
Threat Detection & Response - Blue Team Lead
at KKR
Posted 8 hours ago
- Compensation: $150,000 – $180,000 USD
- City: New York City, Boston
- Country: United States
KKR seeks a Blue Team Lead for its Threat Detection & Response function as the U.S. Regional lead overseeing incident command, containment strategy, and stakeholder communications for high-severity cyber incidents in New York or Boston. This senior incident-response leadership role partners with the MSSP, internal CIRT, and engineering teams to drive faster, more consistent outcomes and to shape readiness, playbooks, and automation. You will lead advanced investigations across cloud, identity, and hybrid environments, coordinate exercises, and translate lessons learned into durable improvements across people, processes, and technology. The role emphasizes AI-enabled response, operational governance, and collaboration with ReliaQuest to raise the maturity of the TD&R program.
COMPANY OVERVIEW
KKR is a leading global investment firm that offers alternative asset management as well as capital markets and insurance solutions. KKR aims to generate attractive investment returns by following a patient and disciplined investment approach, employing world-class people, and supporting growth in its portfolio companies and communities. KKR sponsors investment funds that invest in private equity, credit and real assets and has strategic partners that manage hedge funds. KKR’s insurance subsidiaries offer retirement, life and reinsurance products under the management of Global Atlantic Financial Group. References to KKR’s investments may include the activities of its sponsored funds and insurance subsidiaries.
TEAM OVERVIEW
KKR's Technology organization is a group of passionate technologists and product managers, unified by a shared mission to deliver exceptional products and solutions that drive value for our stakeholders, clients, and investors. Our passion for technology and innovation fuels our commitment to creating high-quality, impactful solutions that address complex challenges and meet the evolving needs of our sophisticated businesses.
Teamwork is at the core of the organization’s success. We thrive on open collaboration and continuous learning, driving a culture that values diversity of thought and collective achievement. Our global footprint enables us to integrate diverse perspectives into product and solution delivery, resulting in comprehensive, adaptable, and scalable solutions. We optimize for impact, prioritizing and delivering solutions with excellence while remaining agile in response to the evolving needs of our businesses.
POSITION OVERVIEW
We are seeking a Blue Team Lead to serve as KKR’s U.S. Regional Lead and escalation point for complex cyber incidents within the Threat Detection & Response (TD&R) function in our New York or Boston office. This is a senior incident response leadership role combining deep investigative expertise with ownership of incident command, containment strategy, stakeholder communication, and response readiness. This is an in-office position, 5 days per week.
KKR operates in a hybrid environment today; however, our operating model is increasingly cloud-first and identity-first, with growing focus on runtime and SaaS as primary investigative surfaces. This role will help shape how we respond in that future state - partnering closely with our MSSP, internal Computer Incident Response Team (CIRT), and engineering counterparts to drive faster, more consistent outcomes.
You will also be a key operational partner to the TDR SOC Engineer (SOC Engineering, Automation & Agentic Workflows) role. The Blue Team Lead defines the incident response requirements, validates that workflows and automation are usable under pressure, and ensures lessons learned translate into durable improvements across people, process, and technology.
RESPONSIBILITIES
Incident Leadership & Command (U.S. Regional Lead)
- Act as U.S. escalation lead / incident commander for high-severity incidents, owning response strategy, containment decisions, and coordination through resolution.
- Lead cross-functional response with internal CIRT, infrastructure/platform teams, cloud teams, identity teams, legal/compliance, and business stakeholders.
- Provide executive-ready briefings and situational updates during active incidents, clearly communicating risk, impact, tradeoffs, and next steps.
- Ensure post-incident reviews are completed and translated into measurable remediation and program improvements.
Advanced Investigations (Cloud/Identity/Runtime First; Hybrid Aware)
- Perform and lead advanced investigations across endpoint, network, identity, cloud control plane, SaaS, and (as needed) on-prem telemetry.
- Drive evidence collection and preservation strategies appropriate for hybrid environments, including cloud-native logging and ephemeral workload considerations.
- Develop investigative narratives: attacker objectives, sequence of actions, impacted assets, containment efficacy, and residual risk.
Readiness, Playbooks, and Exercising
- Own and continuously improve incident response playbooks (e.g., ransomware/extortion, BEC, cloud account compromise, token/key theft, data exfiltration, insider risk).
- Lead and coordinate exercises and simulations; ensure learnings become concrete improvements (process updates, training, tooling enhancements).
- Establish escalation criteria and decision frameworks (severity, containment triggers, business engagement, recovery prioritization).
AI-Enabled Response & Analyst Acceleration (Operational Owner)
- Operationalize AI-assisted workflows to improve incident execution (e.g., alert/case summarization, timeline generation, correlation support, case documentation), ensuring strong governance, auditability, and human-in-the-loop controls.
- Partner with SOC Engineering to define requirements and validate that automation/agentic workflows reduce toil and time-to-contain without increasing operational risk or noise.
Continuous Improvement, Threat-Informed Defense, and Partner Management
- Convert incident lessons-learned into durable improvements across enrichment, routing/prioritization, response plays, and coverage enhancements in partnership with SOC Engineering and ReliaQuest.
- Support threat hunting and purple-team efforts by shaping hypotheses and prioritizing validation based on real incident patterns and business risk (enablement and translation to controls - not primary hunt execution).
- Maintain strong operating rhythm with ReliaQuest and internal teams to ensure smooth escalations, clear responsibilities, and consistent response quality globally.
Metrics & Reporting
- Help define, track, and improve operational KPIs such as MTTR, MTTC, time-to-triage, containment SLA adherence, repeat-incident drivers, and quality of post-incident actions.
- Provide insight-driven reporting to TD&R leadership on trends, systemic issues, and targeted investments needed to raise response maturity.
QUALIFICATIONS
- 6+ years in Incident Response, Security Operations, or Blue Team roles, including leading high-severity incidents end-to-end.
- Proven ability to serve as an escalation lead and incident commander—calm, decisive leadership in ambiguous, high-pressure situations.
- Strong communication skills: able to translate complex technical details into clear, actionable updates for executives and stakeholders.
- Experience operating in cloud-forward enterprises, including hybrid environments spanning SaaS, cloud-native workloads, and on-prem systems.
- Strong familiarity with identity-centric security models and investigations (federated identity, IAM abuse patterns, token theft, conditional access signals).
- Working knowledge of cloud-native architectures (containers/Kubernetes, serverless, CI/CD) and the investigative/containment challenges they introduce.
- Experience partnering with MSSPs and distributed teams; comfortable operating in a hybrid SOC model (internal + ReliaQuest).
- Familiarity with MITRE ATT&CK and applying it to investigative thinking, readiness planning, and validation priorities.
- Experience designing, using, or validating automated response workflows (SOAR) and promoting safe automation patterns.
- Exposure to AI-assisted SOC/IR tooling, including governance considerations (data handling, audit logging, human approval, evaluation).
- Experience with purple teaming, detection validation, or adversary simulation platforms (e.g., Atomic Red Team, Caldera, Cymulate). (Preferred)
- Ability to influence engineering roadmaps (telemetry, enrichment, workflow improvements) based on operational pain points and incident learnings. (Preferred)
IDEAL CANDIDATE PROFILE
- Incident leader: takes ownership, drives clarity, and brings structure to high-severity response.
- Technically deep and business-aware: understands attacker behavior and business impact equally well.
- Operationally disciplined: strong instincts for repeatability, playbooks, and learning loops.
- Collaborative and influential: can align MSSP + internal teams, and partner effectively with SOC Engineering and platform teams.
- Future-oriented: comfortable modernizing response for cloud-first and AI-enabled operating models.
WHY JOIN US?
This is a pivotal leadership role in a globally scaled Threat Detection & Response function at a leading investment firm. As U.S. Regional Lead, you will shape incident response outcomes for critical enterprise operations and directly influence how KKR modernizes response for a cloud-first, AI-enabled future. You’ll partner with a high-performing MSSP and an engineering-driven TDR team to improve readiness, accelerate containment, and raise the bar on response quality across the organization.
KKR is an equal opportunity employer. Individuals seeking employment are considered without regard to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, sexual orientation, or any other category protected by applicable law.