
Threat Response Technology and Capabilities Product Owner

Mastercard

St. Leonards, Australia

📍 On-site

Category: Security
Subcategory: Security Engineer
Type: Full-time


Our Purpose

Mastercard powers economies and empowers people in 200+ countries and territories worldwide. Together with our customers, we’re helping build a sustainable economy where everyone can prosper. We support a wide range of digital payments choices, making transactions secure, simple, smart and accessible. Our technology and innovation, partnerships and networks combine to deliver a unique set of products and services that help people, businesses and governments realize their greatest potential.

Title and Summary

Threat Response Technology and Capabilities Product Owner

Overview

The Corporate Security Threat and Response Management product ownership team is looking for a Lead Security Engineer to help drive our Security Operations modernization strategy. The ideal candidate is passionate about modern security tools, capabilities, and strategies.

As a Product Owner, you will be defining, owning, and driving the incident response technology and capability strategy across global Security Operations. This role sets the vision for response tooling, automation, AI augmentation, and digital evidence workflows used by regional Security Operations Center (SOC), Digital Forensics Investigation Response (DFIR), and Threat Response teams.

The Product Owner is accountable for the end-to-end RESPOND product lifecycle: strategy, roadmap, requirements, build oversight, adoption, and measurable operational outcomes. This is a lead-level, hands-on product leadership role for a practitioner operating at the bleeding edge of SOC 3.0: AI-assisted triage, agentic response, notebook-driven investigation, and engineering-led operations. The successful candidate is equal parts DFIR practitioner, SOAR architect, SOC AI-augmentation strategist, and product leader.

The Role

• Own and execute the multi-year strategy and roadmap for evolving and scaling incident response capabilities, tooling, automation, and AI augmentation across the Security Operations function.
• Define and maintain the RESPOND capability taxonomy, mapped to NIST CSF (Respond/Recover), NIST SP 800-61r3, MITRE ATT&CK, and D3FEND.
• Set roadmap and strategy for SOAR platforms (Splunk SOAR, Microsoft Sentinel SOAR/Logic Apps), case management, evidence collection, and response orchestration.
• Define and oversee SOAR playbook automation builds, documentation, and execution.
• Define the AI augmentation incident response strategy for security operations: agentic AI workflows, LLM-assisted triage, prompt libraries, notebook-based investigation, and human-in-the-loop autonomous response patterns.
• Establish governance, guardrails, and auditability for AI-assisted and AI-autonomous response actions in support of regulatory frameworks and audits.
• Define requirements and oversee build-out of automation pipelines, playbooks, response actions, enrichment services, promptbook-based investigation notebooks, and analyst-facing tooling.
• Establish and maintain centralized libraries of response tools, scripts, prompt books, notebooks, and live-response packages deployable via EDR, SOAR, and endpoint management platforms.
• Drive incident response tooling and integration strategy across EDR, XDR, SIEM, identity, cloud, network, ticketing, and AI platforms to enable closed-loop response.
• Partner closely with the detection product team to ensure detections produce response-ready, automatable, and AI-consumable outputs.
• Define KPIs and OKRs for response product effectiveness: MTTR, automation coverage, AI-assist coverage, analyst toil reduction, containment time, evidence completeness.
• Manage vendor relationships, evaluations, POCs, and procurement for response and AI tooling.
• Govern the RESPOND backlog, prioritize work for embedded product team members, and run agile delivery cadence.
• Represent RESPOND capabilities to executive leadership, audit, and regulators.

All about you

• Extensive, in-depth, hands-on experience in security operations, incident response, digital forensics, automation engineering, or security engineering, with at least 3 years in a product, architecture, or capability ownership role.
• Deep, hands-on expertise with SOAR tools, including playbook development, integration into Agentic AI tools, integration into case management, custom app/connector creation, and platform administration.
• Proven enterprise-scale experience designing and operationalizing AI augmentation in security operations, including:
  o Agentic AI workflows for triage, enrichment, scoping, or response.
  o Prompt engineering and maintained prompt book libraries for analyst use.
  o Jupyter notebook-driven investigation and DFIR workflows.
  o LLM integration into SOAR, case management, or analyst tooling.
• Demonstrated track record shipping AI-augmented incident response capabilities in a large enterprise.
• Working knowledge of MCP server architectures and emerging agentic frameworks for SOC use cases.
• Deep expertise across the full IR lifecycle: triage, scoping, containment, eradication, recovery, evidence handling, post-incident review.
• Strong DFIR background covering endpoint, network, cloud (AWS, Azure, GCP), identity, and SaaS forensics.
• Working proficiency in Python and PowerShell. Comfort reviewing and directing code without being the primary developer.
• Experience with EDR live response capabilities and custom tool/scripting execution capabilities.
• Fluency in modern SOC architecture concepts: tiered case management, detection-as-code, response-as-code, autonomous response patterns, and the regulatory implications of each.
• Deep understanding and experience executing on SOC evolution and modernization across SOC maturity models (2.0 and 3.0).

Preferred Qualifications

• Deep expertise in digital forensics, threat hunting concepts, and security engineering is a must.
• Prior experience standing up or modernizing a SOAR or AI-augmented response program from the ground up would be required.
• Bachelor’s degree in Computer Science, Cybersecurity, or IT-focused disciplines (or equivalent experience) would be preferred.
• Security Operations experience in regulated financial services enterprise environments will be ideal.
• Familiarity with mobile device evidence collection, ephemeral messaging archiving, and cloud forensic acquisition a plus.
• Experience defining auditability and evidentiary standards for AI-assisted decisions in a regulated SOC.
• Industry certifications: GCFA, GCIH, GNFA, GCFR, GREM, or equivalent.

Corporate Security Responsibility

All activities involving access to Mastercard assets, information, and networks come with an inherent risk to the organization and, therefore, it is expected that every person working for, or on behalf of, Mastercard is responsible for information security and must:

• Abide by Mastercard’s security policies and practices;
• Ensure the confidentiality and integrity of the information being accessed;
• Report any suspected information security violation or breach; and
• Complete all periodic mandatory security trainings in accordance with Mastercard’s guidelines.
