Lead Security Incident Response Engineer

About the Role:

Motive is looking for a passionate Lead Security Incident Response Engineer to join our Security Engineering team. This team is responsible for the overall security and privacy of all products and services offered by the company. As the Lead Incident Response Engineer, you will be a foundational member, focused on designing, building, and maturing our incident detection and response program. You will be responsible for creating and implementing strategies to identify, analyze, contain, eradicate, and recover from security incidents effectively. This role requires a blend of hands-on technical expertise, strategic program development, and strong cross-functional collaboration.

In this position you will be expected to:

• Design, implement, and continuously improve our incident detection and response capabilities, including security monitoring, alert tuning, and threat hunting.
• Develop and refine incident response policies, processes, and playbooks.
• Lead technical investigations into security incidents from initial alert through to post-mortem analysis and remediation.
• Drive automation initiatives within the incident response lifecycle, leveraging scripting and SOAR platforms to enhance efficiency and reduce manual effort.
• Collaborate closely with engineering, operations, and product teams to integrate security best practices, enhance logging, and ensure swift remediation of vulnerabilities identified during incidents.
• Contribute to the continuous improvement of our security posture by identifying systemic weaknesses and advocating for preventative controls.

What you’ll do:

• Build, mature, and operate a robust incident detection and response program, encompassing people, processes, and technology.
• Develop and implement advanced detection methodologies, rules, and alerts to identify sophisticated threats rapidly.
• Lead and manage the full lifecycle of security incidents, from initial detection and triage to containment, eradication, recovery, and thorough post-incident review.
• Architect and implement security automation solutions to streamline incident response workflows, enrich alerts, and facilitate faster remediation.
• Proactively engage in threat hunting activities to uncover hidden threats and vulnerabilities across our multi-cloud environment.
• Provide expertise and guidance during critical security events, acting as a primary point of contact for technical incident management.
• Document incident findings, lessons learned, and contribute to the development of actionable intelligence to prevent future occurrences.

What we’re looking for:

• Proven ability to manage yourself, prioritize tasks, and produce high-quality results in a fast-paced environment.
• 5+ years of experience in incident response, security operations, or a closely related security discipline.
• Strong proficiency in scripting languages (e.g., Python, Go, PowerShell) for automation, data analysis, and security tooling development.
• In-depth understanding and hands-on experience with security tooling and platforms, including SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), EDR (Endpoint Detection and Response), network forensics tools, and cloud security monitoring solutions.
• Demonstrated experience building, maturing, and scaling incident response programs, including detection engineering, playbook development, and conducting incident post-mortems.
• Expert knowledge of common attack techniques (e.g., MITRE ATT&CK framework), threat intelligence methodologies, and digital forensics principles.
• Strong understanding of cloud security best practices and experience securing environments in public clouds (AWS, Azure, GCP).
• Experience with container orchestration technologies (Docker, Kubernetes) and securing microservices architectures.
• Strong communication and collaboration skills, comfortable working cross-functionally with a track record of delivering results.
• Ability to design and write program/design specifications for self and others, with a focus on comprehensive documentation.
• Self-starting and independent; able to manage and drive complex projects to completion based on defined specifications.
• Able to work across team boundaries, reach consensus amongst disparate viewpoints, and graciously receive feedback.
• Understanding of data structures and their application in security analytics and incident investigations.

As a bonus:

• Relevant industry certifications (e.g., GCIH, GCFA, GCTI, CySA+, CISSP).
• Experience in a highly regulated industry or with compliance frameworks (e.g., SOC 2, ISO 27001).
• Familiarity with serverless architectures and their security implications.