Cybersecurity Incident Commander

at SoFi

CA - San Francisco, WA - Seattle

Who we are:

Shape a brighter financial future with us.

Together with our members, we’re changing the way people think about and interact with personal finance.

We’re a next-generation financial services company and national bank using innovative, mobile-first technology to help our millions of members reach their goals. The industry is going through an unprecedented transformation, and we’re at the forefront. We’re proud to come to work every day knowing that what we do has a direct impact on people’s lives, with our core values guiding us every step of the way. Join us to invest in yourself, your career, and the financial world.

The Role:

We are seeking a Cybersecurity Incident Commander to join SoFi’s Cyber Defense program and lead incident command efforts across the organization. This role will serve as a central driver for security incident response, ensuring effective management of day-to-day incidents as well as large-scale, high-impact cybersecurity events.

The SOC team is responsible for monitoring, analyzing, and responding to security events across SoFi’s infrastructure and applications. As a dedicated incident response resource within Cyber Defense, you will coordinate cross-functional response efforts, maintain incident command structure during active events, and ensure consistent communication, documentation, and resolution tracking.

This is a highly visible role that partners closely with SOC Analysts, Threat Research, Offensive Security, Tools Automation & Operations (TAO), Engineering, IT, Legal, Risk, Executive team, and other stakeholders to drive timely containment, eradication, and recovery. The ideal candidate thrives in fast-paced environments, brings structure to ambiguity, has exceptional communication skills, and can effectively drive complex incidents from detection through post-incident review.

What You’ll Do:

Serve as the primary Security Incident Commander for security incidents identified by the SOC.
Lead and manage the end-to-end lifecycle of security incidents, including triage validation, containment, eradication, recovery, and closure.
Establish and maintain incident command during high-severity or large-scale incidents.
Drive cross-functional collaboration and decision making across technical and business teams to ensure timely and effective response.
Facilitate incident communication, coordinate response resources, and maintain clear situational awareness for all engaged.
Ensure consistent documentation of incident timelines, impact assessments, decisions, evidence chain of custody, and actions taken.
Develop and maintain incident severity classifications and escalation criteria that are aligned with organizational and business needs and expectations.
Provide executive-ready status updates and summaries during major incidents.
Coordinate post-incident reviews, including root cause analysis, lessons learned, and tracking of remediation actions.
Identify and facilitate opportunities to improve incident response processes, playbooks, and communication workflows.
Partner with SOC leadership to enhance incident metrics, reporting, and operational maturity.
Organize and participate in tabletop exercises, simulations, and readiness activities to improve Cyber Defense and SOC response capabilities.

What You’ll Need:

3–7+ years of experience in cybersecurity operations, incident response, or SOC environments.
Direct experience coordinating or leading security incident response efforts in enterprise environments.
Strong understanding of the incident response lifecycle and frameworks (e.g., NIST 800-61).
Experience handling high-severity incidents such as ransomware, business email compromise, insider threats, cloud compromise, or data exfiltration events.
Ability to interpret technical findings and translate them into clear, actionable updates for both technical and non-technical stakeholders.
Excellent written and verbal communication skills, especially in high-pressure situations.
Strong organizational skills with the ability to manage multiple concurrent incidents.
Experience facilitating cross-functional communication across various media channels and driving accountability during live incidents.
Ability to operate independently while collaborating effectively across distributed teams.

Nice to Have:

Experience in a formal CSIRT or Incident Commander role.
Working knowledge of security technologies such as SIEM, EDR, email security, IAM, cloud security controls, and network monitoring tools.
Knowledge of regulatory and compliance considerations (e.g., financial services, PCI, SOX, GLBA).
Experience directing or conducting digital forensics or deep technical investigations.
Familiarity with cloud-native security incident response (AWS, GCP, or Azure).
Exposure to MITRE ATT&CK framework and threat intelligence integration.
Relevant certifications such as GCIA, GCIH, GCED, CISSP, CISM, or similar.
Experience developing or maintaining incident response playbooks and runbooks.

Compensation and Benefits

The base pay range for this role is listed below. Final base pay offer will be determined based on individual factors such as the candidate’s experience, skills, and location.

To view all of our comprehensive and competitive benefits, visit our Benefits at SoFi page!

SoFi provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion (including religious dress and grooming practices), sex (including pregnancy, childbirth and related medical conditions, breastfeeding, and conditions related to breastfeeding), gender, gender identity, gender expression, national origin, ancestry, age (40 or over), physical or medical disability, medical condition, marital status, registered domestic partner status, sexual orientation, genetic information, military and/or veteran status, or any other basis prohibited by applicable state or federal law.

The Company hires the best qualified candidate for the job, without regard to protected characteristics.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

New York applicants: Notice of Employee Rights

SoFi is committed to an inclusive culture. As part of this commitment, SoFi offers reasonable accommodations to candidates with physical or mental disabilities. If you need accommodations to participate in the job application or interview process, please let your recruiter know or email accommodations@sofi.com.

Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time.

Internal Employees

If you are a current employee, do not apply here - please navigate to our Internal Job Board in Greenhouse to apply to our open roles.