Lead Security Analyst - Cloud & Endpoint Incident Response
1150868
About the role
The Lead Security Analyst is a senior, hands-on role within Security Operations focused on cloud-centric incident response with a primary emphasis on AWS, while also leading complex investigations across endpoint, identity, and SaaS environments. This role is for an experienced investigator who operates confidently in high-impact incidents, owns response end-to-end, and improves how security incidents are detected, investigated, and contained at scale. This is not simply an alert-triage role; it is a senior investigative and technical leadership position.
What you’ll do
Threat awareness & rapid assessment
Track emerging threats (active exploitation, 0-days, vendor advisories, high-risk CVEs) and quickly assess relevance to our AWS environment and endpoints.
Triage external and internal inputs (customer-reported issues, bug bounty reports, security research, escalations) and drive them through validation, investigation, and mitigation when risk is confirmed.
Translate threat intelligence into practical actions: containment guidance, detection updates, and prioritized remediation.
Incident response & investigation
Lead and execute high-severity security incidents across AWS, endpoints, identity, and SaaS environments.
Drive incidents from initial signal through scoping, containment, eradication, recovery, and post-incident review.
Reconstruct attacker activity by correlating AWS and endpoint evidence to determine initial access, persistence, privilege escalation, lateral movement, and impact.
Produce clear incident documentation (timelines, findings, evidence, and actionable recommendations) for both technical and non-technical stakeholders.
AWS incident response
Investigate AWS incidents including IAM abuse, credential compromise, control-plane attacks, persistence mechanisms, and lateral movement.
Use AWS telemetry to scope and confirm activity, including CloudTrail, CloudWatch Logs, VPC Flow Logs, IAM, and GuardDuty.
Lead investigations involving common AWS compromise patterns such as leaked access keys, abused IAM roles and sessions, and control-plane misuse.
Execute containment actions across cloud surfaces, including credential/session revocation, policy/role changes, resource quarantine, and access tightening, balancing speed with service impact.
Identify visibility and telemetry gaps and work with engineering teams to close them (logging coverage, retention, alerting, access model for incident response).
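The two duties above that an interviewer will probe hardest are reconstructing attacker activity from AWS evidence and turning that reconstruction into containment that respects service impact. The script below is an added example (not code from the posting or from HubSpot) of the core of that work: it walks CloudTrail-shaped records, follows one compromised access key, attributes any key or role session that key mints to the same intrusion, labels each step with a kill-chain stage, and emits a containment plan as data for a human to order. The account IDs, key IDs, principals, role ARN and IP addresses are constructed for illustration; the record field names (`userIdentity.accessKeyId`, `responseElements.credentials.accessKeyId`, `errorCode`) follow the CloudTrail format.

```python
"""Reconstruct an attacker timeline from CloudTrail and draft containment actions.

Added example, not code from the posting or from HubSpot. Record field names
follow the CloudTrail format; account IDs, key IDs, principals and IPs are
constructed for illustration (not real identifiers).
"""

STAGES = {  # coarse mapping of management-event names to kill-chain stages
    "persistence": {"CreateAccessKey", "CreateUser", "CreateLoginProfile", "UpdateAssumeRolePolicy"},
    "privilege_escalation": {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "AddUserToGroup"},
    "lateral_movement": {"AssumeRole"},
    "impact": {"GetSecretValue", "GetObject", "GetParameter"},
    "recon": {"GetCallerIdentity", "ListUsers", "ListRoles", "ListBuckets"},
}


def _rec(time, name, key, user=None, **fields):
    """Build a trimmed CloudTrail-shaped record (constructed test data helper)."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": "203.0.113.7",
           "userIdentity": {"accessKeyId": key, "userName": user}}
    rec.update(fields)
    return rec


K_SEED, K_NEW, K_SESSION = "AKIAEXAMPLEKEY000001", "AKIAEXAMPLEKEY000002", "ASIAEXAMPLESESSION03"
ROLE = "arn:aws:iam::222222222222:role/OrgAudit"
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample trail: a leaked CI key is validated, probes IAM, mints a
# backup key, self-grants admin, hops to another account and reads a secret.
SAMPLE_EVENTS = [
    _rec("2024-03-01T09:55:00Z", "DescribeInstances", "AKIAEXAMPLEKEY000099", "ops",
         sourceIPAddress="10.0.4.12"),  # unrelated principal, must be ignored
    _rec("2024-03-01T10:00:12Z", "GetCallerIdentity", K_SEED, "ci-deploy"),
    _rec("2024-03-01T10:00:40Z", "ListUsers", K_SEED, "ci-deploy", errorCode="AccessDenied"),
    _rec("2024-03-01T10:01:05Z", "CreateAccessKey", K_SEED, "ci-deploy",
         requestParameters={"userName": "ci-deploy"},
         responseElements={"accessKey": {"accessKeyId": K_NEW, "userName": "ci-deploy"}}),
    _rec("2024-03-01T10:02:10Z", "AttachUserPolicy", K_SEED, "ci-deploy",
         requestParameters={"userName": "ci-deploy", "policyArn": ADMIN}),
    _rec("2024-03-01T10:03:30Z", "AssumeRole", K_SEED, "ci-deploy",
         requestParameters={"roleArn": ROLE, "roleSessionName": "audit"},
         responseElements={"credentials": {"accessKeyId": K_SESSION}}),
    _rec("2024-03-01T10:04:00Z", "GetSecretValue", K_SESSION,
         requestParameters={"secretId": "prod/db/master"}),
    _rec("2024-03-01T10:04:30Z", "ListBuckets", K_NEW, "ci-deploy"),
]


def classify(rec):
    """Return the stage for one record: 'denied' for failed calls, None if uninteresting."""
    if rec.get("errorCode"):
        return "denied"  # failures still reveal what the attacker probed for
    return next((s for s, names in STAGES.items() if rec["eventName"] in names), None)


def reconstruct(events, seed_key):
    """Follow a compromised key through the trail. Any key or role session it
    mints is added to the compromised set so later activity under those
    credentials is attributed to the same intrusion."""
    compromised, timeline = {seed_key}, []
    for rec in sorted(events, key=lambda r: r["eventTime"]):
        key = rec["userIdentity"].get("accessKeyId")
        stage = classify(rec)
        if key not in compromised or stage is None:
            continue
        if stage != "denied" and all(e["stage"] == "denied" for e in timeline):
            stage = "initial_access"  # first successful use by the intruder
        resp, minted = rec.get("responseElements") or {}, None
        if stage != "denied" and rec["eventName"] == "CreateAccessKey":
            minted = resp["accessKey"]["accessKeyId"]
        elif stage != "denied" and rec["eventName"] == "AssumeRole":
            minted = resp["credentials"]["accessKeyId"]
        if minted:
            compromised.add(minted)
        timeline.append({"time": rec["eventTime"], "key": key, "stage": stage,
                         "event": rec["eventName"], "minted": minted,
                         "params": rec.get("requestParameters") or {}})
    return timeline


def containment_plan(timeline):
    """Turn the timeline into proposed actions (data, not API calls): a human
    orders them and weighs service impact, e.g. a CI key that pipelines rely on."""
    actions, done = [], set()

    def add(action, target, note):
        if (action, target) not in done:
            done.add((action, target))
            actions.append({"action": action, "target": target, "note": note})

    for e in timeline:
        if e["stage"] == "denied":
            continue
        for k in (e["key"], e["minted"]):
            if k and k.startswith("AKIA"):  # long-term key: set Inactive, keep for evidence
                add("deactivate_access_key", k, "Inactive, not deleted; confirm pipeline owner first")
        if e["event"] == "AssumeRole":  # sessions cannot be revoked directly; deny old tokens
            add("revoke_role_sessions", e["params"]["roleArn"],
                "inline Deny * with Condition DateLessThan aws:TokenIssueTime <now>")
        if e["event"] == "AttachUserPolicy":
            add("detach_user_policy", f'{e["params"]["userName"]}:{e["params"]["policyArn"]}',
                "remove self-granted privileges")
    return actions


if __name__ == "__main__":
    for entry in reconstruct(SAMPLE_EVENTS, K_SEED):
        print(entry["time"], entry["stage"], entry["event"], entry["key"])
```

Two design points worth noting. First, the correlation follows minted credentials: the session key returned by `AssumeRole` and the key returned by `CreateAccessKey` are added to the compromised set, which is how activity under the new account's role and under the backup key ends up in one timeline instead of three disconnected ones. Second, containment is emitted as a plan rather than executed: the CI key is marked Inactive rather than deleted so it remains available as evidence, and the note flags that pipelines may depend on it, which is the speed-versus-service-impact trade-off the posting describes.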
Detection, automation & readiness
Improve detection coverage across AWS and endpoint environments by validating detections against real-world attack scenarios and incident learnings.
Partner with detection engineering to test and deploy new detections, tune noisy detections, and strengthen investigation context.
Build and maintain investigation and response automation using SOAR tools and scripting.
Develop and evolve AWS and endpoint incident response playbooks and ensure they’re usable under pressure.
Engineering partnership & remediation ownership
Partner with Engineering, SRE, and IT to implement mitigations, including infrastructure configuration changes and application-level fixes when needed.
Track corrective actions to completion and ensure incident learnings translate into durable prevention (not just documentation).
Required experience
Strong understanding of software engineering fundamentals, including code structure, build systems, dependencies, and package ecosystems—enabling effective partnership with Engineering teams.
Understanding of CI/CD pipelines and DevOps workflows, enabling collaboration with Infrastructure and DevOps teams.
Solid knowledge of cloud architecture, especially Amazon Web Services (AWS) services used in modern cloud-native deployments.
Hands-on experience responding to AWS security incidents, including investigation and containment actions.
Familiarity with SaaS architectures, identity systems, and integration patterns for effective collaboration with Cloud Security teams.
Proven experience leading complex security incidents across cloud and endpoint environments.
Strong understanding of identity and access concepts (IAM roles, federation, OAuth, privilege escalation patterns).
Experience using a SIEM for investigations and detection development (Splunk preferred).
Comfortable scripting or automating in Python to accelerate investigations and response workflows.
Strong Linux investigation skills; solid working knowledge of macOS and Windows.
Preferred experience
Experience operating in multi-account AWS environments and building practical IR workflows for scale (centralized logging, access patterns, guardrails).
Familiarity with AWS security services beyond core telemetry (e.g., Security Hub, Detective, Config, Macie).
Familiarity with Kubernetes, containers, serverless infrastructure, or modern distributed systems.
SOAR experience building reliable, auditable automations and response workflows.
What we value
Calm, structured decision-making under pressure
Speed with evidence-based rigor
Ownership and follow-through on remediation
Strong cross-functional collaboration with engineering teams
An automation and continuous-improvement mindset
Pay & Benefits
The cash compensation below includes base salary, on-target commission for employees in eligible roles, and annual bonus targets under HubSpot’s bonus plan for eligible roles. In addition to cash compensation, some roles are eligible to participate in HubSpot’s equity plan to receive restricted stock units (RSUs). Some roles may also be eligible for overtime pay. Individual compensation packages are tailored to your skills, experience, qualifications, and other job-related reasons.
This resource will help guide how we recommend thinking about the range you see. Learn more about HubSpot’s compensation philosophy.
Benefits are also an important piece of your total compensation package. Explore the benefits and perks HubSpot offers to help employees grow better.
At HubSpot, fair compensation practices aren’t just about checking off the box for legal compliance. It’s about living out our value of transparency with our employees, candidates, and community.
Annual Cash Compensation Range:
$130,800—$209,300 USD