Investigator - Northern Virginia

SpyCloud
McLean, VA
Hybrid

About The Position

SpyCloud is on a mission to make the internet a safer place by disrupting the criminal underground. SpyCloud's solutions thwart cyberattacks and protect more than 4 billion accounts worldwide. Cybersecurity is an exciting, evolving space, and being at the forefront of the fight to disrupt cybercrime makes SpyCloud a special place to work. If you're driven to align your career with a fantastic mission, look no further!

SpyCloud collects recaptured breach data, malware-exfiltrated credentials, session cookies, and commercially available information at scale. The Investigations team turns that data into investigative reports and analytical products -- attribution packages, infrastructure assessments, identity exposure reports, and analytical support for government and enterprise customers.

This is a customer-facing role supporting government and IC-aligned customers across a range of national security mission areas. The analyst will conduct original investigations, respond to requests for information, deliver training and capability demonstrations to cleared personnel, and develop AI-assisted analytical workflows using SpyCloud's platform and tooling.

Requirements

  • Bachelor's degree in intelligence studies, computer science, cybersecurity, international relations, criminal justice, or a related field -- or five or more years of equivalent professional experience in lieu of a degree.
  • Active TS/SCI required.
  • Five or more years in an all-source, OSINT, or CAI analytical role within a government, defense, or IC-aligned environment.
  • Demonstrated experience supporting RFI pipelines and delivering analytical reports to operational or program stakeholders.
  • Prior experience delivering training or capability demonstrations to cleared analytical audiences.
  • Familiarity with adversary TTPs across one or more threat areas: cyber operations, foreign procurement, critical infrastructure, influence operations, or illicit finance.
  • Proficient in OSINT collection and CAI analysis: domain research, identity resolution, infrastructure mapping, and entity attribution.
  • Practical experience incorporating AI and large language models into analytical work, including prompt development and output validation.
  • Comfortable working with REST APIs and scripted data queries; Python preferred.
  • Familiarity with commercial investigative platforms and ability to adapt them to new data sources and mission requirements.
  • Familiarity with adversary analysis frameworks -- including MITRE ATT&CK, the Cyber Kill Chain, and the Diamond Model -- as contextual tools for structuring and communicating investigation findings.
  • Working knowledge of structured analytic techniques (SATs) for evaluating evidence, surfacing assumptions, and reducing analytical bias.
  • Writes clear, well-structured analytical reports: BLUF-first, properly sourced, readable by both analysts and senior leaders.
  • Confident briefing cleared program managers, unit leadership, or senior officials on investigation findings.
  • Organized and self-directed; able to manage concurrent workstreams without close supervision.

Nice To Haves

  • Foreign language proficiency in Russian, Mandarin, Farsi, Korean, or Spanish.
  • Experience with cryptocurrency tracing or illicit finance analysis.
  • Prior speaking engagements at intelligence or cybersecurity conferences or working groups.

Responsibilities

  • Conduct all-source investigations using breach data, malware-exfiltrated logs, OSINT, and commercially available information to attribute threat actors, map adversary infrastructure, and assess identity and credential exposure.
  • Respond to requests for information from government and program stakeholders, producing analytical reports and investigation packages on short timelines.
  • Analyze infostealer log files to extract credential exposure, behavioral indicators, and infrastructure intelligence relevant to ongoing analytical requirements.
  • Pivot across SpyCloud data using the Investigations Portal, API, and Python-based notebooks to develop leads and close attribution gaps.
  • Integrate large language models and AI tooling into investigative workflows -- building prompts, synthesizing multi-source data, and validating outputs against primary evidence.
  • Develop and document reusable analytical workflows, prompt libraries, and notebook-based processes that improve team throughput and consistency.
  • Stay current on emerging AI capabilities relevant to OSINT, CAI analysis, and analytical production.
  • Deliver product training and live capability demonstrations to cleared government personnel, tailoring content to the analytical mission and maturity of each audience.
  • Build scenario-based training materials and leave-behind products drawn from real investigation findings.
  • Support onboarding of new customers and users, helping them connect SpyCloud capabilities to their specific analytical requirements.
  • Track RFI fulfillment, investigative outcomes, and analyst credit usage, reporting results to SpyCloud leadership.
  • Represent SpyCloud at relevant community events, conferences, and working groups as needed.

Benefits

  • 401(k) with Employer Contribution
  • Health, Vision, and Dental Insurance
  • Health Savings Account (HSA) available with Employer Contribution
  • Employer Paid Life, Short-term, and Long-term Disability Insurance
  • Generous PTO Plan and 16 paid holidays per year
  • Retirement Savings Plan with Employer Contribution
  • Employer Provided Private Health Insurance and Healthcare Cashplan
  • Employer Paid Life Insurance and Income Replacement
  • Generous Holiday Plan and 14 paid holidays per year