Threat Detection & Response - Blue Team Lead

TEAM OVERVIEW

KKR's Technology organization is a group of passionate technologists and product managers, unified by a shared mission to deliver exceptional products and solutions that drive value for our stakeholders, clients, and investors. Our passion for technology and innovation fuels our commitment to creating high-quality, impactful solutions that address complex challenges and meet the evolving needs of our sophisticated businesses.

Teamwork is at the core of the organization’s success.  We thrive on open collaboration and continuous learning, driving a culture that values diversity of thought and collective achievement.  Our global footprint enables us to integrate diverse perspectives into product and solution delivery, resulting in comprehensive, adaptable, and scalable solutions. We optimize for impact, prioritizing and delivering solutions with excellence while remaining agile in response to the evolving needs of our businesses.

POSITION OVERVIEW

We are seeking a Blue Team Lead to serve as KKR’s U.S. Regional Lead and escalation point for complex cyber incidents within the Threat Detection & Response (TD&R) function in our New York or Boston office. This is a senior incident response leadership role combining deep investigative expertise with ownership of incident command, containment strategy, stakeholder communication, and response readiness. This is an in-office position, 5 days per week.

KKR operates in a hybrid environment today; however, our operating model is increasingly cloud-first and identity-first, with growing focus on runtime and SaaS as primary investigative surfaces. This role will help shape how we respond in that future state - partnering closely with our MSSP, internal Computer Incident Response Team (CIRT), and engineering counterparts to drive faster, more consistent outcomes.

You will also be a key operational partner to the TDR SOC Engineer (SOC Engineering, Automation & Agentic Workflows) role. The Blue Team Lead defines the incident response requirements, validates that workflows and automation are usable under pressure, and ensures lessons learned translate into durable improvements across people, process, and technology.

RESPONSIBILITIES
Incident Leadership & Command (U.S. Regional Lead)

• Act as U.S. escalation lead / incident commander for high-severity incidents, owning response strategy, containment decisions, and coordination through resolution.
• Lead cross-functional response with internal CIRT, infrastructure/platform teams, cloud teams, identity teams, legal/compliance, and business stakeholders.
• Provide executive-ready briefings and situational updates during active incidents, clearly communicating risk, impact, tradeoffs, and next steps.
• Ensure post-incident reviews are completed and translated into measurable remediation and program improvements.

Advanced Investigations (Cloud/Identity/Runtime First; Hybrid Aware)

• Perform and lead advanced investigations across endpoint, network, identity, cloud control plane, SaaS, and (as needed) on-prem telemetry.
• Drive evidence collection and preservation strategies appropriate for hybrid environments, including cloud-native logging and ephemeral workload considerations.
• Develop investigative narratives: attacker objectives, sequence of actions, impacted assets, containment efficacy, and residual risk.

Readiness, Playbooks, and Exercising

• Own and continuously improve incident response playbooks (e.g., ransomware/extortion, BEC, cloud account compromise, token/key theft, data exfilt