About The Position

NREL is seeking a mid-career cyber defense operations researcher to join its Cybersecurity Research Center (CRC). The CRC conducts applied research at the intersection of cybersecurity, energy systems, and national resilience, developing the tools, methods, and scientific foundations necessary to secure and sustain the nation's evolving energy infrastructure. CRC research spans incident response (IR) and threat detection, operational technology (OT) risk analysis, cyber-physical resilience testing, malware and artifact analysis, and defense science. Working across NREL's energy, grid, and systems integration missions, the CRC leverages unique laboratory assets, including the ARIES Cyber Range, to conduct high-fidelity cyber defense exercises and modeling that integrate Information Technology (IT), OT, and hybrid energy system architectures. We are seeking a technically strong and research-focused professional to advance incident response science, detection engineering, and defensive experimentation. The successful candidate will possess hands-on experience responding to cyber incidents, conducting forensic analysis, and translating findings into improved detection logic, playbooks, and system-level resilience strategies.

Requirements

  • Relevant PhD and 4 or more years of experience; or relevant Master's Degree and 7 or more years of experience; or relevant Bachelor's Degree and 9 or more years of experience. Demonstrated in-depth knowledge of laws, regulations, principles, procedures, and practices related to the specific field. Excellent leadership, communication, problem-solving, and project management skills. Ability to use various computer software programs.
  • Relevant PhD; or relevant Master's Degree and 3 or more years of experience; or relevant Bachelor's Degree and 5 or more years of experience. Demonstrates broad understanding and wide application of engineering technical procedures, principles, theories, and concepts in the field. General knowledge of other related disciplines. Demonstrates leadership in one or more areas of team, task, or project lead responsibilities. Demonstrated experience in management of projects. Very good writing, interpersonal, and communication skills.
  • Must meet educational requirements prior to employment start date.
  • Must be able to obtain and maintain a DOE security clearance at the Q/TS/SCI level. A polygraph may be required. Eligibility requirements: To obtain a clearance, an individual must be at least 18 years of age; U.S. citizenship is required except in very limited circumstances. See DOE O 472.2A for additional information.
  • Understanding and application of project management principles, concepts, practices, and standards.
  • Ability to travel as needed, up to 25%.

Nice To Haves

  • Advanced experience in Incident Response, threat hunting, forensics, malware analysis, preferably in critical infrastructure environments.
  • Deep understanding of detection engineering and monitoring at enterprise/OT scale; ability to architect solutions.
  • Strong proficiency in automation/scripting applied to tooling development and scalable IR workflows.
  • Applied expertise in Industrial Control Systems (ICS)/OT systems and energy sector architectures; recognized in this technical space.
  • Demonstrated record of producing reproducible research-grade results (peer-reviewed publications, conference papers).
  • Skilled communicator able to brief DOE sponsors, industry partners, and senior leadership.
  • Proven ability to lead cross-functional research efforts, secure research funding, and mentor staff.
  • Hands-on experience in incident response, Security Operation Center (SOC) operations, threat hunting, forensics, or malware analysis.
  • Working knowledge of detection and monitoring architectures (SIEM, EDR/XDR, packet capture tools, basic OT visibility).
  • Proficiency with scripting/automation languages (Python, PowerShell, Bash) to support workflows.
  • Familiarity with ICS/OT and energy sector concepts (Modbus, DNP3, IEC standards) or willingness to learn.
  • Demonstrated ability to produce defensible IR findings and contribute to reports and after-action documentation.
  • Effective written and verbal communication in multidisciplinary research environments.
  • Ability to work independently while collaborating across functional research teams.

Responsibilities

  • Lead incident-response and detection research strategy, shaping experiment design, modeling approach, and scientific rigor.
  • Architect and direct incident-response exercises spanning IT/OT/cyber-physical environments; develop crisis-response workflows.
  • Design, validate, and operationalize advanced detection engineering solutions; drive automation strategy.
  • Extend cybersecurity frameworks to produce new research methodologies and defense evaluation techniques.
  • Lead forensic investigations; produce reproducible analysis packages suitable for publication/Department of Energy (DOE) deliverables.
  • Translate research outcomes into resilience strategies, quantitative performance metrics, and sponsor-ready deliverables.
  • Lead proposal development and serve as primary/lead author on technical publications or conference presentations.
  • Build and lead cross-functional research teams; set objectives, track deliverables, manage schedules, and brief leadership.
  • Guide the development of defensible architecture and automated incident response exercise pipelines in the cyber range.
  • Provide sustained mentorship to junior researchers; act as a technical resource and role model within the laboratory.
  • Conduct cyber range experimentation to support incident response and detection research (malware/log analysis, defensive modeling).
  • Execute incident-response exercises (live-fire, playbook testing, crisis workflows) with guidance from senior staff.
  • Develop and refine detection artifacts (Security Information and Event Management (SIEM) rules, use-cases, enrichment logic, automation scripts).
  • Apply standard cybersecurity frameworks (MITRE ATT&CK / ICS ATT&CK, NIST IR lifecycle) to inform experiment design.
  • Perform forensic evidence collection and contribute timelines, artifacts, and post-incident analysis.
  • Document research outcomes and integrate findings into resilience models and incident-response playbooks.
  • Contribute written sections to research proposals, reports, and publications.
  • Collaborate with interdisciplinary teams (modeling, energy systems, cyber monitoring) to support experimental execution.
  • Support development of the cyber range monitoring infrastructure and automation scripts.
  • Share knowledge and assist interns or junior researchers when appropriate.

Benefits

  • Benefits include medical, dental, and vision insurance; short- and long-term disability insurance; pension benefits; 403(b) Employee Savings Plan with employer match; life and accidental death and dismemberment (AD&D) insurance; personal time off (PTO) and sick leave; paid holidays; and tuition reimbursement.
  • NREL employees may be eligible for, but are not guaranteed, performance-, merit-, and achievement-based awards that include a monetary component.
  • Some positions may be eligible for relocation expense reimbursement.

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Industry

Administrative and Support Services

Education Level

Ph.D. or professional degree

Number of Employees

1,001-5,000 employees

© 2024 Teal Labs, Inc