Principal Incident Responder

About The Position

Requirements

• You have run material incidents at companies with sophisticated threat models, as the most senior commander on the call.
• You have made disclosure-grade calls under regulatory and customer reporting clocks.
• You have written runbooks that other engineers followed under pressure, and rewritten them after they did not work.
• You have built operational processes from the ground up in environments where structure did not previously exist.
• You read the agent-first thesis as one of the most interesting design choices in incident response today.
• You have well-founded opinions on what makes a runbook actually used or an incident response process actually effective.
• You move fluently between technical containment and executive, legal, or customer-facing conversations during a declared incident.
• You see what is needed, scope it yourself, and run with it.

Nice To Haves

• Experience running incidents that bridge cyber, physical, and OT or ICS surfaces.
• Experience at critical-infrastructure operators, data centers, or industrial environments.
• Experience designing or operating agent-augmented incident response, including triage, investigation, or response automation.
• Experience tuning LLM-based IR systems against measured precision and recall.

Responsibilities

• Run material incidents as incident commander, coordinating across detection, response, physical security, data center operations, legal, communications, and customers.
• Build the IR program: runbook standards, severity definitions, materiality methodology, evidence contracts, and post-incident review cadence.
• Define the agent-human contract for response: escalation criteria, evidence packages required from agents, and human verdict feedback into agent quality.
• Design and operate the senior-IR on-call rotation (ack SLAs, escalation chain, fan-out logic) and remain an active senior IC inside it.
• Analyze incident trends and patterns to surface systemic risks and recurring root causes, and turn the learnings into runbook, detection, or program improvements.
• Drive cross-functional follow-through after every significant incident, tracking remediation and systemic fixes to completion across detection, response, infrastructure, and other teams.
• Define and track the IR program’s KPIs and report on them to security and engineering leadership.
• Set the tabletop and exercise cadence for IR readiness, executive crisis-comms, and audit-readiness drills.
• Carry the external face of IR for regulatory and customer disclosure obligations, and audit responses.

Benefits

• Competitive total compensation package (salary + equity)
• Retirement or pension plan, in line with local norms
• Health, dental, and vision insurance
• Generous PTO policy, in line with local norms
• Total compensation may also include equity in the form of stock options.