Senior Manager - Incident Response Team (Night Shift, 3:00 PM - 11:00 PM PHX)

American Express

Phoenix, AZ
Full Time
Paid
  • Responsibilities

    JOB DESCRIPTION

    Joining Amex Tech means discovering and shaping your contribution to something big. Here, you can work alongside talented tech teams and build a unique career with the Powerful Backing of American Express. With a range of opportunities to work with the latest technologies, and a commitment to back the broader engineering community through open source, our mission is to power your success. Because Amex Tech is powered by our technology, our culture, and our colleagues.

    The Technology organization enables and accelerates the company’s growth strategies, delivering global capabilities and services in support of Amex’s customers and colleagues, while maintaining 24/7 servicing and availability to ensure an uninterrupted, high-quality customer experience. Technology provides the foundation for everything we do in the company while driving differentiation through building and leveraging innovative technology and data insights.

    At American Express, our mission is to deliver the world’s best customer experience every day. At the heart of this mission is our Information Security organization, enabling exceptional experiences built on a foundation of trust, service, and security. We leverage advanced technologies and data-driven insights to stay ahead of an evolving threat landscape. We foster a culture of passion, curiosity, and courage, empowering you to innovate, grow, and help shape the future of a Fortune 100 company.

    Trust. Service. Security.

    American Express is seeking a highly experienced and driven Senior Manager to lead its Incident Response team on the night shift (3:00 PM - 11:00 PM PHX). This senior leadership role demands a balance of strong people leadership and deep technical expertise across the full incident response lifecycle, from preparedness and active investigations to post-incident review.

    As the primary escalation point for the night shift, you will serve as the most senior technical authority, guiding complex investigations, conducting in-depth analysis, identifying attacker tactics, techniques, and procedures (TTPs), and developing comprehensive attack narratives. You will lead and coordinate response actions while ensuring alignment with enterprise security objectives.

    This role requires a proactive leader who can strengthen team capabilities across people, process, and technology, enabling the investigation and mitigation of sophisticated threats. Success in this position depends on critical thinking, sound judgment, innovative problem-solving, and clear, effective communication across both technical and executive audiences.

    RESPONSIBILITIES

    • Lead and develop the night shift Incident Response team, fostering a high-performance culture focused on accountability, collaboration, and continuous improvement.
    • Serve as the primary escalation point and senior decision-maker for complex security incidents during the shift.
    • Lead and oversee incident response activities, including host and network forensics, log analysis, and malware triage across Windows, macOS, Linux, and cloud environments.
    • Direct incident investigations end-to-end, ensuring accurate scoping, identification of affected systems/accounts, and timely containment, eradication, and recovery actions.
    • Recognize and analyze attacker tactics, techniques, and procedures (TTPs), as well as Indicators of Compromise (IOCs) and Indicators of Attack (IOAs), applying insights to active and future investigations.
    • Provide expert guidance to leadership and stakeholders during incident response and crisis management situations.
    • Drive continuous improvement of incident response processes, tools, and capabilities through active contribution to team initiatives and strategic projects.
    • Build and sustain a world-class security operations capability with a strong emphasis on innovation, scalability, and operational excellence.
    • Define and implement incident response best practices to advance the maturity of the organization’s overall security posture.
    • Deliver actionable recommendations to enhance enterprise risk posture based on threat intelligence, research, and technical expertise.
    • Stay current on evolving threat landscapes, attack methodologies, and defensive technologies to ensure organizational readiness.
    • Produce clear, concise, and high-quality written and verbal communications for both technical and executive audiences.
    • Participate in an on-call rotation and provide after-hours support as needed.

    QUALIFICATIONS

    • 1-3 years of experience in information security.
    • Experience with host, network, and/or memory forensics.
    • Experience with various network and/or host-based security tools to detect and respond to security events (e.g., SIEM, web proxy, intrusion detection/prevention).
    • Theoretical and practical security knowledge and investigation experience with Mac, Linux, and Windows operating systems, as well as cloud environments.
    • Theoretical and practical knowledge of Incident Response lifecycles.
    • Ability to convey complex technical concepts to audiences with varying levels of technical ability.

    PREFERRED QUALIFICATIONS

    • Excellent analytical, documentation, and communication skills.
    • Multiple applicable certifications (GSE, GDAT, GCIA, GCIH, GCFA, GNFA, GCFE, GREM, CCSP, CEH, CCISP).
    • Knowledge and investigation experience in a global, multi-cloud environment.
    • Experience in programming and/or scripting languages (Python, PowerShell, Go, etc.)

    Employment eligibility to work with American Express in the United States is required as the company will not pursue visa sponsorship for these positions.

  • Industry
    Financial Services