
Exelon

Sr Cyber Security Engineer

Millsboro, DE

Full details on LinkedIn

The complete job description, requirements, and application details are available on the original posting.


About Exelon

Exelon Corporation is a prominent American public utility company based in Chicago, Illinois. Established in 2000 through the merger of PECO Energy Company and Unicom Corporation, Exelon has become one of the largest utilities in the U.S. by revenue and customer base, serving around 10 million customers across several states. It ranks 187th on the Fortune 500 list and operates through six regulated utility subsidiaries, including Commonwealth Edison in Illinois and Baltimore Gas and Electric in Maryland. The company focuses on energy generation, delivery, and unregulated enterprises. Exelon operates the largest nuclear fleet in the U.S., contributing significantly to nuclear power generation. It also provides electricity and natural gas distribution services through its subsidiaries. Committed to sustainability, Exelon aims to reduce its carbon footprint and supports environmental initiatives. The company values bold leadership, creativity, accountability, and a strong commitment to safety and environmental stewardship in its operations.

Industry

utilities

Employees

20,000

858 engineers

Revenue

$23B

Security at Exelon

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

Exelon's AppSec mission and developer enablement approach are not publicly available. Their risk philosophy is based on a risk-based, intelligence-driven, 'defense-in-depth' approach for cybersecurity and physical security, considering them top enterprise risks. The Security Risk and Intelligence team manages security policy and risk to create a holistic security risk governance framework. A stated goal is to create metrics to understand how well business units implement security guidance, with these metrics eventually applying to application portfolios. There is a significant lack of recent public information directly addressing AppSec philosophy and developer enablement, but no contradictions were found.

Security Team

Exelon's cybersecurity is managed at the enterprise level, aligning IT and operational technology controls with NIST's Cybersecurity Framework. In 2012, a Chief Security Officer position was established, leading the Corporate and Information Security Services (CISS) organization, which includes Information Security, Physical Security, Support Services, and Security Risk and Intelligence. Key public-facing leaders include Matt Rogers (Independent Director) and David Glockner (Executive Vice President, Compliance, Audit & Risk), though no key quotes are publicly available for them. The team size estimate is not publicly available. LinkedIn searches were conducted using queries like 'site:linkedin.com "Exelon" "application security"' and 'site:linkedin.com "Exelon" "cybersecurity"'. As of, there is 1 active AppSec job posting for a 'Cyber Sec Vul Mgmt Anlst'. Common skill patterns from this posting include performing vulnerability and security assessment engagements, developing governance documentation for security vulnerability processes, and knowledge/experience in application security standards, methodologies, technologies, and testing. There is limited public information on specific AppSec team structure or size, and the available job posting is for a vulnerability management analyst role with application security responsibilities, rather than an explicit 'Application Security Engineer' role.

Key Initiatives

There is no public evidence of a Security Champions Program or specific 'Shift Left' practices at Exelon. Their vulnerability management process involves continuous monitoring for malicious activity and routine vulnerability evaluations. They have a robust, centralized incident response program aligned with NIST's Cybersecurity Framework to manage and respond to cybersecurity and physical incidents. For Secure SDLC artifacts, Exelon queries its vendors on acceptable use standards, policies, and cybersecurity governance issues, with vendors answering approximately 109 questions across nine domains, including system development, application security, overall system security, and vulnerability management. Recent initiatives from the last 6 months are not publicly available. While there is evidence of a robust cybersecurity program and vendor security assessments that include application security, specific details on internal AppSec initiatives are limited.
