, to create transparency for their connected devices and supply chains. Our platform handles connected devices and embedded systems across all industries, including those found in enterprises, healthcare, utilities, connected vehicles, manufacturing facilities, critical infrastructure, and government entities. 

We are a fast-growing series-B company with a fully distributed workforce. Led by a team of seasoned experts, we are a mission-driven team passionate about arming our customers with the actionable insights, critical vulnerability data, and remediation guidance necessary to mitigate product risk and protect the connected attack surface. We are committed to a remote first culture.

MANAGER, PRODUCT SECURITY TECHNICAL MANAGED SERVICES

SUMMARY

  • Operational leader accountable for hands-on management, planning, and delivery of all Finite State Product Security Technical Managed Services: binary firmware analysis, device penetration testing, threat and risk assessments (TARAs), SBOM/SCA generation, vulnerability response coordination, triage and remediation, and long-term engagement support for connected product OEMs and manufacturers (strategic accounts)
  • Drives operational design, build-out, and scale of new and emerging managed services - PSIRT-as-a-Service (PSIRTaaS), EU Cyber Resilience Act (CRA) sustainable compliance, and adjacent offerings - with Finite State's AI Product Security Automation Platform as the delivery spine
  • Direct people manager for the Technical Services team, accountable for hiring, onboarding, mentorship, performance management, capacity planning, skills development, and utilization optimization across a multi-disciplinary team of product security engineers and analysts
  • Customer-facing managed services delivery leader accountable for engagement quality, technical accuracy, schedule adherence, customer satisfaction, renewal, and expansion across the active managed services portfolio
  • Cross-functional partner to Product, Engineering, Sales, Marketing, Legal, and Regulatory Advisory Services Team, channeling field-level delivery experience into platform requirements, packaging and pricing, go-to-market enablement, and regulatory positioning

ESSENTIAL FUNCTIONS

Managed Service Delivery Operations

  • Manages day-to-day execution of all active managed technical services customer engagements; ensures delivery quality, technical accuracy, schedule adherence, and consistent application of Finite State methodology across binary analysis, penetration testing, TARA, SBOM/SCA, vulnerability management, and remediation advisory
  • Owns the full engagement lifecycle: scoping, statement of work, kickoff, execution, deliverable review, customer communications, and renewal/expansion planning
  • Establishes, maintains, and continuously improves service delivery playbooks, technical methodologies, deliverable templates, peer review gates, and quality acceptance criteria
  • Drives consistent integration of Finite State automation platform into every engagement; ensures platform capabilities are leveraged to maximum effect and that field experience feeds the platform roadmap
  • Defines, monitors, and reports Service Level Agreements (SLAs), Service Level Objectives (SLOs), and engagement-level KPIs including billable utilization, time-to-deliverable, defect/escape rates, customer satisfaction (CSAT/NPS), and renewal rate
  • Acts as senior technical escalation point for engagement issues, customer concerns, and complex or contested technical findings

New Service Build-Out and Operationalization

  • Leads operational design and standup of new product security managed service offerings — PSIRTaaS, EU CRA sustainable compliance, and other emerging services — including process design, runbook authoring, tooling integration, staffing model, pricing inputs, contractual scaffolding, and SLA framework
  • Partners with Product to ensure platform capabilities required for new managed services are scoped, prioritized, instrumented, and operationalized for service delivery 
  • Designs and operates the customer-facing PSIRTaaS function: continuous vulnerability monitoring, automated and human-assisted triage, advisory issuance, CVE coordination with the appropriate CNA, customer disclosure workflow, remediation tracking, and post-disclosure verification
  • Builds the operating model for sustainable EU CRA compliance services: conformity assessment support, Annex I essential requirements mapping, vulnerability handling obligations, technical documentation maintenance, and post-market surveillance support for connected product manufacturers

People Management and Team Development

  • Hires, onboards, develops, mentors, and retains a team of product security engineers and analysts across multiple technical disciplines (binary/firmware analysis, offensive security, embedded systems, SBOM/SCA, regulatory engineering, vulnerability management)
  • Sets individual performance objectives aligned to team and company OKRs; conducts regular 1:1s, delivers ongoing performance feedback, runs formal review cycles, and addresses performance issues directly and constructively
  • Builds and maintains team capacity plans and skills inventories; identifies gaps and drives hiring, cross-training, certification, and external training plans to close them
  • Manages utilization across the team to balance billable engagement work, capability development, and reserved capacity for new service launches and surge demand
  • Cultivates a culture of technical excellence, intellectual honesty, customer empathy, peer review, and continuous learning; fosters psychological safety in a fully remote operating environment

Customer Engagement and Account Management

  • Serves as senior delivery contact and trusted technical advisor for strategic customer accounts; owns the technical health of those relationships
  • Leads recurring service reviews, escalation discussions, and quarterly business reviews; ensures customer outcomes are visible, measurable, and tied to renewal and expansion narratives
  • Partners with Sales on scoping, statements of work, pricing alignment, and pre-sales technical engagement; provides expert input to deal qualification and risk
  • Identifies and qualifies expansion opportunities (additional products, additional service lines, multi-year commitments) and works with Sales to convert them

Financial and Operational Performance

  • Owns operational delivery against the Services ARR plan; accountable for margin discipline, utilization targets, and forecast accuracy
  • Provides input to pricing, packaging, and capacity planning for current and new service offerings
  • Tracks and reports delivery cost, gross margin per engagement, write-down and write-off rates, and other services-economics metrics; surfaces structural issues with concrete remediation proposals
  • Produces timely, accurate forecasts of staffing, hiring, and external contractor needs against the demand pipeline

QUALIFICATIONS

EDUCATION AND/OR EXPERIENCE

  • Bachelor's degree in Computer Science, Mathematics, Physical Sciences, Electrical/Computer Engineering, or equivalent demonstrable experience and certifications; advanced degree desirable
  • Minimum 8 years of relevant experience in product security, embedded/connected device security, application security, or offensive security — a meaningful portion delivered in a customer-facing services, consulting, or managed services context
  • Minimum 4 years of direct people management experience, including hiring, performance management, mentorship, and team development
  • Demonstrated experience standing up new service offerings or productizing technical capabilities within managed services or information technology environments is strongly preferred
  • Hands-on technical depth in two or more of: binary/firmware analysis, penetration testing of embedded or IoT systems, threat modeling and TARA, SBOM and software composition analysis, vulnerability management and disclosure (CVE/CNA workflows), PSIRT/ESIRT operations

KNOWLEDGE, SKILLS, ABILITIES

Technical

  • Deep working knowledge of connected and embedded device security, including firmware, microcontrollers, wireless SoCs, RTOS environments, and integrated IoT systems
  • Hands-on familiarity with binary and firmware analysis tooling and methodology (Ghidra, IDA, Binary Ninja, radare2, and platform-driven equivalents)
  • Strong understanding of SBOM standards (SPDX, CycloneDX), VEX, software composition analysis, and vulnerability correlation against CVE/CPE/PURL
  • Strong understanding of vulnerability disclosure and PSIRT operating models, including ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling), CVSS v3.1/v4, and CNA operating procedures
  • Familiarity with offensive security methodology applied to embedded systems, including hardware-adjacent attacks (fault injection, side-channel concepts, debug interface exploitation) at a depth sufficient to scope, review, and quality-control the work
  • Working knowledge of TARA methodologies (ISO/SAE 21434 for automotive, IEC 62443-3-2 for industrial, MITRE ATT&CK and EMB3D where applicable)
  • Working knowledge of applied cryptography, secure protocols, secure boot, secure update, and key management as applied to embedded systems
  • Ability to ramp quickly on AI and agentic AI platforms and productivity systems; familiarity with the automated firmware/binary analysis platform category and AI-assisted vulnerability triage is preferred

Standards and Regulatory

  • Working knowledge of EU Cyber Resilience Act (CRA), including Annex I essential requirements, vulnerability handling obligations, conformity assessment routes, and post-market surveillance expectations
  • Working knowledge of IEC 62443, ETSI EN 303 645, NIST IR 8259 series, NIST SSDF (SP 800-218), and US Executive Order 14028 / OMB M-22-18 SBOM requirements
  • Familiarity with ISO 27001, SOC 2 Type I/II, and adjacent compliance regimes as they apply to a managed services delivery organization

Managed Services Operations

  • Demonstrated ability to design and operate service delivery functions to defined SLAs, SLOs, and quality standards
  • Demonstrated ability to manage utilization, capacity, and engagement profitability in a billable services context
  • Strong project and program management capability

Leadership and Communication

  • Excellent written and verbal communication skills; operates fluently with executives, technical individual contributors, customer technical staff, customer executives, regulators, and partners
  • Strong people leadership: hiring, coaching, performance management, conflict resolution, and team building in a fully remote environment
  • Demonstrated ability to translate technical findings into business and regulatory consequences for non-technical stakeholders
  • Customer-facing executive presence: owns escalations, leads difficult conversations, and represents Finite State at the most senior levels of customer organizations

Certifications

  • One or more of the following is required: CISSP, CSSLP, CCSP, GIAC (GPEN/GXPN/GREM/GICSP), OSCP, or equivalent demonstrated technical depth
  • One or more of the following is desirable: CISM, CRISC, CISA, ISO/IEC 27001 Lead Auditor or Lead Implementer, IEC 62443 Cybersecurity Expert, PMP/PgMP, ITIL Foundation or higher

Tools and Environments

  • Familiarity with vulnerability analysis and reverse engineering tools
  • Familiarity with SAST/DAST/IAST tooling categories
  • Familiarity with offensive security tooling 
  • Familiarity with collaboration and delivery tooling 
  • Comfort operating in a fully remote, cloud-only company environment

Compensation

Our salary ranges are categorized into two tiers based on geographic location:
  • Tier 1 (San Francisco, New York, Seattle): $200,000 - $215,000
  • Tier 2 (All Other Locations): $190,000 - $207,000
The final base salary will be determined by experience, skill set, and specific location. In addition to base pay, this role is eligible for equity and benefits.

About Finite State

At Finite State, we're on a mission to secure the connected world. Our platform empowers product security teams to detect vulnerabilities, manage software supply chain risks, and ensure compliance across complex device ecosystems. From IoT to critical infrastructure, we provide unparalleled visibility into firmware and software components, helping organizations protect their products and customers.

We move with urgency and intent — we’re transparent, own outcomes, put customers first, speak up, and learn fast — turning evidence into action. CLARITY is how we move fast without breaking trust.

  • C - Customer first - Learn from customers. Ship with urgency.
  • L - Leverage - Outsource the routine. Own the result.
  • A - Agency - We take responsibility—end to end.
  • R - Results - Ship value. Improve fast.
  • I - Integrity - Speak up. Experiment boldly. Be kind.
  • T - Transparency - Clear context. Faster decisions.
  • Y - "Why" - Our mission—securing the connected products humanity depends on—is the reason Finite State exists. CLARITY is how we make that mission real, every day, at speed.

Bold Innovation – We push boundaries, explore new ideas, and take initiative to solve complex problems.

The Finite State platform brings visibility and control to the supply chains that create connected devices and embedded systems—all in a simple-to-use platform and at the scale manufacturers need to keep device production on time and on budget. After unpacking and analyzing every file, configuration, and setting in a firmware build, the platform generates a complete bill of materials for software components, identifies known and 0-day vulnerabilities, shows a contextual risk score, and provides actionable insights that product teams can use to secure their software.

We are proud to be an Equal Employment Opportunity employer. We do not discriminate based upon race, religion, color, national origin, gender (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity, gender expression, age, status as a protected veteran, status as an individual with a disability, or other applicable legally protected characteristics. Finite State is committed to working with and providing reasonable accommodations to applicants with physical and mental disabilities.

By submitting your application, you acknowledge that Finite State will collect and process your personal data as described below:

  • Categories of Data: We collect identifiers (name, contact info), professional history (resume, LinkedIn profile), sensitive information (as required for background checks), DEI data (voluntary), and digital activity related to your application.
  • Purpose: This data is used solely to evaluate your qualifications for current and future roles, conduct interviews, and fulfill legal reporting obligations.
  • Retention: If your application is unsuccessful, we will retain your data for 12 months. To ensure you are considered for future opportunities, we will maintain your profile in our talent pool for up to 24 months from the date your application is closed.
  • Data Sharing: Finite State does not sell or share candidate data with third parties for marketing purposes.
  • Automated Decision-Making (ADMT): We may use automated tools to assist in the initial screening of applications. You have the right to opt out of automated processing by contacting privacy@finitestate.io.
  • For EEA/UK Candidates: Our legal bases for processing include:
    • Contractual Necessity: To take steps at your request prior to entering into an employment contract.
    • Legitimate Interest: For retaining data in our talent pool for future role consideration.
    • Explicit Consent: For the collection of any DEI/Diversity data.

Your Rights: You may opt out of our talent pool or request data deletion at any time by emailing privacy@finitestate.io.

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in Finite State’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Voluntary Self-Identification of Disability

Form CC-305
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.