Cybersecurity Incident Commander

We are seeking a Cybersecurity Incident Commander to join SoFi’s Cyber Defense program and lead incident command efforts across the organization. This role will serve as a central driver for security incident response, ensuring effective management of day-to-day incidents as well as large-scale, high-impact cybersecurity events.

The SOC team is responsible for monitoring, analyzing, and responding to security events across SoFi’s infrastructure and applications. As a dedicated incident response resource within Cyber Defense, you will coordinate cross-functional response efforts, maintain incident command structure during active events, and ensure consistent communication, documentation, and resolution tracking.

This is a highly visible role that partners closely with SOC Analysts, Threat Research, Offensive Security, Tools Automation & Operations (TAO), Engineering, IT, Legal, Risk, Executive team, and other stakeholders to drive timely containment, eradication, and recovery. The ideal candidate thrives in fast-paced environments, brings structure to ambiguity, has exceptional communication skills, and can effectively drive complex incidents from detection through post-incident review.

• →

   Serve as the primary Security Incident Commander for security incidents identified by the SOC.

• →

  Lead and manage the end-to-end lifecycle of security incidents, including triage validation, containment, eradication, recovery, and closure.

• →

  Establish and maintain incident command during high-severity or large-scale incidents.

• →

  Drive cross-functional collaboration and decision making across technical and business teams to ensure timely and effective response.

• →

  Facilitate incident communication, coordinate response resources, and maintain clear situational awareness for all engaged.

• →

  Ensure consistent documentation of incident timelines, impact assessments, decisions, evidence chain of custody, and actions taken.

• →

  Develop and maintain incident severity classifications and escalation criteria that are aligned with organizational and business needs and expectations.

• →

  Provide executive-ready status updates and summaries during major incidents. 

• →

  Coordinate post-incident reviews, including root cause analysis, lessons learned, and tracking of remediation actions.

• →

  Identify and facilitate opportunities to improve incident response processes, playbooks, and communication workflows.

• →

  Partner with SOC leadership to enhance incident metrics, reporting, and operational maturity.

• →

  Organize and participate in tabletop exercises, simulations, and readiness activities to improve Cyber Defense and SOC response capabilities. 

• 3–7+ years of experience in cybersecurity operations, incident response, or SOC environments.

• Direct experience coordinating or leading security incident response efforts in enterprise environments.

• Strong understanding of the incident response lifecycle and frameworks (e.g., NIST 800-61).

• Experience handling high-severity incidents such as ransomware, business email compromise, insider threats, cloud compromise, or data exfiltration events.

• Ability to interpret technical findings and translate them into clear, actionable updates for both technical and non-technical stakeholders.

• Excellent written and verbal communication skills, especially in high-pressure situations.

• Strong organizational skills with the ability to manage multiple concurrent incidents.

• Experience facilitating cross-functional communication across various media channels and driving accountability during live incidents.

• Ability to operate independently while collaborating effectively across distributed teams.

• Experience in a formal CSIRT or Incident Commander role.

• Working knowledge of security technologies such as SIEM, EDR, email security, IAM, cloud security controls, and network monitoring tools.

• Knowledge of regulatory and compliance considerations (e.g., financial services, PCI, SOX, GLBA).

• Experience directing or conducting digital forensics or deep technical investigations.

• Familiarity with cloud-native security incident response (AWS, GCP, or Azure).

• Exposure to MITRE ATT&CK framework and threat intelligence integration.

• Relevant certifications such as GCIA, GCIH, GCED, CISSP, CISM, or similar.

• Experience developing or maintaining incident response playbooks and runbooks.