Incident Response Engineer

About The Position

Requirements

• 1+ years of experience in incident response, security operations, and forensic analysis
• Willingness to lead crisis situations, make data-driven security decisions, and drive technical and operational improvements.
• Knowledge of incident management, root cause analysis, and forensic investigation methodologies.
• Hands-on experience with SIEM (SQL, ELK, etc), SOAR, and EDR (CrowdStrike,) for real-time security monitoring and response.
• Understanding of OKR methodologies, Agile workflows, and project prioritization strategies.
• Understanding of threat intelligence, attacker tactics (MITRE ATT&CK), and real-world attack chains.

Nice To Haves

• Experience in security operations, ensuring effective escalation, resolution, and business alignment.
• Certifications: GCFA, GNFA, GREM, GCIH, or equivalent forensic/security certifications.
• Familiarity with SOAR platforms and security case management automation.
• Experience in Red Teaming, Threat Intelligence, or Malware Analysis.
• Understanding of cloud-native security monitoring (AWS, GCP, Azure).
• Knowledge of cloud security (AWS, GCP, Azure) and containerized workloads (Kubernetes, Docker) security incident handling.

Responsibilities

• Security Operations
• Oversee security event triage, validation, and response workflows, ensuring timely investigation of high-priority alerts and security anomalies.
• Collaborate with detection engineers and threat intelligence teams to refine investigative signals and improve security visibility.
• Maintain incident management processes, ensuring incidents are properly categorized, documented, and escalated as needed.
• Perform continuous operational improvements, such as tuning detection rules, optimizing log ingestion, and enhancing alert enrichment pipelines.
• Conduct security gap analysis, identifying weaknesses in monitoring coverage and recommending solutions to enhance detection and response capabilities.
• Work closely with engineering and infrastructure teams to improve log collection, normalization, and visibility across diverse environments.
• Ensure adherence to incident response playbooks, compliance standards, and security best practices (e.g., CISA, GDPR, NIST, ISO 27001).
• Incident Investigation & Threat Hunting
• Lead/Co-Lead forensic investigations into intrusions, insider threats, APTs, and account compromises.
• Perform log analysis, correlation, and anomaly detection across endpoint, network, and cloud telemetry.
• Use Python, SQL, and data engineering techniques to extract insights from large-scale logs, identifying attacker TTPs and movement across environments.
• Investigate real-time security incidents, working closely with detection teams to validate alerts and escalate threats.
• Conduct post-incident analysis to determine root causes, document findings, and recommend mitigation strategies.
• Security Monitoring & Continuous Threat Analysis
• Oversee security monitoring operations, ensuring alert triage, enrichment, and validation align with investigative workflows.
• Optimize SIEM queries, log ingestion pipelines, and case management systems to improve threat visibility.
• Develop playbooks and workflows to streamline investigations and reduce manual effort in repetitive tasks.
• Maintain Standard Operating Procedures (SOPs) for effective response to security alerts and ongoing monitoring.
• Collaborate with the Detection Engineering team to refine detection rules and investigative signals based on real-world attack patterns.
• Security Engineering & Automation for Investigations
• Provide requirements for automated solutions to enhance investigation efficiency, such as log parsing scripts, data enrichment tools, and case correlation frameworks.
• Use log analysis pipelines for efficient parsing, enrichment, and correlation of multi-source security data.
• Review and comprehend custom detection logic for brute-force attempts, lateral movement, and anomaly-based intrusion detection.
• Forensic Analysis & Threat Intelligence Correlation
• Perform disk, memory, and network forensics to uncover hidden indicators of compromise (IOCs) and attacker behaviors.
• Correlate multi-source logs (firewall, EDR, web, authentication logs, cloud telemetry) to reconstruct attack chains and identify attacker footholds.
• Analyze network traffic (PCAP, NetFlow, proxy logs) to detect exfiltration attempts, lateral movement, and suspicious patterns.
• Use threat intelligence APIs (e.g., VirusTotal, AbuseIPDB) to enrich investigations and automate IOC processing.