Senior Cyber Incident Responder

Summary

The Senior Cyber Incident Responder is a senior-level, hands-on responder responsible for leading and executing incident response activities. This role investigates security alerts and confirmed incidents, performs rapid triage and containment, drives eradication and recovery actions, and produces high-quality incident documentation suitable for technical, executive, and regulatory audiences.

This position requires strong technical depth across endpoint, network, and identity-focused incidents, expert-level analytical skills, and the ability to coordinate responders and stakeholders under time pressure. The Senior Cyber Incident Responder works closely with the SOC, Vulnerability Management, Threat Intelligence, IT Operations, and engineering teams to reduce dwell time, prevent recurrence, and continuously improve detection and response capabilities.

Your role in our mission

1. Incident Triage, Investigation, and Leadership

• Lead investigations from initial alert through closure, including validation, scoping, evidence collection, and root cause analysis.
• Act as an incident lead for medium-to-high severity events by coordinating technical responders, maintaining timelines, and driving decisions to completion.

2. Containment, Eradication, and Recovery Coordination

• Execute rapid containment actions in partnership with IT and security engineering teams (e.g., isolate endpoints, disable accounts, block IOCs, segment network access, revoke tokens).
• Drive eradication plans to remove persistence mechanisms, remediate compromised systems, and validate successful cleanup.

3. Digital Forensics and Evidence Handling

• Collect and preserve evidence in a defensible manner (logs, endpoint artifacts, memory/disk captures where appropriate, authentication records, network telemetry).
• Analyze endpoint and network indicators to determine initial access vector, lateral movement, privilege escalation, and data access/exfiltration risk.

4. Threat Intelligence and Adversary Tracking

• Integrate threat intelligence (e.g., commercial feeds and OSINT) to enrich investigations with context on active exploitation and adversary tradecraft.
• Produce and operationalize IOCs and detection logic based on observed activity and intelligence-driven hypotheses.

5. Detection Improvement and Preventative Controls

• Translate incident learnings into durable improvements: detection rules, correlation searches, SIEM content, alert tuning, and response playbooks.
• Partner with Vulnerability Management and engineering teams when incidents are linked to exploitable vulnerabilities or misconfigurations (e.g., prioritizing patching/hardening actions).

What we're looking for

• 7–10+ years of overall IT/security experience, including 4–6+ years in incident response, SOC, threat hunting, or security operations.
• Demonstrated experience leading investigations across common incident types (credential theft, malware/ransomware, web exploitation, data exposure, cloud/identity abuse).
• Strong working knowledge of:
• Enterprise logging and detection (e.g., Splunk or similar SIEM)
• Incident workflow/case management (e.g., ServiceNow or comparable platforms)
• Identity and access patterns (AD/Azure AD concepts, authentication logs, privilege pathways)
• Network security fundamentals (firewalls, proxies, segmentation, VPN access patterns)
• Proven ability to analyze log sources and security telemetry to reconstruct attack paths and identify blast radius.
• Working knowledge of industry frameworks and standards such as NIST 800-61 (Incident Response), MITRE ATT&CK, and common secure operations practices.
• Strong written and verbal communication skills, including executive-ready incident summaries and technically detailed incident reports.

Ability to participate in an on-call rotation and respond effectively during high-severity events.

What you should expect in this role

• Remote position (California only)
• Local candidates from California only
• Opportunities to travel through your work (0-10%)
• Video cameras must be used during all interviews, as well as during the initial week of orientation
• The deadline to submit applications for this posting is 4/30/2026