Director, Security Incident Response

Company Overview

Job Overview

You will lead the organization responsible for security incident response, bringing together monitoring, detection engineering, investigations, containment/eradication, and validation of defensive capabilities. Your mission is to reduce business impact from incidents while continuously proving and improving defensive capability through measurable outcomes (for example: MTTD/MTTR improvement and validated detection coverage).

Responsibilities

Lead Incident Response & Security Operations Outcomes

• Own the end-to-end incident lifecycle: triage, investigation, containment, eradication, recovery, and post-incident review, including evidence handling and executive communications.

• Run and mature monitoring, triage, and escalation processes, ensuring consistent severity classification and fast, repeatable response.

• Partner with engineering, on-call operations, and security stakeholders to drive durable remediation and prevent recurrence (lessons learned into controls, detections, and playbooks).

• Scale detection AI-enabled engineering and response to reduce analyst toil and shrink time-to-containment.

Defensive Capability Validation and Testing

• Run continuous, scoped validation of defensive controls using targeted attack-surface tests and technique-level checks.

• Oversee penetration testing management, including coverage planning, vendor governance, retesting, and cost control.

Strategy, Metrics, and Executive Reporting

• Establish a metrics program covering MTTD, MTTR, containment speed, detection quality, ATT&CK-informed coverage, and remediation SLAs, with board-ready narratives.

• Provide regular incident and validation readouts to executive and product leadership to support risk-based decision-making.

• Coordinate with GRC/Legal to support breach notification obligations and provide incident evidence for audits and compliance.

Build the Team & Operating Model

• Lead managers and senior ICs across SOC/IR, detection engineering, automation, and adversary management/validation.

• Set on-call and incident command expectations, develop career paths, hire and retain talent, and manage budget and tooling (SIEM/SOAR/EDR, threat intel, validation platforms).

Qualifications

Minimum Qualifications

• 10+ years in security with significant depth in incident response and security operations, including leading major incidents as an incident commander.

• Strong technical knowledge across cloud and enterprise environments (identity, endpoints, network, logging/telemetry, and common attacker tradecraft).

• Proven ability to brief executives clearly during high-pressure events and drive alignment across engineering, IT, legal, and risk stakeholders.

Preferred Qualifications

• Hands-on expertise with SIEM/SOAR engineering, detection-as-code, and automation; familiarity with MITRE ATT&CK and threat-informed defense measurement.

How Success Will Be Measured

• Reduced MTTD/MTTR and fewer repeat incident classes due to durable fixes.

• Increased validated detection/response coverage and signal quality, with faster containment.

Working Relationships

Close partnership with Cloud Operations, Product Security, Identity/Endpoint teams, and GRC/Legal for incident coordination, evidence handling, and reporting.

Intuit provides a competitive compensation package with a strong pay for performance rewards approach. This position may be eligible for a cash bonus, equity rewards and benefits, in accordance with our applicable plans and programs (see more about our compensation and benefits at Intuit®: Careers | Benefits). Pay offered is based on factors such as job-related knowledge, skills, experience, and work location. To drive ongoing fair pay for employees, Intuit conducts regular comparisons across categories of ethnicity and gender. The expected base pay range for this position in Mountain View, CA is: $307,000 - $415,500.