Posted:
7/2/2026, 7:36:41 PM
Experience Level(s):
Expert or higher ⋅ Senior
Field(s):
IT & Security
Workplace Type:
On-site
Citi's Cloud Incident Response (Cloud IR) team is seeking an expert Cloud Incident Responder (VP) to take a leading role in strategically managing and responding to security incidents across our vast and dynamic technology landscape. You will be at the forefront of protecting Citi's critical assets, including our multi-cloud environments on AWS and GCP, and vital data platforms like Snowflake and Databricks. Your leadership will be crucial in safeguarding the integrity of our services and the trillions of dollars that flow through our network daily.
In this role, you will work with global stakeholders to drive the evolution of our security processes, procedures, and cutting-edge tools. You will ensure the firm is prepared to meet the most critical security challenges in an evolving cloud ecosystem.
Responsibilities:
As a Cloud Incident Responder, you will perform a full range of incident response functions, including but not limited to:
Lead and Build Response Automation: Architect, refine, and champion the development of cutting-edge incident response playbooks and automation capabilities, with a primary focus on enhancing our response mechanisms for Databricks and Snowflake.
Conduct In-Depth Investigations: Perform detailed, cloud-focused investigations by analyzing logs and telemetry from Cloud Service Providers (AWS, GCP), data platforms (Snowflake, Databricks), and enterprise SaaS applications (M365).
Orchestrate Forensic Analysis: Coordinate the execution of automated workflows to gather critical forensic artifacts (memory, disk, cloud resource configurations) for in-depth analysis.
Implement Cloud-Native Containment: Oversee the use of cloud-native automation to execute decisive containment actions across compromised environments, including sensitive data platforms.
Proactive Threat Hunting: Conduct advanced host-based and cloud-native analysis (digital forensics, metadata analysis) to proactively uncover Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs).
Strategic Collaboration: Engage with application, infrastructure, and business stakeholders to identify key information sources and influence security architecture decisions.
Meticulous Documentation: Ensure detailed and actionable documentation for every incident, capturing the Who, What, When, Where, Why, and How to drive continuous improvement.
Threat Modeling: Actively participate in threat modeling exercises for new services and capabilities, including purple team, tabletop, and CTF exercises.
Required Qualifications & Experience
6-10 years of relevant experience in Cloud Security, Cybersecurity, and/or Incident Response.
Demonstrated hands-on security expertise in major cloud platforms such as AWS and GCP.
Proven experience with security constructs and incident response within SaaS/PaaS offerings and data platforms like Snowflake and Databricks.
Strong problem-solving capabilities with an in-depth understanding of security incident response processes and proven analytical skills to tackle complex security challenges.
Experience with log aggregation and security analytics tools (e.g., Splunk, Sentinel, Chronicle).
Excellent technical documentation and communication skills.
Ability to operate independently with minimal oversight while dealing with complex technical analysis.
Highly Preferred Qualifications
Deep expertise in Databricks and Snowflake security, including hands-on experience in monitoring, threat detection, building response playbooks, and automation.
Security-specific certifications related to Databricks, Snowflake, or other major cloud platforms (e.g., AWS Certified Security - Specialty, Google Professional Cloud Security Engineer).
Hands-on experience with cloud-native security posture and tooling platforms (e.g., Wiz, Aquasec, AppOmni) is a strong advantage.
Education
Bachelor's degree/University degree or equivalent experience is required.
A Master's degree in a related field is preferred.
This job description provides a high-level review of the types of work performed. Other job-related duties may be assigned as required.
------------------------------------------------------
------------------------------------------------------
------------------------------------------------------
------------------------------------------------------
------------------------------------------------------
------------------------------------------------------
Citi is an equal opportunity employer, and qualified candidates will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, status as a protected veteran, or any other characteristic protected by law.
If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi.
View Citi’s EEO Policy Statement and the Know Your Rights poster.
Website: https://www.citigroup.com/
Headquarter Location: New York, United States
Employee Count: 10001+
Year Founded: 1812
IPO Status: Public
Last Funding Type: Post-IPO Debt
Industries: Banking ⋅ Credit Cards ⋅ Financial Services ⋅ Wealth Management