Threat Detection & Response

Cyber Threat Detection & Response | NYC | $180k + 50% Bonus | Investment Banking | Security


Role: Cyber Threat Detection & Response

Location: Manhattan, NYC

Salary: $160,000 - $180,000 + 30% - 50% Bonus + Benefits


The organization is a global investment and financial services firm with a diversified portfolio across alternative asset management, capital markets, and insurance solutions. Its operating model is built on disciplined investment principles, high‑caliber talent, and long‑term value creation across its businesses and portfolio companies. Affiliates manage investment funds spanning private equity, credit, and real assets, while associated insurance entities provide retirement, life, and reinsurance products.


Technology Team Overview

The Technology organization comprises engineers and product managers dedicated to delivering secure, high‑quality, and scalable solutions that support a sophisticated, globally distributed business. The team values collaboration, continuous learning, and diversity of thought, leveraging its international presence to integrate a broad range of perspectives into product development. Agility, operational rigor, and impact‑driven execution underpin the group’s culture.


Position Overview

The Blue Team Lead serves as the U.S. Regional Lead for complex cyber incidents within the Threat Detection & Response (TD&R) function. This senior role combines hands‑on investigative expertise with responsibility for incident command, containment strategy, stakeholder communication, and organizational readiness.


The environment is transitioning toward a cloud‑first and identity‑first operating model, with increasing emphasis on runtime and SaaS as core investigative surfaces. The role partners closely with a managed security service provider (MSSP), an internal Computer Incident Response Team (CIRT), and engineering teams to drive efficiency, consistency, and quality in incident response.

The Blue Team Lead also works closely with SOC Engineering, defining requirements for automation and AI‑enabled workflows and ensuring that response processes remain reliable under operational pressure.


Key Responsibilities


Incident Leadership & Command (U.S. Regional Lead)

  • Serve as the U.S. escalation lead and incident commander for high‑severity cyber incidents, driving response strategy, containment decisions, and cross‑functional coordination through resolution.
  • Lead response operations with CIRT, platform teams, cloud teams, identity teams, legal/compliance, and business stakeholders.
  • Deliver concise, executive‑ready briefings during active incidents, communicating risk, impact, tradeoffs, and recommended actions.
  • Ensure post‑incident reviews are completed and translated into measurable program improvements.


Advanced Investigations (Cloud/Identity/Runtime‑First; Hybrid‑Aware)

  • Lead complex investigations across endpoint, network, identity, cloud control plane, SaaS, and on‑prem telemetry.
  • Define evidence collection and preservation strategies suitable for hybrid and cloud‑native environments, including ephemeral workloads.
  • Produce comprehensive investigative narratives detailing attacker objectives, activity timelines, impacted assets, containment effectiveness, and residual risk.


Readiness, Playbooks & Exercises

  • Own and maintain incident response playbooks for scenarios such as ransomware, BEC, cloud account compromise, token/key theft, insider risk, and data exfiltration.
  • Lead tabletop exercises and simulations, converting findings into tangible process, tooling, and training improvements.
  • Establish escalation criteria and decision frameworks governing severity, containment triggers, business engagement, and recovery priorities.


AI‑Enabled Response & Analyst Acceleration

  • Operationalize AI‑supported workflows (summarization, correlation, timeline generation, case documentation) with strong governance, auditability, and human‑approval checkpoints.
  • Partner with SOC Engineering to ensure automation and agentic workflows reduce time‑to‑contain and analyst workload without introducing risk or noise.


Continuous Improvement & Partner Management

  • Translate incident learnings into durable enhancements for enrichment, routing, prioritization, response plays, and coverage—collaborating with SOC Engineering and the MSSP.
  • Contribute to threat‑informed defense efforts by shaping hypotheses and validation priorities derived from real incident patterns and business risk.
  • Maintain strong partnership and operating discipline with the MSSP and internal teams to ensure consistent, high‑quality escalations and response execution globally.


Metrics & Reporting

  • Help define and track KPIs such as MTTR, MTTC, time‑to‑triage, containment SLA adherence, repeat-incident drivers, and quality of post‑incident actions.
  • Provide data‑driven reporting to TD&R leadership on systemic risks, trends, and targeted investment areas.


Qualifications

  • 6+ years in Incident Response, Security Operations, or Blue Team roles, with experience leading high‑severity incidents end‑to‑end.
  • Demonstrated ability to act as an escalation lead and incident commander with composure in high‑pressure, ambiguous situations.
  • Strong communication skills with the ability to deliver clear, actionable updates to executives and stakeholders.
  • Experience in cloud‑forward and hybrid environments spanning SaaS, cloud‑native workloads, and on‑premises systems.
  • Strong familiarity with identity‑centric investigations (federated identity, IAM abuse, token theft, conditional access signals).
  • Working knowledge of cloud‑native architectures (containers, Kubernetes, serverless, CI/CD) and their investigative challenges.
  • Experience operating within a hybrid SOC model and partnering with MSSPs.
  • Familiarity with MITRE ATT&CK and its application to readiness and validation.
  • Experience with automated response workflows (SOAR) and safe automation governance.
  • Exposure to AI‑assisted SOC/IR tooling, including auditability and human‑in‑the‑loop considerations.
  • Preferred: experience with purple teaming, detection validation, or adversary simulation platforms.
  • Preferred: ability to shape engineering roadmaps for telemetry, enrichment, or workflow improvements.

Ideal Candidate Profile

  • Incident leader with strong ownership and the ability to structure ambiguity.
  • Technically deep, with a strong understanding of attacker behavior and business impact.
  • Operationally disciplined, emphasizing repeatable processes and continuous improvement.
  • Collaborative and influential, able to align internal teams and the MSSP.
  • Future‑focused, comfortable operating in cloud‑first and AI‑enabled environments.


Why This Role

The position offers a significant opportunity to shape incident response outcomes at scale within a sophisticated global environment. The U.S. Regional Lead plays a central role in strengthening readiness, accelerating containment, and modernizing response practices for a cloud‑driven, AI‑enabled future while partnering closely with high‑performing internal and external teams.