Job description

At Citi, we get to connect millions of people across hundreds of cities and countries every day. And we've been doing it for more than 200 years. We do this through our unparalleled global network. We provide a broad range of financial services and products to our clients – whether they be consumers, corporations, governments or institutions – to help them meet their biggest opportunities and face the world's toughest challenges.

Citi's Cloud Incident Response (Cloud IR) team seeks a Cloud Incident Responder (VP) to own and strategically lead security incident response within Citi's dynamic public cloud environments and critical SaaS/PaaS platforms. Every day, $5 trillion crosses through our network across 180+ countries — and your leadership will be central to protecting it.

You will work closely with global stakeholders to ensure robust and effective security incident response, safeguarding the integrity of cloud-based services and data across Citi's diverse technology footprint — including cloud-native databases like Snowflake and MongoDB, and enterprise productivity suites like M365. Your leadership is critical in establishing a proactive and coordinated approach to responding to sophisticated cloud security incidents and strategically managing security risks in a timely and effective manner.

You will align your objectives with the wider Cyber Security Operations priorities at Citi, driving the evolution of our processes, procedures, and cutting-edge tools to ensure the firm is ready to tackle the most critical security incident response challenges within the evolving cloud ecosystem and beyond.

Responsibilities:

Perform incident response functions including but not limited to:

  • Detailed cloud-focused investigations by analyzing logs from CSPs, Snowflake, MongoDB, and M365 security platforms.
  • Orchestrating the execution of automation to gather forensic artifacts (memory, disk, cloud resource configurations) for in-depth analysis.
  • Implementing and overseeing cloud-native automation for decisive resource containment actions across compromised environments, including data platforms.
  • Conducting advanced host-based and cloud-native analytical functions (digital forensics, metadata analysis) to proactively uncover Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs).
  • Ensuring meticulous documentation capturing the Who, What, When, Where, Why and How of each incident, with a focus on actionable insights.
  • Architect, refine, and champion cutting-edge incident response playbooks that proactively address emerging threats across cloud, SaaS, PaaS, and M365 ecosystems, driving operational excellence and swift resolution.
  • Take ownership of and innovate the development of new automation capabilities and supporting playbooks across assigned cloud and enterprise SaaS/PaaS domains, fostering a culture of continuous improvement.
  • Collaborate strategically with application and infrastructure stakeholders to identify key components and information sources — cloud environments, instances, middleware, applications, databases (Snowflake, MongoDB), M365 logs — influencing security architecture decisions.
  • Engage with global multidisciplinary groups for triaging, defining scope, and investigating large-scale security incidents impacting diverse cloud and enterprise systems, acting as a central coordinator and trusted advisor to the CISO business function.
  • Actively participate in threat modeling of new services and capabilities, readiness exercises such as purple team, tabletops, and CTFs — especially those involving cloud data, Snowflake, MongoDB, and M365 security scenarios — sharing expertise and influencing strategy.


Qualifications:

  • 6-10 years of relevant experience in Cloud Security and/or Incident Response
  • Demonstrated technical expertise and genuine interest in Cloud security-focused services, tools, technologies and wider ecosystem
  • Hands-on experience with security constructs and incident response within SaaS/PaaS offerings — specifically Snowflake, MongoDB, and M365 Security — including monitoring, threat detection, and response capabilities within these platforms
  • Problem-solving capabilities with a strong understanding of security incident response processes, excellent technical documentation skills, and proven analytical skills to tackle novel, complex security challenges
  • Experience with any log aggregation & analytics tools such as Splunk, Sentinel, Chronicle and understanding of specific logging/auditing features of Snowflake, MongoDB, and M365
  • Security tooling experience with Aquasec, Wiz, AppOmni or similar cloud-native security platforms is a strong advantage
  • Ability to operate independently with minimal oversight when dealing with technical analysis
  • Relevant cloud focused certifications and accreditations are preferable, but not mandatory


Education:

  • Bachelor’s degree/University degree or equivalent experience
  • Master’s degree preferred


This job description provides a high-level review of the types of work performed. Other job-related duties may be assigned as required.

Job Summary

  • Published on: 21 May, 2026
  • Category: Banking / Finance
  • Vacancy: 1
  • Job type: Full Time
  • Salary:
  • Location: On site
  • Job Nature: Full Time
