Cloud Incident Responder, Citi

Citi

Location:
Hungary, Budapest

Category:
IT - Software Development

Contract Type:
Not provided

Salary:

Not provided

Save Job

Apply Position

Job Description:

Citi’s Cloud Incident Response (Cloud IR) team seeks a Cloud Incident Responder to own the assigned security incidents that occur within Citi’s public cloud environments. You will work closely with stakeholders to ensure effective security incident response with an aim to safeguard the integrity of services and data within Citi’s public cloud platforms. Your role is critical in ensuring a proactive and coordinated approach in responding to cloud security incidents and managing security risks in a timely and effective manner. You will align your objectives with the wider Cyber Security Operations priorities at Citi while owning the evolution of our processes, procedures and tools to ensure the firm is ready to tackle critical security incident response challenges within the cloud ecosystem.

Job Responsibility:

Lead and/or support in-depth triage and investigations of assigned cyber incidents in cloud
Perform incident response functions including but not limited to detailed cloud focused investigations by analyzing logs relevant to the underlying cloud service provider (CSP)
Execution of automation to gather forensic artifacts such as memory, disk, etc. for in-depth analysis and investigations
Execution of cloud-native automation to run resource containment actions as relevant to sources of compromise and/or malicious activities in scope
Conduct host-based analytical functions (e.g. digital forensics, metadata and data analysis) to uncover Indicators of Compromise (IOCs) and/or Tactics, Techniques and Procedures (TTPs)
Documentation of investigation analysis objectively capturing the Who, What, When, Where, Why and How related to the incident
Develop, document and maintain operationally effective playbooks to deal with cloud-based incidents
Take ownership for and drive the development of new automation capabilities and supporting playbooks as per assigned domains within cloud
Work with application and infrastructure stakeholders to identify key components and information sources such as cloud environments, instances, middleware, applications, databases, logs, etc.
Collaborate with global multidisciplinary groups for triaging, defining the scope and investigating large-scale security incidents
Build and nurture key stakeholder relationships with partners in the CISO business function that are essential to the IR team success
Actively participate in Threat modeling of new services/capabilities, readiness exercises such as purple team, tabletops, CTF’s etc.

Requirements:

Strong technical expertise in relevant Cloud security tools and technologies (e.g. EDR, SIEM, Container security, SSPM, CNAPP, etc.)
Solid team player with the ability to work in multi-disciplinary team of teams with DevSecOps practitioners
Exceptional communication and presentation skills to simplify and convey complex technical matters to senior security stakeholders and leadership
Strong understanding of security incident response processes, excellent technical documentation skills and proven analytical skills
Deep knowledge of public cloud services that are used in the building blocks of modern cloud-native containerized applications
Advanced proficiency with cloud security focused services such as Guard Duty, SCC, IAM, etc.
Hands-on experience with CI/CD methodologies and tools that support modern deployment practices into public cloud and associated security best practices
Proficient with public cloud services focused on automation such as SSM, Lambda, Cloud Functions, etc.
Experience with various log aggregation/data analytics tools, such as Splunk, Sentinel, etc.
Familiarity with security constructs of SaaS and PaaS offerings such as Snowflake, MongoDB desired
Windows Operating Systems / UNIX specifically in command line use and basic file system knowledge
Prior experience of using security-oriented tools such as Aquasec, Twistlock, Wiz, Lacework, AppOmni, etc. is an advantage
Industry-accredited certifications will be required. Candidates with relevant security certifications (ex: AWS Security Specialty, GCP Professional Security Engineer, CKA/CKS, SC-200, SC-400, AZ-500, etc.) will be preferred. Candidates without certification must be willing to pursue them during employment.

Nice to have:

Familiarity with security constructs of SaaS and PaaS offerings such as Snowflake, MongoDB desired
Prior experience of using security-oriented tools such as Aquasec, Twistlock, Wiz, Lacework, AppOmni, etc. is an advantage

What we offer:

Cafeteria Program
Home Office Allowance (for colleagues working in hybrid work models)
Paid Parental Leave Program (maternity and paternity leave)
Private Medical Care Program and onsite medical rooms at our offices
Pension Plan Contribution to voluntary pension fund
Group Life Insurance
Employee Assistance Program
Access to a wide variety of learning and development programs, online course libraries and upskilling platforms, such as Udemy and Degreed
Flexible work arrangements to support you in managing work - life balance
Career progression opportunities across geographies and business lines
Socially active employee communities with diverse networking opportunities

Additional Information:

Job Posted:
June 05, 2025

Employment Type:

Fulltime

Work Type:

Hybrid work

View All Jobs In This Company

Job Link Share:

Cloud Incident Responder