What you'd actually do

Lead, mentor, and grow a team of multiple elite Incident Responders.

Partner with Cyber Defense & Response (CDR) leadership to build and implement a forward-looking strategy for our defense capabilities.

Define clear, actionable goals for the team and track success through impactful metrics (MTTD, MTTR) rather than just tracking busywork

Oversee day-to-day cyber operations across multiple defense services, including our Threat Hunting Capabilities

Act as the ultimate escalation point. When a complex, Sev-1 incident hits, you are rolling up your sleeves, guiding the technical investigation, and driving mitigation.

Skills

Required

Incident Response
SOC
Threat Hunting
DFIR
Malware Analysis
Team leadership and mentoring
Cybersecurity strategy development
Incident command and coordination
Automation of security tasks
Understanding of attacker TTPs
Enterprise IT infrastructure knowledge (networking, cloud)
OS security (Windows, Linux, macOS)
IR playbook development and maintenance
Communication and stakeholder management

Nice to have

GCIH
GCFA
OSCP
OSCE
GREM

What the JD emphasized

heavy operational security experience

direct management experience

Proven ability to step into the chaos of a complex, high-impact security incident

Practitioner at Heart

Deep, practical understanding of modern attacker methodologies

Robust understanding of enterprise IT

Solid experience writing, tuning, and maintaining operational IR playbooks

Booking Holdings Romania is a Center of Excellence based in Bucharest, Romania and was created to support the increasing business demands of the Booking Holdings Brands. The Center of Excellence provides access to specialized and highly skilled talent, leading industry best practices, and collaboration opportunities across all of our Brands.

As part of our Booking Holdings Romania team, you will have the opportunity to be a part of the world’s leading provider of online travel, with a mission of making it easier for everyone to experience the world through five-primary consumer facing brands: Booking.com, Priceline, Agoda, KAYAK and OpenTable.

Role description

We aren't just looking for a manager; we are looking for a tactical leader. As the CSIRT Manager at Booking.com, you will own the operational heartbeat of our cyber defense. You will empower a highly skilled team of multiple Incident Responders and Threat Hunters to proactively hunt adversaries and crush high-severity threats before they impact our business. You will drive an automation-first approach, shape our response strategy, and serve as the technical authority when things get critical.

This role provides a hybrid way of working with an onsite presence of 2 days/week.

Key Job Responsibilities and Duties** **

Lead & Empower the Team:

Coach & Scale: Lead, mentor, and grow a team of multiple elite Incident Responders. Build a culture of continuous learning, high performance, and psychological safety.
Own the Roadmap: Partner with Cyber Defense & Response (CDR) leadership to build and implement a forward-looking strategy for our defense capabilities.
Goal Setting & Impact: Define clear, actionable goals for the team and track success through impactful metrics (MTTD, MTTR) rather than just tracking busywork

Drive Operational Excellence:

Command the Operation: Oversee day-to-day cyber operations across multiple defense services, including our Threat Hunting Capabilities
Automate & Optimize: Champion continuous improvement. Relentlessly find opportunities to tune detections, automate repetitive tasks, and streamline our playbooks and workflows.
Stakeholder Alignment: Act as the bridge between technical operations and senior leadership. Provide sharp, granular metrics and clear executive updates that translate technical risk into business impact.

Technical Command & Collaboration:

The Final Escalation: Act as the ultimate escalation point. When a complex, Sev-1 incident hits, you are rolling up your sleeves, guiding the technical investigation, and driving mitigation.
Continuous Testing: Support or Partner with Red, Blue, and Purple teams during live exercises. Use the findings to harden Booking.com’s defenses and close visibility gaps.
Always Ready: Guarantee 24/7 protection of the Booking.com brand by managing the team's out-of-hours scheduling and readiness, while also actively sharing the load by personally providing on-call escalation support (nights, weekends, and holidays) as needed.

Role Qualifications and Requirements

Experience & Leadership

The Baseline: 5 to 8 years of heavy operational security experience (Incident Response, SOC, Threat Hunting, DFIR, Malware Analysis).
Leadership Chops: At least 1 year of direct management experience leading, mentoring, and scaling a team of highly skilled Incident Responders.
Incident Command: Proven ability to step into the chaos of a complex, high-impact security incident, assess risk quickly, and coordinate a decisive response across multiple technical and business units.

Technical Mastery

Practitioner at Heart: You are a leader, but you are still well-plugged into the world of hacking and defense. You can roll up your sleeves to read logs, collect technical evidence, and piece together the full picture of an attack.
Adversary Knowledge: Deep, practical understanding of modern attacker methodologies (TTPs) and how to hunt them using enterprise-grade security tools.
Infrastructure Fluent: Robust understanding of enterprise IT (networking, cloud, virtualization) and deep, advanced knowledge of at least one major OS architecture (Windows, Linux, or macOS).
Process Architect: Solid experience writing, tuning, and maintaining operational IR playbooks, runbooks, and workflow documentation.

Mindset & Qualifications

Education & Certs: A Bachelor’s Degree (or equivalent real-world experience), ideally backed by respected, hands-on technical certifications (e.g., GCIH, GCFA, OSCP, OSCE, GREM, etc.).
Communication: Exceptional interpersonal skills with the ability to translate highly complex technical findings into clear, actionable advice for both technical engineering teams and non-technical stakeholders.
The "Can-Do" DNA: You are a self-starter who takes extreme ownership. You are flexible, solution-oriented rather than problem-oriented, and proactively look for ways to optimize your team's capabilities.
Mission Ready: Willingness to participate in the on-call rotation and work non-standard hours when critical incidents strike.

Benefits & Perk****s

Contributing to a high scale, complex, world renowned product and seeing real-time impact of your work on millions of travelers worldwide
Working in a fast-paced and performance driven culture
Technical, behavioral and interpersonal competence advancement via on-the-job opportunities, experimental projects, hackathons, conferences and active community participation
Competitive compensation and benefits package
Vast amounts of data to validate your ideas and the opportunity to experiment with real users

Booking Holdings is proud to be an equal opportunity workplace and is an affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. We strive to move well beyond traditional equal opportunity and work to create an environment that allows everyone to thrive.

Pre-Employment Screening

If your application is successful, your personal data may be used for a pre-employment screening check by a third party as permitted by applicable law. Depending on the vacancy and applicable law, a pre-employment screening may include employment history, education and other information (such as media information) that may be necessary for determining your qualifications and suitability for the position.