Senior Security Incident Commander

About the Role

As a Senior Security Incident Commander, you will be leading both the strategic and deeply technical aspects of the incident response process for critical-severity and large-scale incidents. You'll blend the roles of Fire Captain, Air Traffic Controller, and NTSB Investigator - not only orchestrating the response with confidence under pressure, but also diving into technical investigations to ensure issues are understood and remediated at their root. You'll leverage your in-depth knowledge of security tools, systems, and threat actor methodologies to bolster Uber's security posture. In this role, you will also pioneer improvements to our incident response program, exploring cutting-edge technologies, novel detection and containment strategies, and advanced investigative techniques. As a leader in Engineering Security, you'll set the technical standard for incident handling and continually elevate the craft of incident response across the organization.

1. Join an on-call rotation to lead security incident response teams for high-criticality cybersecurity incidents across Uber and its subsidiaries.
2. Remain composed and technically effective under pressure, quickly pivoting between high-level strategic decisions and hands-on problem-solving.
3. Serve as the primary point of contact throughout the incident lifecycle, including direct interaction with executives and cross-functional teams.
4. Build strong partnerships with global teams to coordinate investigations, share technical insights, and respond effectively to incidents wherever they occur.
5. Mentor and guide junior analysts, coaching them in advanced investigative methodologies and helping them develop deeper technical skills.
6. Perform detailed root cause analysis, ensuring a rigorous technical understanding of incidents and creating actionable plans to prevent recurrence.
7. Lead or contribute to projects that mature the incident response program including IR tabletop exercises, real-time incident simulations, threat hunting, and compromise assessments- to drive continuous improvement in detection, response, and remediation capabilities.

1. 5+ years of experience in blue team functions (SOC, IR, detection) at a global company, with a proven ability to handle complex, large-scale incidents.
2. Deep familiarity with common threat actor attack patterns and TTPs, as well as an understanding of how to detect and disrupt them.
3. Demonstrated success in driving extremely complex and ambiguous security incidents to closure, including technical investigation and remediation.
4. Experience presenting incident strategy to executives, translating technical findings into clear, actionable business insights.
5. Hands-on technical aptitude, including proficiency in reading logs, comfortable command-line usage, and the ability to dive deep into system, network, or application data to pinpoint root causes.
6. Experience planning and running incident simulations such as tabletop exercises, purple teaming, etc., with an emphasis on highly technical scenarios.

1. Willingness and experience leading and mentoring others, both technically and procedurally.
2. A strong sense of urgency and drive - always looking to improve detection, response, and remediation strategies..
3. Prior experience in incident response at a large tech company, where scale and complexity were significant factors.
4. Broad cybersecurity domain knowledge - including infrastructure security, endpoint security, product security, and data security - to contextualize incidents within the broader security ecosystem.
5. Hands-on scripting and/or coding skills (Python, Go, or similar) to build custom tooling, automate workflows, and/or enhance response capabilities.
6. Experience utilizing or integrating generative AI/ML technologies to streamline incident detection, triage, and remediation workflows.