Threat Detection & Response - Blue Team Lead

About The Position

Requirements

• 6+ years in Incident Response, Security Operations, or Blue Team roles, including leading high-severity incidents end-to-end.
• Proven ability to serve as an escalation lead and incident commander—calm, decisive leadership in ambiguous, high-pressure situations.
• Strong communication skills: able to translate complex technical details into clear, actionable updates for executives and stakeholders.
• Experience operating in cloud-forward enterprises, including hybrid environments spanning SaaS, cloud-native workloads, and on-prem systems.
• Strong familiarity with identity-centric security models and investigations (federated identity, IAM abuse patterns, token theft, conditional access signals).
• Working knowledge of cloud-native architectures (containers/Kubernetes, serverless, CI/CD) and the investigative/containment challenges they introduce.
• Experience partnering with MSSPs and distributed teams; comfortable operating in a hybrid SOC model (internal + ReliaQuest).
• Familiarity with MITRE ATT&CK and applying it to investigative thinking, readiness planning, and validation priorities.
• Experience designing, using, or validating automated response workflows (SOAR) and promoting safe automation patterns.
• Exposure to AI-assisted SOC/IR tooling, including governance considerations (data handling, audit logging, human approval, evaluation).

Nice To Haves

• Experience with purple teaming, detection validation, or adversary simulation platforms (e.g., Atomic Red Team, Caldera, Cymulate).
• Ability to influence engineering roadmaps (telemetry, enrichment, workflow improvements) based on operational pain points and incident learnings.

Responsibilities

• Act as U.S. escalation lead / incident commander for high-severity incidents, owning response strategy, containment decisions, and coordination through resolution.
• Lead cross-functional response with internal CIRT, infrastructure/platform teams, cloud teams, identity teams, legal/compliance, and business stakeholders.
• Provide executive-ready briefings and situational updates during active incidents, clearly communicating risk, impact, tradeoffs, and next steps.
• Ensure post-incident reviews are completed and translated into measurable remediation and program improvements.
• Perform and lead advanced investigations across endpoint, network, identity, cloud control plane, SaaS, and (as needed) on-prem telemetry.
• Drive evidence collection and preservation strategies appropriate for hybrid environments, including cloud-native logging and ephemeral workload considerations.
• Develop investigative narratives: attacker objectives, sequence of actions, impacted assets, containment efficacy, and residual risk.
• Own and continuously improve incident response playbooks (e.g., ransomware/extortion, BEC, cloud account compromise, token/key theft, data exfiltration, insider risk).
• Lead and coordinate exercises and simulations; ensure learnings become concrete improvements (process updates, training, tooling enhancements).
• Establish escalation criteria and decision frameworks (severity, containment triggers, business engagement, recovery prioritization).
• Operationalize AI-assisted workflows to improve incident execution (e.g., alert/case summarization, timeline generation, correlation support, case documentation), ensuring strong governance, auditability, and human-in-the-loop controls.
• Partner with SOC Engineering to define requirements and validate that automation/agentic workflows reduce toil and time-to-contain without increasing operational risk or noise.
• Convert incident lessons-learned into durable improvements across enrichment, routing/prioritization, response plays, and coverage enhancements in partnership with SOC Engineering and ReliaQuest.
• Support threat hunting and purple-team efforts by shaping hypotheses and prioritizing validation based on real incident patterns and business risk (enablement and translation to controls - not primary hunt execution).
• Maintain strong operating rhythm with ReliaQuest and internal teams to ensure smooth escalations, clear responsibilities, and consistent response quality globally.
• Help define, track, and improve operational KPIs such as MTTR, MTTC, time-to-triage, containment SLA adherence, repeat-incident drivers, and quality of post-incident actions.
• Provide insight-driven reporting to TD&R leadership on trends, systemic issues, and targeted investments needed to raise response maturity.

Benefits

• Employees may be eligible for a discretionary bonus, based on factors such as individual and team performance.
• KKR is an equal opportunity employer. Individuals seeking employment are considered without regard to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, sexual orientation, or any other category protected by applicable law.