Radial

Senior Incident Responder - Cybersecurity

Radial: $140K — $170K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 5+ years in cybersecurity incident response, focusing on high-severity incidents.
  • Proven track record as primary owner of escalated security incidents post-SOC triage.
  • Experience in real-time decision-making with incomplete information.
  • Strong skills with SIEM and EDR platforms for security telemetry investigations.
  • Hands-on experience in cloud incident investigations including Azure and/or AWS.

Responsibilities

  • Lead high-severity incident investigations from scope through resolution.
  • Determine the impact of incidents across various systems and services.
  • Conduct forensic analysis to understand incidents thoroughly.
  • Coordinate incident containment and remediation with various teams.
  • Communicate findings effectively to both technical and non-technical stakeholders.

Benefits

  • 100% premiums paid for health, dental, and vision coverage.
  • RRSP contribution match up to 4%.
  • 35 days paid time off, including vacations and sick days.
  • Opportunity to work remotely in a different country for 10 weeks.
  • 18 weeks of paid parental leave after one year of employment.
Full Job Description
Job Title
Senior Incident Responder - Cybersecurity

Job Description
As a Senior Incident Responder, you will join Sage's Global Cyber Defence Operations team and take direct ownership of high-severity security incidents impacting Sage's systems, data, and customers.

This role requires experienced incident responders who have already operated beyond SOC or alert triage and have senior experience operating in live, high-pressure security incidents, leading complex investigations in real time, where information is incomplete, decisions must be made quickly, and containment must be managed across multiple technical teams.

You will own escalated incidents end-to-end - from initial scoping of escalation through investigation, containment strategy, remediation coordination, and root-cause analysis - across Sage's primarily cloud-based environment. These incidents span cloud, identity, application, and endpoint telemetry, often requiring you to work across multiple systems and teams to reach resolution.

In addition to incident response, you will contribute to threat hunting, detection improvement, and evolving how Sage detects and responds to attacks at scale.

Location & Hybrid Requirement:
3 days per week from our Vancouver or Toronto office (see working hours below)

Required Work Schedule:
• Monday-Friday, 8:00am-4:00pm PST or 11:00am-7:00pm EST
• Occasional adjusted hours, 6:00am-2:00pm PST, to support UK colleagues during planned PTO
• Participation in a shared on-call rotation, approximately one weekend per month

Minimum Qualifications
• 5+ years of hands-on experience in cybersecurity incident response, including direct involvement in high-severity incident response, preferably within a CIRT, CSIRT, MDR, DFIR, cyber defence, or mature security operations environment
• Proven experience acting as the primary owner of escalated, high-severity security incidents after SOC triage, with accountability for investigation, containment strategy, remediation coordination, root-cause determination, and post-incident review
• Experience operating during live security incidents where information is incomplete, requiring investigative direction and containment decisions based on evolving evidence
• Strong proficiency using SIEM and EDR platforms to investigate large volumes of security telemetry
• Hands-on experience investigating security incidents in cloud environments (Azure and/or AWS), including identity compromise, control plane activity, and misuse of cloud services
• Experience investigating incidents across multiple telemetry sources (e.g. SIEM, EDR, cloud-native logs, identity systems, application and service logs) and adapting to unfamiliar data structures and log formats
• Experience conducting forensic investigations to determine root cause and reconstruct attacker activity
• Experience performing threat hunting and developing or tuning detection logic
• Working knowledge of cyber threat intelligence, including attacker tactics, techniques, and procedures (TTPs), and applying intelligence to investigations
• Experience working cross-functionally with Engineering, IT, Cloud Operations, Legal, and Security teams to drive incident containment and remediation
• Ability to work 8:00am to 4:00pm PST, Monday through Friday, participate in an on-call rotation (1 weekend per month), and operate effectively during time-sensitive incidents

Key Responsibilities
• Lead escalated, high-severity incident investigations from scoping through containment, remediation, recovery, and root-cause analysis
• Determine incident scope and impact across identities, systems, services, cloud environments, applications, and affected assets
• Analyze cloud-native telemetry, SIEM, EDR, NDR, identity logs, application/service logs, and endpoint data where relevant
• Conduct forensic analysis to reconstruct attacker activity and understand how the incident occurred
• Coordinate containment and remediation with Product Engineering, IT, Cloud Operations, Legal, and other cybersecurity teams
• Communicate clear incident findings, risks, actions, and status updates to technical and non-technical stakeholders
• Perform proactive and hypothesis-driven threat hunting across cloud, identity, endpoint, server, and application environments
• Apply threat intelligence to prioritize investigations and improve detection coverage
• Tune detections and improve investigation workflows, incident response playbooks, and response procedures
• Lead cyber defence workstreams within larger security initiatives

Benefits? We have plenty...
• 100% paid premiums for health, dental, and vision coverage
• RRSP contribution match (100% up to 4%)
• 35 days paid time off (11 holidays, 16 vacation days, 3 personal days, 5 sick days)
• Work Away, an opportunity to work & play for 10 weeks in a country of your choice (from a Sage-approved list)
• 18 weeks of paid parental leave for birth, adoption, or surrogacy offered 1 year after your start date
• 5 days paid yearly to volunteer (through Sage Foundation)
• $5,250 tuition reimbursement per calendar year starting 6 months after your hire date
• Sage Wellness Rewards Program (annual fitness reimbursement)
• Library of on-demand career development options and ongoing training offerings

Compensation offered will be determined by factors such as location, level, job-related knowledge, education, and experience. Certain provinces in Canada require job postings to include a reasonable estimate of the salary range applicable to the role. For this role, in those locations, the target base salary range for new hires is C$140,000 to C$170,000. In addition to base salary, employees will participate in a bonus plan (20%) based on company and individual performance. Our talent acquisition team will provide specific opportunities on our bonus or incentive programs. The range listed is just one component of the Sage total compensation package.

Function
Global Information Security

Country
Canada

Office Location
Vancouver;Toronto

Work Place type
Hybrid

About Radial

Radial is a leading provider of e-commerce technology and operations solutions for retailers and brands. The company offers a range of services, including order management, payment processing, fraud detection, and customer care. Radial's solutions are designed to help retailers and brands improve their online shopping experiences, increase sales, and reduce costs. The company serves a wide range of industries, including fashion, beauty, electronics, and home goods. Radial is headquartered in King of Prussia, Pennsylvania, and has operations in the United States, Europe, and Asia.
Size
7,000 employees
Industry
Founded
1999
