Insider Risk & Data Protection Engineer

Peraton
Home, VA
$104,000 - $166,000
Hybrid

About The Position

Peraton is seeking an Insider Risk & Data Protection Engineer to join the Insider Risk and Data Protection (IR/DLP) Team within Corporate Security Compliance & Risk. This is an individual contributor role focused on the day-to-day technical execution of the enterprise Data Loss Prevention (DLP) program, digital activity reviews, and response to data spills and compromises involving Controlled Unclassified Information (CUI) and other sensitive data. The analyst will work closely with the IR/DLP team, Cybersecurity, Legal, HR, Privacy, and program security stakeholders to detect, investigate, and remediate insider risk and data protection events. Ideal candidates are technically hands-on, detail-oriented, exercise strong discretion, and are comfortable operating defensible investigative processes in a regulated government-contracting environment.

Requirements

  • 8+ years of relevant experience with a Bachelor's degree in Cybersecurity, Information Systems, Intelligence, Criminal Justice, or related field
  • 12+ years of relevant experience may be considered in lieu of degree.
  • Minimum 5 years of combined experience across DLP administration, insider risk / user activity monitoring, digital forensics, or cybersecurity incident response.
  • Minimum 3 years hands-on experience administering an enterprise DLP platform (e.g., Microsoft Purview, Symantec/Broadcom DLP, Forcepoint, Zscaler, Netskope, or equivalent), including policy authoring and tuning.
  • Demonstrated experience conducting digital activity reviews or insider-risk investigations, including correlating data across endpoint, email, network, and cloud sources.
  • Working knowledge of CUI handling requirements, DFARS 252.204-7012, and NIST SP 800-171.
  • Basic proficiency with at least one scripting language (Python, PowerShell, KQL, SPL, or equivalent) for log analysis, automation, or data wrangling.
  • Strong written and verbal communication skills, including the ability to translate technical findings into clear, audience-appropriate narratives for HR, Legal, and leadership.
  • Strong attention to detail, sound judgment, discretion, and professional demeanor when handling sensitive matters.
  • US Citizenship required.
  • Ability to obtain a Top Secret security clearance.
  • Ability to attend in-person meetings on occasion in Reston, VA.

Nice To Haves

  • Experience supporting cybersecurity operations within a government contractor, DoD, or other regulated environment.
  • Hands-on experience with EDR (e.g., CrowdStrike, Defender for Endpoint, SentinelOne) and SIEM (e.g., Splunk, Sentinel) for investigative workflows.
  • Experience with insider risk platforms or UAM tools (e.g., Microsoft Purview Insider Risk Management, DTEX, Proofpoint ITM, Everfox/Forcepoint Insider Threat).
  • Familiarity with digital forensics fundamentals (disk, memory, network, and cloud artifacts) and chain-of-custody practices.
  • Experience reporting cyber incidents to DC3/DCISE or supporting customer cyber incident notifications.
  • Relevant certifications such as GCFE, GCFA, GCIH, GCIA, CFE, CCFP, CISSP, CISM, or vendor-specific DLP/EDR certifications.

Responsibilities

  • Administer, tune, and expand coverage of the enterprise DLP platform(s) across endpoint, email, network, cloud, and SaaS channels.
  • Build, test, and refine DLP policies, rules, classifications, and detection use cases aligned to insider risk scenarios and regulatory drivers (CUI, DFARS, ITAR/EAR, PII, IP).
  • Triage DLP alerts, reduce false positives, and continuously improve alert fidelity and analyst workflow.
  • Support onboarding of new data sources, business units, and telemetry feeds into the DLP and user activity monitoring stack.
  • Document standard operating procedures, runbooks, and configuration baselines for the DLP program.
  • Conduct digital activity reviews of user behavior, data movement, and endpoint activity in support of insider risk inquiries, HR referrals, Legal holds, and management-requested reviews.
  • Correlate activity across DLP, EDR, SIEM, identity, email, and cloud audit logs to build clear, fact-based timelines.
  • Produce concise written findings appropriate for HR, Legal, and security leadership audiences.
  • Maintain defensible documentation, chain-of-custody, and evidence-handling practices throughout each review.
  • Serve as a primary responder for data spills and suspected compromises involving CUI, export-controlled, proprietary, or other sensitive data.
  • Execute containment, eradication, and sanitization actions in accordance with DFARS 252.204-7012, NIST SP 800-171, and Peraton internal incident response procedures.
  • Coordinate notifications and reporting obligations (e.g., DoD Cyber Crime Center / DC3 reporting timelines, customer notifications) with Legal, Contracts, Program Security, and the CSOC.
  • Maintain incident records, lessons-learned, and after-action reporting; recommend control improvements to prevent recurrence.
  • Partner with the CSOC, IT Operations, Privacy, Legal, HR, and Program Security on cross-functional investigations and response actions.
  • Contribute to development of insider risk policies, standards, awareness content, and training.
  • Support data analytics, automation, and scripting initiatives that improve investigative efficiency and metrics.
  • Provide periodic reporting on DLP, digital activity review, and data spill metrics to IRDP leadership.
  • Periodic on-call responsibilities in support of after-hours data spill and insider risk events.

Benefits

  • Overtime
  • Shift differential
  • Discretionary bonus