Security Operations Analyst
Location
United Kingdom
Posted
8 days ago
Salary
£40.7K / year
Seniority
Mid Level
Job Description
Security Operations Analyst
Care Quality Commission
Role Description
Make a difference. Every role at CQC contributes to our mission. If you’re looking for a new role in Cyber Security that gives a true sense of meaning and purpose, then you’ve found it! Our team helps keep CQC’s systems and data safe, so we can focus on improving health and care for everyone.
Picture this: You’re working in a supportive team, investigating security alerts, making sense of complex information, and helping reduce risks across the organisation. Your work helps keep systems safe and ensures we respond quickly to emerging threats.
As a Security Operations Analyst, you will:
- Lead the early investigation of a suspected data breach, analysing information from multiple systems to provide clear recommendations that protect sensitive data.
- Carry out in-depth research into cyber threats and trends, using advanced tools to identify patterns and suggest improvements to strengthen our security approach.
The role involves:
- Managing security incidents: Act as a key contact for security alerts, queries, and incidents, ensuring they are logged, assessed, and handled quickly to reduce risk.
- Investigating and analysing threats: Carry out detailed investigations into cyber incidents, including root cause analysis, and suggest clear actions to prevent repeat issues.
- Improving security and resilience: Work with internal teams and partners to fix vulnerabilities, strengthen defences, and support the ongoing development of our security tools and processes.
Qualifications
- Experience investigating and responding to cyber security incidents, including analysing data and recommending actions to reduce risk.
- Hands-on experience using Microsoft security tools such as Sentinel, Defender XDR, or Entra to monitor, detect, and respond to threats.
- Experience working with recognised security standards or frameworks (such as ISO 27001, GDPR, or similar) and applying them in day-to-day work.
Requirements
- To progress your application, you’ll need to provide evidence of your right to work in the UK. Without valid right to work you won’t be eligible for the role.
- We are unable to offer sponsorship for this role.
- Some roles may also be subject to a satisfactory DBS check.
Benefits
- Annual leave starting at 27 days per year, rising to 32.5 days with service, plus bank holidays (usually 8 days per year).
- Training and development opportunities.
- Wellbeing initiatives, such as gym discounts and meditation.
- NHS pension scheme, with around 14% employer contribution.
- Discount schemes (including eligibility for a Blue Light card, at a cost of £4.99 and valid for 2 years), reward vouchers, car leasing and more!
More Security Operations Jobs
Director, Security Operations
LastPass
LastPass is a password and data management service headquartered in Boston, Massachusetts. Founded in 2008 by Joe Siegrist and Robert Billingslea, the company has continually worke
• Own and drive the strategy, roadmap, and maturation of LastPass's Security Operations function - translating the threat landscape into a multi-year program plan that scales with the business
• Lead all response operations across the full incident lifecycle, from detection and triage through containment, eradication, recovery, and post-incident review
• Build, develop, and retain a high-performing team of analysts and engineers - setting clear performance expectations, career development pathways, and a culture of operational excellence
• Partner with the CISO, Legal, and Communications to manage high-severity incidents, coordinating executive response and fulfilling regulatory notification obligations
• Define and own detection and response program metrics, SLAs, and reporting frameworks - providing the CISO and board with clear, evidence-based visibility into program maturity and risk posture
• Champion the integration of AI-assisted triage, automation pipelines, and Detection-as-Code methodologies to reduce analyst toil and drive down mean-time-to-respond
• Establish and maintain strategic relationships with external partners - including threat intelligence vendors, law enforcement, and industry information-sharing groups - to strengthen LastPass's situational awareness
• Collaborate across Business Technology, Cloud Security, and Platform Engineering to ensure cohesive detection coverage and coordinated response capability across the full technology estate
Lead Security Engineer – Incident Response Defensive Operations
CrowdStrike
CrowdStrike has redefined security with the world’s most advanced cloud-native platform that protects and enables the people, processes and technologies that drive modern enterprise. Tested and proven, the world's largest organizations trust CrowdStrike to stop breaches with unparalleled protection against the most sophisticated cyberattacks. The CrowdStrike culture has been built upon our Core Values since the day we began. We are Fanatical About the Customer, Relentlessly Focused on Innovation and believe that our Limitless Passion drives Unlimited Potential for every CrowdStriker. As a purpose-built remote-first company, we believe cultivating a connected culture for every employee, no matter where they are in the world, is a key ingredient in building a high-performing, diverse team. We don’t have a mission statement. We’re on a mission—to stop breaches. Ready to join a mission that matters?
Role Description
The Incident Response Defensive Operations (IRDO) team is seeking a highly experienced, technically strong Lead Security Engineer to drive the design, development, and evolution of our Cybersecurity Incident Response capabilities. This role is intended for a hands-on leader who operates at the intersection of incident response, detection engineering, and security architecture. You will partner closely with Incident Response, and the Threat Detection and Engineering (TIDE) teams to build scalable solutions that improve detection, response, and containment across the enterprise. In addition to leading high-impact engineering initiatives, you will play a critical role in shaping strategy, defining technical standards, and ensuring the IR program can effectively defend against evolving threats. As part of this role, you will also be a key contributor to the CSIRT Defense Profiling program, driving improvements in detection coverage, response capability, and defensive maturity across core domains including email, applications, networks, and endpoints.
What You'll Do:
- Lead the design and implementation of scalable incident response capabilities, including detection, containment, and response automation.
- Architect and develop advanced automation frameworks to reduce response time, eliminate manual effort, and improve consistency across IR workflows.
- Identify systemic gaps in detection, visibility, and response capabilities; drive engineering efforts to close them.
- Own and deliver complex, cross-functional initiatives that enhance IR tooling, telemetry, and operational effectiveness.
- Partner closely with TIDE to define detection requirements, improve signal quality, and operationalize new detections within IR workflows.
- Establish and enforce engineering standards, best practices, and design patterns for IR tooling and automation.
- Contribute to and help evolve the CSIRT Defense Profiling program, including modeling detection and response coverage across key attack surfaces.
- Serve as the EU-based lead for CSIRT activities subject to data sovereignty constraints, directly supporting investigations that require EU presence and designing processes, controls, and automations to ensure compliant handling, analysis, and storage of sensitive data.
- Provide technical leadership and mentorship to engineers and analysts, elevating overall team capability.
- Act as a senior escalation point for complex incidents requiring deep technical expertise or custom response solutions.
- Continuously evaluate emerging threats, tools, and techniques to ensure IR capabilities remain effective and forward-looking.
Qualifications
- Bachelor’s Degree (or equivalent experience) in Computer Science, Cybersecurity, or a related field.
- 7+ years of experience in cybersecurity engineering, incident response, or detection engineering (or equivalent combination of education and experience).
- Proven experience designing and building security tooling, automation, or detection systems at scale.
Requirements
- Strong experience with incident response processes, including detection, triage, containment, and remediation.
- Deep understanding of operating systems (macOS, Linux, Windows), networking, and attacker tradecraft.
- Hands-on experience building automation using tools such as TINES, SOAR platforms, AWS Lambda, or custom scripting frameworks.
- Experience integrating and leveraging SIEM/XDR platforms (e.g., Splunk, LogScale, Falcon, etc.).
- Ability to translate operational needs into scalable technical solutions and architectures.
- Strong software engineering fundamentals (clean code, modular design, maintainability).
- Excellent problem-solving skills with the ability to operate in complex, ambiguous environments.
- Strong communication skills with the ability to influence technical and non-technical stakeholders.
- Ability to lead initiatives, align cross-functional teams, and drive outcomes independently.
- High level of ownership, accountability, and attention to detail.
Bonus Points:
- Strong scripting or programming experience (e.g., Python, Go, PowerShell, Bash).
- Experience with detection engineering frameworks (e.g., MITRE ATT&CK) and coverage modeling.
- Familiarity with attack surface management concepts and methodologies.
- Experience with cloud security (AWS, GCP, Azure) and modern infrastructure environments.
- Experience mentoring or leading engineers in a technical environment.
- Familiarity with data sovereignty and privacy frameworks (e.g., GDPR) and their impact on incident response operations.
- Relevant security certifications (e.g., GCIA, GCIH, CISSP).
Benefits
- Market leader in compensation and equity awards.
- Comprehensive physical and mental wellness programs.
- Competitive vacation and holidays for recharge.
- Paid parental and adoption leaves.
- Professional development opportunities for all employees regardless of level or role.
- Employee Networks, geographic neighborhood groups, and volunteer opportunities to build connections.
- Vibrant office culture with world class amenities.
- Great Place to Work Certified™ across the globe.
• Work closely with system owners to ingest new log feeds for security monitoring
• Enhance and maintain our Detection and Response platforms
• Build in workflows with AI analysis to automatically investigate and triage issues
• Be on the frontlines of Incident Response, actively investigating issues and protecting Upstart
• Build common response workflows to expedite investigation and response using AI and SOAR Technology
SOC Onboarding & Integration Specialist – Security Operations Center
pasiona
More than software developers.
• Manage onboarding activities for logging systems
• Collaborate with stakeholders to ensure successful integration
• Troubleshoot and resolve issues related to log ingestion
• Document and report on coordination activities
• Participate in process standardization initiatives