Job Details
Posted date: Jun 18, 2026
Category: Security Operations Engineering
Location: Redmond, WA
Estimated salary: $190,400
Range: $119,800 - $261,000
Employment type: Full-Time
Work location type: 3 days / week in-office
Role: People Manager
Description
Overview
The Incident Command & Threat Hunting Operations Manager is responsible for leading end-to-end incident response governance and proactive threat detection across Fraud & Abuse Security operations. This role ensures rapid, coordinated response to high-severity incidents while driving threat hunting programs that identify and disrupt adversarial activity before impact.
The role operates at the intersection of incident command, threat intelligence, and operational execution, delivering measurable reduction in customer and Microsoft harm through structured processes, data-driven decision-making, and cross-organizational coordination.
Responsibilities
1. Incident Command Leadership & Governance
- Own and evolve the Major Incident governance model, including severity definitions, escalation pathways, and decision authority
- Act as incident command authority for high-severity (Sev A / Sev 1) or systemic incidents
- Coordinate cross-functional response across engineering, fraud, security, and product teams
- Ensure incidents are driven to resolution with clear ownership, timelines, and accountability
- Oversee incident classification, severity validation, and escalation consistency
- Sponsor and drive post-incident reviews (PIRs) to address root cause and systemic gaps
2. Major Incident Lead Management
- Lead and develop a team of Major Incident Leads (MILs) or equivalent responders
- Assign and support leadership coverage across incidents and priority workstreams
- Coach incident leads on:
  - Command and control execution
  - Prioritization and trade-off decisions
  - Stakeholder alignment and communication
- Step in to stabilize incidents that stall, escalate improperly, or degrade in quality
3. Threat Hunting Strategy & Execution
- Define and operationalize threat hunting strategy and standards across Fraud Ops ecosystems
- Lead proactive hunts targeting:
  - Undetected adversary activity
  - Fraud patterns and abuse campaigns
  - Emerging attack techniques and TTPs
- Ensure hunts are hypothesis-driven, intelligence-informed, and measurable
- Drive integration of threat intelligence, telemetry, and analytics into hunting workflows
4. Threat Hunt Lead Management
- Lead and develop a team of Threat Hunt Leads (THLs) or equivalent responders
- Assign and support leadership coverage across Hunts and priority workstreams
- Coach incident leads on:
  - Threat Hunt execution
  - Prioritization and trade-off decisions
  - Stakeholder alignment and communication
- Step in to stabilize Hunts that stall, escalate improperly, or degrade in quality
5. Incident–Threat Hunting Integration
- Ensure seamless integration between:
  - Reactive incident response
  - Proactive threat hunting
  - Detection engineering and automation
- Translate incident learnings into:
  - New detections
  - Hunting hypotheses
  - Process and tooling improvements
- Drive a closed-loop improvement model across incidents and hunts
6. Cross-Organizational Coordination
- Serve as a central coordination point across:
  - Fraud Operations
  - Cyber Defense Operations
  - Engineering and product teams
  - Threat intelligence and detection teams
- Mobilize appropriate stakeholders during incidents and threat hunts
- Ensure consistent execution across distributed teams and geographies
7. Operational Excellence & Metrics
- Define and track key performance indicators:
  - Time to detect (TTD)
  - Time to mitigate (TTM)
  - Incident containment effectiveness
  - Threat hunting yield and impact
- Establish audit-ready processes and documentation standards
- Drive continuous improvement across:
  - Incident lifecycle management
  - Threat detection effectiveness
  - Operational efficiency
8. Strategy, Governance & Risk Reduction
- Align operations to Fraud-first principles and financial harm reduction
- Ensure policy alignment, compliance, and enforcement consistency
- Define operational strategies for:
  - Risk prioritization
  - Resource allocation
  - Capability development (automation, tooling, analytics)
- Influence the roadmap for incident response and threat hunting capabilities
Leadership Expectations
- Operates as a decisive incident commander under pressure
- Drives clarity in ambiguity and resolves decision bottlenecks
- Balances strategic foresight with tactical execution
- Demonstrates systems thinking across incident response and threat detection
- Builds high-performing teams and elevates senior IC capability
Impact
- Reduces customer and Microsoft financial harm
- Improves time-to-detect and time-to-contain threats
- Increases operational rigor and audit defensibility
- Enables scalable, repeatable incident response and threat hunting practices
- Strengthens Microsoft’s security posture against fraud, abuse, and advanced threats
Qualifications
Required Qualifications
- Doctorate in Statistics, Mathematics, Computer Science, or related field
- OR Master's Degree in Statistics, Mathematics, Computer Science, or related field AND 3+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, anomaly detection, Security Operations Center (SOC) detection, threat analytics, security incident and event management (SIEM), information technology (IT), or operations incident response
- OR Bachelor's Degree in Statistics, Mathematics, Computer Science, or related field AND 4+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, anomaly detection, Security Operations Center (SOC) detection, threat analytics, security incident and event management (SIEM), information technology (IT), or operations incident response
- OR equivalent experience.
Preferred Qualifications
- Master's Degree in Statistics, Mathematics, Computer Science, or related field AND 6+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, or anomaly detection OR Bachelor's Degree in Statistics, Mathematics, Computer Science, or related field AND 8+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, or anomaly detection OR equivalent experience.
- 1+ year(s) people management and/or team leadership experience, including leading security functions (e.g., SOC, TVM) and multi-disciplinary teams.
- Relevant certifications preferred (CISSP, CISA, CISM, SANS, OSCP, Security+).
- Experience in incident response, incident command, threat hunting/detection, and Security Operations (SOC/SecOps).
- Experience managing high-severity incidents and crisis response at scale.
- Understanding of adversary tactics, techniques, and procedures (TTPs), threat intelligence integration, and incident management frameworks (e.g., MFIRP, ICS).
- Experience leading cross-functional teams in complex environments and fraud/abuse ecosystems (e.g., Azure, M365, Partner Center).
- Familiarity with Kusto, telemetry analysis, ServiceNow or similar case management platforms, and detection engineering/automation pipelines.
- Experience building operational frameworks, RACI models, and governance structures.
Security Operations Engineering M4 - The typical base pay range for this role across the U.S. is USD $119,800.00 - $234,700.00 per year. There is a different range applicable to specific work locations, within the San Francisco Bay area and New York City metropolitan area, and the base pay range for this role in those locations is USD $160,200.00 - $261,000.00 per year.
Certain roles may be eligible for benefits and other compensation. Find additional benefits and pay information here:
https://careers.microsoft.com/us/en/us-corporate-pay
This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.
Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.