What you'd actually do

Command the highest severity and most complex security incidents across Uber and its subsidiaries, serving as the single accountable leader during active response.

Participate in an on-call rotation where you are expected to make real-time decisions with incomplete information, balancing speed, risk, and impact.

Act as the incident authority, not just a facilitator - forming hypotheses, setting strategy, and directing investigative focus.

Transition seamlessly between executive-level incident leadership and hands-on technical investigation, including log analysis, system interrogation, and root cause validation.

Serve as the primary interface to senior leadership during critical incidents, translating evolving technical realities into clear risk, impact, and decision frameworks.

Skills

Required

Security operations, detection, or incident response at scale
Technical investigation skills
Executive briefing during incidents
Incident simulation design/execution
Building or leveraging AI-driven tooling for incident response

Nice to have

Leading responders
Technical mentorship
Bias for action and continuous improvement
Experience in distributed, cloud-scale environments
Broad security domain knowledge
Scripting or coding (Python, Go, or similar)

What the JD emphasized

ownership of ambiguous, large, complex, high-impact incidents

Deep familiarity with modern attacker TTPs

Strong technical investigation skills

Experience briefing executives during active incidents

Experience designing or running technical incident simulations

Experience building or leveraging AI-driven tooling to improve incident response posture, applying frontier technology to workflows such as triage, investigation, correlation, or decision support.

About the Role

As a Senior Security Technologist, Incident Command, you are accountable for leading Uber’s most critical, complex, and high-impact security incidents end-to-end - from escalation to containment, recovery, and systemic remediation.

You operate at the intersection of Fire Captain, NTSB Investigator, and hands-on technical practitioner. In the moment, you take command - setting strategy, assigning resources, and making high-consequence decisions under pressure. After the smoke clears, you drive deep technical investigation and post-incident analysis to ensure we understand not just what happened, but why it happened, and that meaningful, durable fixes are made.

This is not a passive coordination role. You are expected to be technically credible, decisive in ambiguity, and comfortable owning outcomes when there is no playbook. You will shape how Uber responds to security incidents at scale - raising the technical bar, building and modernizing tooling and workflows, and influencing teams beyond Engineering Security.

What the Candidate Will Need / Bonus Points

---- What the Candidate Will Do ----

Command the highest severity and most complex security incidents across Uber and its subsidiaries, serving as the single accountable leader during active response.
Participate in an on-call rotation where you are expected to make real-time decisions with incomplete information, balancing speed, risk, and impact.
Act as the incident authority, not just a facilitator - forming hypotheses, setting strategy, and directing investigative focus.
Transition seamlessly between executive-level incident leadership and hands-on technical investigation, including log analysis, system interrogation, and root cause validation.
Serve as the primary interface to senior leadership during critical incidents, translating evolving technical realities into clear risk, impact, and decision frameworks.
Build and maintain strong working relationships with global engineering, infrastructure, legal, privacy, and operations teams to enable fast, coordinated response.
Conduct rigorous post-incident analysis in the spirit of an NTSB investigation - focused on systemic causes, contributing factors, and concrete prevention.
Mentor and develop other responders and incident leaders, raising the organization’s ability to handle complex, time-critical security events.
Lead and materially contribute to initiatives that mature Uber’s incident response program, including:
High-fidelity incident simulations and technical tabletop exercises
Threat-informed response planning and scenario development
‘Left of boom’ threat modeling to prevent incidents before they occur
Improvements to detection, containment, and response automation
Adoption of new investigative techniques and tooling, including AI-assisted workflows

---- Basic Qualifications ----

5+ years in security operations, detection, or incident response roles at scale, with demonstrated ownership of ambiguous, large, complex, high-impact incidents.
Deep familiarity with modern attacker TTPs and how they manifest across logs, systems, networks, endpoints, and applications.
Strong technical investigation skills - comfortable working directly with logs, telemetry, and raw system data to validate hypotheses and determine root cause.
Experience briefing executives during active incidents, with the ability to clearly explain tradeoffs, risks, and recommended actions.
Experience designing or running technical incident simulations (tabletops, purple team exercises, or similar) that stress real-world response capabilities.
Experience building or leveraging AI-driven tooling to improve incident response posture, applying frontier technology to workflows such as triage, investigation, correlation, or decision support.

---- Preferred Qualifications ----

Demonstrated experience leading other responders through direct command during incidents and longer-term technical mentorship.
Strong bias for action and continuous improvement - uncomfortable with leaving with a shrug if things aren’t right.
Experience responding to incidents in highly distributed, cloud-scale environments where blast radius and coordination complexity are significant.
Broad security domain knowledge (infrastructure, endpoint, product, identity, data) and the ability to reason across them during incidents.
Ability to script or code (Python, Go, or similar) to automate response tasks, prototype tooling, or close operational gaps.

For San Francisco, CA-based roles: The base salary range for this role is USD$180,000 per year - USD$200,000 per year.

For Seattle, WA-based roles: The base salary range for this role is USD$180,000 per year - USD$200,000 per year.

For Sunnyvale, CA-based roles: The base salary range for this role is USD$180,000 per year - USD$200,000 per year.

For all US locations, you will be eligible to participate in Uber's bonus program, and may be offered an equity award & other types of comp. All full-time employees are eligible to participate in a 401(k) plan. You will also be eligible for various benefits. More details can be found at the following link https://jobs.uber.com/en/benefits.

Uber's mission is to reimagine the way the world moves for the better. Here, bold ideas create real-world impact, challenges drive growth, and speed fuels progress. What moves us, moves the world - let's move it forward, together.

Uber is proud to be an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to sex, gender identity, sexual orientation, race, color, religion, national origin, disability, protected Veteran status, age, or any other characteristic protected by law. We also consider qualified applicants regardless of criminal histories, consistent with legal requirements. If you have a disability or special need that requires accommodation, please let us know by completing this form.

Offices continue to be central to collaboration and Uber's cultural identity. Unless formally approved to work fully remotely, Uber expects employees to spend at least half of their work time in their assigned office. For certain roles, such as those based at green-light hubs, employees are expected to be in-office for 100% of their time. Please speak with your recruiter to better understand in-office expectations for this role.