Detection and Response Manager

The Detection and Response Manager will build, lead, and continuously mature the Detection and Response Team, serving as Tier 3 support for Con Edisons IT and OT Cybersecurity Operations Center (CSOC). This role is responsible for advanced threat detection, incident escalation, and enterprise wide incident response. Reporting to the Director of Cybersecurity Operations, the manager will establish a new team that functions as the primary escalation path for the CSOC, advances detection engineering maturity, and conducts proactive threat hunting across the enterprise. The role also influences front line CSOC effectiveness by delivering validated detections, well defined playbooks, and targeted training to ensure consistent and confident execution. This position partners closely with Security Engineering, the CSOC, Offensive Security, Corporate Security, and the ETS team to strengthen and evolve how threats are identified and responded to across the organization. As Con Edison continues to invest in technologies such as cloud platforms, containers, AI, and OT environments, the scope of this role includes maturing detection and response capabilities across both existing and emerging technologies. This includes enhancing incident response processes and expanding SIEM and SOAR use cases to support business growth and resilience. The Detection and Response Manager ensures the development of repeatable procedures, validation of detections through realistic scenarios, effective training of stakeholder teams, and seamless transitions of new capabilities to the CSOC. The ultimate objective is to strengthen Tier 1 and Tier 2 operations, enabling faster response times, higher confidence, and improved security outcomes. Required Education/Experience * Bachelor's Degree and 8 years of relevant work experience or * Master's Degree and 6 years of relevant work experience. Preferred Education/Experience * Master's Degree Majors preferred in IT, computer science, business administration, engineering or decision sciences including mathematics, analytics, quantitative methods. and 6 years of relevant work experience. Relevant Work Experience * Leadership experience in cybersecurity operations, detection engineering, or incident response, including building and maturing teams, required. * Hands-on experience designing, tuning, and validating detections across diverse data sources, with a track record of reducing false positives, required. * Deep hands-on experience with SIEM and SOAR platforms, including building correlation logic, case workflows, and automation playbooks, required. * Demonstrated experience leading hypothesis-driven threat hunts and converting findings into durable detections, required. * Experience operating in or alongside cloud security (AWS, GCP, Azure, or OCI) required. * Exposure to OT environments and a willingness to develop OT depth, including OT risk, telemetry, and operational constraints, required. * Experience developing and operationalizing playbooks, procedures, and training material, required. * Experience validating detections through tabletop exercises, purple team testing, and controlled scenarios, required. * Track record of improving operational metrics (MTTD, MTTR, false positive reduction), required. * Direct experience in OT or critical infrastructure environments preferred. * Experience partnering with offensive security or threat intelligence teams to translate findings into detections and response improvements preferred. * Experience evaluating and deploying AI-driven security tooling in a production environment preferred. * Strong working knowledge of MITRE ATT&CK, used to map detections, hunts, and coverage gaps, preferred. * Strong stakeholder management across security, engineering, and business teams, preferred. Skills and Abilities * Effective leadership skills * Demonstrated problem solving skills * Demonstrated written communication skills Licenses and Certifications * Driver's License Required * Project Management Professional (PMP) Training and/or certification in Project Management is a plus. Preferred * Other: Cybersecurity certifications such as CISSP, CISM, GCFA, GCIA, or GCFE Preferred Physical Demands * Sit or stand to answer a phone for the duration of the workday * Sit or stand to use a keyboard, mouse, and computer for the duration of the workday * Ability to read small print and symbols Additional Physical Demands * The selected candidate will be assigned a System Emergency Assignment (i.e., an emergency response role) and will be expected to work non-business hours during emergencies, which may include nights, weekends, and holidays. * Must be able and willing to travel within Company service territory, as needed. Core Responsibilities * Build and lead the Detection and Response Team. * Operate as the escalation path for high complexity alerts, suspected incidents and root cause investigations, supporting both IT and OT CSOC workflows. * Improve the end-to-end response lifecycle, including alert triage, investigation, containment, remediation coordination, lessons learned and documentation. * Partner with Security Engineering to develop and mature detection use cases, including tuning detections for low false positives and high signal quality. * Lead continuous threat hunting by regularly scanning telemetry and investigation outputs to find stealthy attacker behavior and emerging patterns across IT and OT. * Lead campaign-based threat hunting by defining hypotheses, objectives and success criteria with stakeholders, then running time bound hunts aligned to risk, new threats and specific business systems. * Identify opportunities across the business where cybersecurity requirements were not implemented, were not consistently enforced, or were misaligned to risk and work with stakeholders to close those gaps. * Collaborate with Offensive Security and threat intelligence stakeholders to incorporate new findings into detections, detections engineering and response improvements. * Own the end to end lifecycle and continuous improvement of SIEM and SOAR use cases, spanning alert enrichment, case management, automated response actions, and orchestration. * Develop and improve incident response processes, including playbook development, scenario testing, tabletop exercises and after-action reviews. * Guide capability transitions to the CSOC by ensuring detections and response procedures are documented, trained, tested and ready for steady state operations. * Establish measurable performance targets and an operating rhythm, including metrics such as mean time to detect, mean time to respond, investigation throughput, false positive rates and impact from tuning or automation. * Evaluate, pilot, and operationalize AI-driven detection and response tools and technology (e.g., anomaly detection, alert summarization/enrichment, and automated triage) to reduce false positives and accelerate MTTD/MTTR.