Senior Security Incident Commander

About the Role

As a Senior Security Technologist, Incident Command, you are accountable for leading Ubers most critical, complex, and high-impact security incidents end-to-end - from escalation to containment, recovery, and systemic remediation. You operate at the intersection of Fire Captain, NTSB Investigator, and hands-on technical practitioner. In the moment you take command - setting strategy, assigning resources, and making high-consequence decisions under pressure. After the smoke clears, you drive deep technical investigation and post-incident analysis to ensure we understand not just what happened but why it happened and that meaningful, durable fixes are made.

This is not a passive coordination role. You are expected to be technically credible, decisive in ambiguity, and comfortable owning outcomes when there is no playbook. You will shape how Uber responds to security incidents at scale - raising the technical bar, building and modernizing tooling and workflows, and influencing teams beyond Engineering Security.

What the Candidate Will Need

Bonus Points ------------

• Command the highest severity and most complex security incidents across Uber and its subsidiaries, serving as the single accountable leader during active response.
• Participate in an on-call rotation where you are expected to make real-time decisions with incomplete information, balancing speed, risk, and impact.
• Act as the incident authority, not just a facilitator - forming hypotheses, setting strategy, and directing investigative focus.
• Transition seamlessly between executive-level incident leadership and hands-on technical investigation, including log analysis, system interrogation, and root cause validation.
• Serve as the primary interface to senior leadership during critical incidents, translating evolving technical realities into clear risk, impact, and decision frameworks.
• Build and maintain strong working relationships with global engineering, infrastructure, legal, privacy, and operations teams to enable fast, coordinated response.
• Conduct rigorous post-incident analysis in the spirit of an NTSB investigation - focused on systemic causes, contributing factors, and concrete prevention.
• Mentor and develop other responders and incident leaders, raising the organizations ability to handle complex, time-critical security events.
• Lead and materially contribute to initiatives that mature Ubers incident response program, including:
• High-fidelity incident simulations and technical tabletop exercises
• Threat-informed response planning and scenario development
• Left of boom threat modeling to prevent incidents before they occur
• Improvements to detection, containment, and response automation
• Adoption of new investigative techniques and tooling, including AI-assisted workflows

Basic Qualifications -------------------

1. 5 years in security operations, detection, or incident response roles at scale, with demonstrated ownership of ambiguous, large, complex, high-impact incidents.
2. Deep familiarity with modern attacker TTPs and how they manifest across logs, systems, networks, endpoints, and applications.
3. Strong technical investigation skills - comfortable working directly with logs, telemetry, and raw system data to validate hypotheses and determine root cause.
4. Experience briefing executives during active incidents, with the ability to clearly explain tradeoffs, risks, and recommended actions.
5. Experience designing or running technical incident simulations, tabletops, purple team exercises, or similar that stress real-world response capabilities.
6. Experience building or leveraging AI-driven tooling to improve incident response posture, applying frontier technology to workflows such as triage, investigation, correlation, or decision support.

Preferred Qualifications ----------------------

1. Demonstrated experience leading other responders through direct command during incidents and longer-term technical mentorship.
2. Strong bias for action and continuous improvement - uncomfortable with leaving with a shrug if things arent right.
3. Experience responding to incidents in highly distributed, cloud-scale environments, where blast radius and coordination complexity are significant.
4. Broad security domain knowledge, infrastructure, endpoint, product, identity, data, and the ability to reason across them during incidents.
5. Ability to script or code Python, Go, or similar to automate response tasks, prototype tooling, or close operational gaps.

Compensation ------------

For San Francisco, CA-based roles, the base salary range for this role is USD180,000 per year - USD200,000 per year.

For Seattle, WA-based roles, the base salary range for this role is USD180,000 per year - USD200,000 per year.

For Sunnyvale, CA-based roles, the base salary range for this role is USD180,000 per year - USD200,000 per year.

For all US locations, you will be eligible to participate in Ubers bonus program and may be offered an equity award & other types of compensation. You will also be eligible for various benefits. More details can be found at the following link: https://www.uber.com/careers/benefitshttps://www.uber.com/careers/benefits.

Ubers mission is to reimagine the way the world moves for the better. Bold ideas create real-world impact, challenges drive growth, and speed fuels progress. What moves us moves the world - lets move it forward together.

Uber is proud to be an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to sex, gender identity, sexual orientation, race, color, religion, national origin, disability, protected Veteran status, age, or any other characteristic protected by law. We also consider qualified applicants regardless of criminal histories consistent with legal requirements. If you have a disability or special need that requires accommodation, please let us know by completing this form: https://forms.gle/DWTk9k6xtMU25Y5A

Offices continue to be central to collaboration and Ubers cultural identity. Unless formally approved to work fully remotely, Uber expects employees to spend at least half of their work time in their assigned office. For certain roles, such as those based at green-light hubs, employees are expected to be in-office for 100% of their time. Please speak with your recruiter to better understand in-office expectations for this role.