Senior Manager - Product Red Team

ServiceNow seeks an experienced offensive security leader to build and lead the Product Red Team. This newly established function emulates real-world attacks against synthetic ServiceNow customer instances to identify vulnerabilities, misconfigurations, and design gaps before external threat actors or researchers discover them.

This role requires an operator who has led offensive security operations in high-consequence environments—covert intelligence or military settings preferred—with proven ability to establish operational standards, navigate ambiguous mission parameters, and influence cross-functional stakeholders around complex security trade-offs.

You will build upon this team's charter, engagement frameworks, and rules of engagement with other teams. You will help drive ServiceNow's product security and response posture through adversary emulation, vulnerability research, exploit development, and collaboration with other offensive and defensive teams.

Key Responsibilities

Establish Operations Objectives, Policies & Procedures

Own Product Red Team's operation objectives and engagement selection criteria in alignment with product security roadmap and risk register, CISO directives, and company priorities.
Expand upon rules of engagement, threat actor emulation standards, testing policies, and protocols.
Establish operational security procedures for covert operations, detection evasion, and incident response protocols.
Create escalation procedures and approval frameworks for high-risk engagements.
Own campaign selection processes, engagement proposal templates, and findings documentation and readout standards.

Define Engagement Framework & Success Metrics

Design and implement engagement types: vulnerability risk assessment, product security assessments, and ongoing adversarial campaigns.
Establish and report on technical and operational success metrics: kill chain coverage, remediation velocity, and detection engineering insights.
Create reporting templates—technical findings, executive briefings, engineering recommendations—that drive actionable remediation.
Define boundaries and operational testing windows in coordination with product engineering and detection engineering teams.

Lead Offensive Operations Team

Build team capability across threat actor emulation, exploit development, persistence mechanisms, supply chain security, and AI-specific attack vectors (prompt injection, model manipulation, data poisoning).
Mentor team on operational security tradecraft, documentation discipline, and risk management under ambiguous conditions.
Support team members in their time zones, spanning from US West Coast to India.

Conduct Complex Offensive Operations

Design and execute operations simulating realistic attack paths against synthetic customer instances—from initial access through persistence, lateral movement, and data staging.
Demonstrate real-world exploitability of vulnerability chains, design flaws, and configuration gaps.
Validate security controls, detection capabilities, and logging sufficiency across kill chain phases.
Identify and exploit legitimate ServiceNow features for malicious purposes ("living off the land" testing) to reveal detection gaps.
Build and operate proof-of-concept exploits and command & control channels that inform both remediation and detection priorities.

Navigate Cross-Functional Complexity

Persuade product engineering leadership through threat demonstration, remediation prioritisation, and security feature recommendations based on evidence-based risk assessment.
Coordinate with Detection Engineering and Purple Team on testing windows, alert tuning, and detection blind spots identified through campaigns.
Collaborate with Product Security leadership on engagement approval, customer data handling exceptions, and privacy/compliance trade-offs.
Advise CISO and VP leadership on emerging attack vectors—particularly AI-driven threats—and systemic product security gaps.
Manage stakeholder expectations around operational secrecy, testing windows, and capability limitations.

Drive Product Security Outcomes

Show the business impact of chained vulnerabilities through realistic exploitation scenarios and customer-relevant context.
Influence product design decisions through security architecture recommendations and validated control requirements.
Identify new vulnerabilities ahead of external researchers and bug bounty programs.
Build organisational confidence in product security posture through tested detection maturity and observed remediation effectiveness.

12+ years of offensive security experience, with minimum 5+ years leading offensive operations teams in mission-critical environments.
Background in leading covert offensive cyber operations in:
Intelligence communities, or
Contracted equivalent, or
Top-tier private-sector adversary emulation firms or internal teams.

Expertise in:

Threat actor emulation and MITRE ATT&CK methodologies as translated and applied to product security.
Exploit development and proof-of-concept creation.
Persistence mechanisms, detection evasion, and command & control operations in SaaS environments.
Kill chain analysis and attack path development.
Security control validation and testing under strict rules of engagement.

Proven ability to:

Operate under ambiguous mission parameters and establish doctrine.
Establish and enforce operational security discipline in high-stakes environments.
Navigate regulatory and legal constraints while maintaining operational effectiveness.
Mentor elite operators and maintain team excellence under pressure.
Brief executives on complex security risks and influence decision-making.
Product security awareness: Familiarity with SDLC integration, CI/CD pipelines, SaaS threat models, and multi-tenant architecture considerations.

Preferred Qualifications

Experience leading red teams against software products or SaaS platforms.
Background in emerging threats: AI-specific attack vectors (prompt injection, model poisoning, adversarial inputs), software supply chain security, SDLC tooling security.
Published security research or speaking engagements at tier-1 security conferences.
Experience with cloud infrastructure testing (AWS, Azure, GCP) and containerised environments.
Familiarity with enterprise customer deployment patterns and security control expectations.

Work Personas

We approach our distributed world of work with flexibility and trust. Work personas (flexible, remote, or required in office) are categories that are assigned to ServiceNow employees depending on the nature of their work and their assigned work location. Learn more here. To determine eligibility for a work persona, ServiceNow may confirm the distance between your primary residence and the closest ServiceNow office using a third-party service.

Equal Opportunity Employer

ServiceNow is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, national origin, age, disability, gender identity, veteran status, or any other category protected by law. In addition, all qualified applicants with arrest or conviction records will be considered for employment in accordance with legal requirements.

Accommodations

We strive to create an accessible and inclusive experience for all candidates. If you require a reasonable accommodation to complete any part of the application process, or are unable to use this online application and need an alternative method to apply, please contact globaltalentss@servicenow.com for assistance.

Export Control Regulations

For positions requiring access to controlled technology subject to export control regulations, including the U.S. Export Administration Regulations (EAR), ServiceNow may be required to obtain export control approval from government authorities for certain individuals. All employment is contingent upon ServiceNow obtaining any export license or other approval that may be required by relevant export control authorities.