Cyber Incident Response Team (CIRT) Lead (SME)

Peraton, Herndon, VA
$112,000 - $179,000

About The Position

We are seeking a highly skilled and innovative Cyber Incident Response Team (CIRT) Lead (SME) to join our team in the greater DMV area, supporting the Army National Guard.

Requirements

  • Minimum of 12 years with BS/BA; Minimum of 10 years with MS/MA; Minimum of 7 years with Ph.D.
  • Clearance: Active TS/SCI clearance.
  • Candidate must meet ONE of the following:
      • Master’s degree or Ph.D. in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, Software Engineering, or a related field; OR
      • Relevant DoD/military training (examples: 4‑11‑C32‑255S (CP), 4C‑255N (CP), 4C‑255A (CP)); OR
      • Relevant professional certification or equivalent experience (examples: CFR, CySA+, GCFA, GCIA, GICSP).
  • Cybersecurity operations, incident response, or advanced cyber investigations experience with at least 7 years in senior CIRT/SOC leadership or technical authority roles supporting enterprise or DoD environments.
  • Proven expertise in forensic collection/analysis, packet capture and network forensic techniques, EDR/XDR operations, malware analysis, and adversary TTP mapping.
  • Demonstrated ability to coordinate multi‑stakeholder responses with ARCYBER, NETCOM, DISA, RCC‑ARNG, and other mission partners.
  • Experience developing and validating enterprise incident playbooks, SOAR playbooks, escalation matrices, and evidence handling practices that meet RMF/ATO and legal standards.
  • Strong executive briefing skills and experience producing decision‑grade incident reports, AARs, and remediation roadmaps.
  • Track record running large‑scale exercises (tabletop, purple team, red/blue) and driving measurable improvements in detection and response metrics.

Nice To Haves

  • Prior experience as a CIRT technical authority or senior incident commander in DoD/Army/ARNG environments.
  • Experience integrating threat intelligence programs and hunt teams into incident response operations.
  • Familiarity with legal/forensic admissibility considerations and working with external partners for cross‑boundary investigations.

Responsibilities

  • Provide enterprise technical authority for cyber incident response: establish doctrine, escalation frameworks, investigative standards, and adjudication processes aligned with DoD, Army, and NIST guidance.
  • Advise senior leadership during high‑severity incidents on containment strategy, operational risk, recovery priorities, and risk tradeoffs.
  • Oversee development, validation, and lifecycle management of incident response playbooks, forensic methodologies, adversary mapping techniques, and chain‑of‑custody procedures to ensure defensible investigative outcomes.
  • Integrate threat intelligence, threat hunting insights, and vulnerability data into enterprise response strategy to improve detection fidelity and inform remediation priorities.
  • Guide optimization and architectural alignment of SOC/CIRT tooling (EDR/XDR, SOAR, forensics, packet capture) to ensure operational readiness and scalability.
  • Direct cross‑organizational coordination with RCC‑ARNG, NETCOM, ARCYBER, engineering, and mission stakeholders for synchronized response and long-term remediation.
  • Lead after‑action analysis, produce executive incident reports and AARs, and drive corrective action planning to address detection gaps and architectural weaknesses.
  • Oversee readiness exercises, purple/red/blue team activities, and continuous improvement programs to mature response capabilities and reduce MTTD/MTTR.
  • Mentor CIRT leadership, establish metrics/KPIs for response effectiveness, and maintain evidence and reporting practices for RMF/ATO and legal/audit requirements.