Senior Manager – CSIRT
| Field | Value |
|---|---|
| Company | TD Bank |
| Location | Toronto, ON, Canada |
| Salary | $108800 – $163200 |
| Type | Full-Time |
| Degrees | |
| Experience Level | Senior, Expert or higher |
Requirements
- 8-12+ years in a blue team/red team technical function, with a strong focus on incident response and technical threat operations.
- 3+ years in a leadership role within CSIRT, CSOC L3, or equivalent tactical incident response team.
- Incident triage and attacker behavior investigation across logs, EDR/XDR, and SIEMs, with domain experience investigating events and attacks on endpoints, servers, networks, data stores, and cloud environments.
- Experience with Microsoft Defender, CrowdStrike Falcon, and Microsoft XDR stack.
- Strong understanding of SIEM and data workflows (e.g. Splunk, Sentinel, and LogScale).
- Automation and scripting (Python, PowerShell, Bash).
- Extensive familiarity with attack chains, behavior mapping, and detection engineering (MITRE ATT&CK).
- Use of SOAR tools to drive playbook orchestration for enhancement, enrichment, classification, decisioning, and kinetic actions.
Responsibilities
- Guide the CSIRT through detection, isolation, and containment from cyber events and incidents, including malware campaigns, targeted attacks, insider misuse, and credential abuse.
- Act as the technical leadership pivot between CSOC, Attack Surface Reduction, Cyber Threat Detection, and other Cyber Threat Management functions, ensuring that investigations are cohesive, fast-moving, and thorough.
- Own the technical execution of incidents from triage to containment. Maintain high standards for process, procedures, documentation, root cause analysis, control improvement opportunities, and lessons learned.
- Work with engineering teams to tune EDR/XDR, enrich telemetry, and improve signal fidelity in tools including Microsoft XDR, CrowdStrike Falcon, and Defender for Endpoint.
- As Product Owner, own and evolve CSIRT response playbooks within SOAR tools. Driving automation is a foundational imperative for decision support, enrichment, isolation, and containment where appropriate.
- Mentor team members in modern attack investigation, detection, and response techniques – cloud, identity, network, endpoint, data, and lateral movement patterns and TTPs. Build team readiness through tabletop, scenario-based exercises, and active capability assessments to ensure skills are assimilated and can be applied dynamically during active attacks and incident response.
- Define and drive the 3-year capability roadmap for CSIRT, aligning with enterprise threat priorities, evolving adversary tradecraft, and regulatory expectations. Translate strategy into operational plans, maturity goals, and resourcing models. Maintain visibility on key risks and control gaps related to response readiness, ensuring they are actively tracked, escalated, and addressed in partnership with 1B, second line and audit stakeholders.
Preferred Qualifications
- GIAC (GCIH, GCIA, GDAT) or equivalent hands-on IR expertise.