FreeHire

Microsoft

Incident Command & Threat Hunting Operations Manager

Show
Overview

The Incident Command & Threat Hunting Operations Manager is responsible for leading end-to-end incident response governance and proactive threat detection across Fraud & Abuse Security operations. This role ensures rapid, coordinated response to high-severity incidents while driving threat hunting programs that identify and disrupt adversarial activity before impact.

The role operates at the intersection of incident command, threat intelligence, and operational execution, delivering measurable reduction in customer and Microsoft harm through structured processes, data-driven decision-making, and cross-organizational coordination.



Responsibilities

1. Incident Command Leadership & Governance

  • Own and evolve the Major Incident governance model, including severity definitions, escalation pathways, and decision authority
  • Act as incident command authority for high-severity (Sev A / Sev 1) or systemic incidents
  • Coordinate cross-functional response across engineering, fraud, security, and product teams
  • Ensure incidents are driven to resolution with clear ownership, timelines, and accountability
  • Oversee incident classification, severity validation, and escalation consistency
  • Sponsor and drive post-incident reviews (PIRs) to address root cause and systemic gaps

2. Major Incident Lead Management

  • Lead and develop a team of Major Incident Leads (MILs) or equivalent responders
  • Assign and support leadership coverage across incidents and priority workstreams
  • Coach incident leads on:
    • Command and control execution
    • Prioritization and trade-off decisions
    • Stakeholder alignment and communication
  • Step in to stabilize incidents that stall, escalate improperly, or degrade in quality

3. Threat Hunting Strategy & Execution

  • Define and operationalize threat hunting strategy and standards across Fraud Ops ecosystems
  • Lead proactive hunts targeting:
    • Undetected adversary activity
    • Fraud patterns and abuse campaigns
    • Emerging attack techniques and TTPs
  • Ensure hunts are hypothesis-driven, intelligence-informed, and measurable
  • Drive integration of threat intelligence, telemetry, and analytics into hunting workflows

4. Threat Hunt Lead Management

  • Lead and develop a team of Threat Hunt Leads (THLs) or equivalent responders
  • Assign and support leadership coverage across Hunts and priority workstreams
  • Coach incident leads on:
    • Threat Hunt execution
    • Prioritization and trade-off decisions
    • Stakeholder alignment and communication
  • Step in to stabilize Hunts that stall, escalate improperly, or degrade in quality

5. Incident–Threat Hunting Integration

  • Ensure seamless integration between:
    • Reactive incident response
    • Proactive threat hunting
    • Detection engineering and automation
  • Translate incident learnings into:
    • New detections
    • Hunting hypotheses
    • Process and tooling improvements
  • Drive closed-loop improvement model across incidents and hunts

6. Cross-Organizational Coordination

  • Serve as a central coordination point across:
    • Fraud Operations
    • Cyber Defense Operations
    • Engineering and product teams
    • Threat intelligence and detection teams
  • Mobilize appropriate stakeholders during incidents and threat hunts
  • Ensure consistent execution across distributed teams and geographies

7. Operational Excellence & Metrics

  • Define and track key performance indicators:
    • Time to detect (TTD)
    • Time to mitigate (TTM)
    • Incident containment effectiveness
    • Threat hunting yield and impact
  • Establish audit-ready processes and documentation standards
  • Drive continuous improvement across:
    • Incident lifecycle management
    • Threat detection effectiveness
    • Operational efficiency

8. Strategy, Governance & Risk Reduction

  • Align operations to Fraud-first principles and financial harm reduction
  • Ensure policy alignment, compliance, and enforcement consistency
  • Define operational strategies for:
    • Risk prioritization
    • Resource allocation
    • Capability development (automation, tooling, analytics)
  • Influence roadmap for incident response and threat hunting capabilities

Leadership Expectations

  • Operates as a decisive incident commander under pressure
  • Drives clarity in ambiguity and resolves decision bottlenecks
  • Balances strategic foresight with tactical execution
  • Demonstrates systems thinking across incident response and threat detection
  • Builds high-performing teams and elevates senior IC capability

Impact

  • Reduces customer and Microsoft financial harm
  • Improves time-to-detect and time-to-contain threats
  • Increases operational rigor and audit defensibility
  • Enables scalable, repeatable incident response and threat hunting practices
  • Strengthens Microsoft’s security posture against fraud, abuse, and advanced threats


Qualifications

Required Qualifications

  • Doctorate in Statistics, Mathematics, Computer Science, or related field OR Master's Degree in Statistics, Mathematics, Computer Science, or related field AND 3+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, anomaly detection, Security Operations Center (SOC) detection, threat analytics, security incident and event management (SIEM), information technology (IT), or operations incident response
    • OR Bachelor's Degree in Statistics, Mathematics, Computer Science, or related field AND 4+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, anomaly detection, Security Operations Center (SOC) detection, threat analytics, security incident and event management (SIEM), information technology (IT), or operations incident response
    • OR equivalent experience.

Preferred Qualifications

  • Master's Degree in Statistics, Mathematics, Computer Science, or related field AND 6+ years experience in software development lifecycle, large scale computing, threat modeling, cyber security, or anomaly detection
    • OR Bachelor's Degree in Statistics, Mathematics, Computer Science, or related field AND 8+ years experience in software development lifecycle, large scale computing, threat modeling, cyber security, or anomaly detection
    • OR equivalent experience.
  • 1+ year(s) people management and/or team leadership experience, including leading security functions (e.g., SOC, TVM) and multi-disciplinary teams.
  • Relevant certifications preferred (CISSP, CISA, CISM, SANS, OSCP, Security+).
  • Experience in incident response, incident command, threat hunting/detection, and Security Operations (SOC/SecOps).
  • Experience managing high-severity incidents and crisis response at scale.
  • Understanding of adversary tactics, techniques, and procedures (TTPs), threat intelligence integration, and incident management frameworks (e.g., MFIRP, ICS).
  • Experience leading cross-functional teams in complex environments and fraud/abuse ecosystems (e.g., Azure, M365, Partner Center).
  • Familiarity with Kusto, telemetry analysis, ServiceNow or similar case management platforms, and detection engineering/automation pipelines.
  • Experience building operational frameworks, RACI models, and governance structures.


Security Operations Engineering M4 - The typical base pay range for this role across the U.S. is USD $119,800.00 - $234,700.00 per year. There is a different range applicable to specific work locations, within the San Francisco Bay area and New York City metropolitan area, and the base pay range for this role in those locations is USD $160,200.00 - $261,000.00 per year.

Certain roles may be eligible for benefits and other compensation. Find additional benefits and pay information here:
https://careers.microsoft.com/us/en/us-corporate-pay


This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.



Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.