Incident Command & Threat Hunting Operations Manager

Microsoft · Big Tech · Redmond, WA +1 · Security Operations Engineering

This role leads incident response and threat hunting operations for Fraud & Abuse Security at Microsoft. It involves managing major incidents, defining threat hunting strategies, and coordinating cross-functional teams to reduce customer and Microsoft harm. The role requires strong leadership, operational excellence, and experience in cybersecurity incident management.

What you'd actually do

  1. Own and evolve the Major Incident governance model, including severity definitions, escalation pathways, and decision authority
  2. Act as incident command authority for high-severity (Sev A / Sev 1) or systemic incidents
  3. Define and operationalize threat hunting strategy and standards across Fraud Ops ecosystems
  4. Lead and develop a team of Major Incident Leads (MILs) or equivalent responders
  5. Lead and develop a team of Threat Hunt Leads (THLs) or equivalent responders

Skills

Required

  • Doctorate in Statistics, Mathematics, Computer Science, or related field OR Master's Degree in Statistics, Mathematics, Computer Science, or related field AND 3+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, anomaly detection, Security Operations Center (SOC) detection, threat analytics, security incident and event management (SIEM), information technology (IT), or operations incident response

Nice to have

  • Master's Degree in Statistics, Mathematics, Computer Science, or related field AND 6+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, or anomaly detection
  • Bachelor's Degree in Statistics, Mathematics, Computer Science, or related field AND 8+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, or anomaly detection
  • Equivalent experience
  • 1+ year(s) people management and/or team leadership experience, including leading security functions (e.g., SOC, TVM) and multi-disciplinary teams
  • Relevant certifications preferred (CISSP, CISA, CISM, SANS, OSCP, Security+)
  • Experience in incident response, incident command, threat hunting/detection, and Security Operations (SOC/SecOps)
  • Experience managing high-severity incidents and crisis response at scale
  • Understanding of adversary tactics, techniques, and procedures (TTPs), threat intelligence integration, and incident management frameworks (e.g., MFIRP, ICS)
  • Experience leading cross-functional teams in complex environments and fraud/abuse ecosystems (e.g., Azure, M365, Partner Center)
  • Familiarity with Kusto, telemetry analysis, ServiceNow or similar case management platforms, and detection engineering/automation pipelines
  • Experience building operational frameworks, RACI models, and governance structures

What the JD emphasized

  • high-severity
  • threat hunting
  • incident response
  • cross-functional