Lead Security Analyst, Cloud & Endpoint Incident Response

About The Position

Requirements

• Strong understanding of software engineering fundamentals, including code structure, build systems, dependencies, and package ecosystems—enabling effective partnership with Engineering teams.
• Understanding of CI/CD pipelines and DevOps workflows, enabling collaboration with Infrastructure and DevOps teams.
• Solid knowledge of cloud architecture, especially Amazon Web Services (AWS) services used in modern cloud-native deployments.
• Hands-on experience responding to AWS security incidents, including investigation and containment actions.
• Familiarity with SaaS architectures, identity systems, and integration patterns for effective collaboration with Cloud Security teams.
• Proven experience leading complex security incidents across cloud and endpoint environments.
• Strong understanding of identity and access concepts (IAM roles, federation, OAuth, privilege escalation patterns).
• Experience using a SIEM for investigations and detection development (Splunk preferred).
• Comfortable scripting or automating in Python to accelerate investigations and response workflows.
• Strong Linux investigation skills; solid working knowledge of macOS and Windows.

Nice To Haves

• Experience operating in multi-account AWS environments and building practical IR workflows for scale (centralized logging, access patterns, guardrails).
• Familiarity with AWS security services beyond core telemetry (e.g., Security Hub, Detective, Config, Macie).
• Familiarity with Kubernetes, containers, serverless infrastructure, or modern distributed systems.
• SOAR experience building reliable, auditable automations and response workflows.

Responsibilities

• Track emerging threats (active exploitation, 0-days, vendor advisories, high-risk CVEs) and quickly assess relevance to our AWS environment and endpoints.
• Triage external and internal inputs (customer-reported issues, bug bounty reports, security research, escalations) and drive them through validation, investigation, and mitigation when risk is confirmed.
• Translate threat intelligence into practical actions: containment guidance, detection updates, and prioritized remediation.
• Lead and execute high-severity security incidents across AWS, endpoints, identity, and SaaS environments.
• Drive incidents from initial signal through scoping, containment, eradication, recovery, and post-incident review.
• Reconstruct attacker activity by correlating AWS and endpoint evidence to determine initial access, persistence, privilege escalation, lateral movement, and impact.
• Produce clear incident documentation (timelines, findings, evidence, and actionable recommendations) for both technical and non-technical stakeholders.
• Investigate AWS incidents including IAM abuse, credential compromise, control-plane attacks, persistence mechanisms, and lateral movement.
• Use AWS telemetry to scope and confirm activity, including CloudTrail, CloudWatch Logs, VPC Flow Logs, IAM, and GuardDuty.
• Lead investigations involving common AWS compromise patterns
• Execute containment actions across cloud surfaces, including credential/session revocation, policy/role changes, resource quarantine, and access tightening, balancing speed with service impact.
• Identify visibility and telemetry gaps and work with engineering teams to close them (logging coverage, retention, alerting, access model for incident response).
• Improve detection coverage across AWS and endpoint environments by validating detections against real-world attack scenarios and incident learnings.
• Partner with detection engineering to test and deploy new detections, tune noisy detections, and strengthen investigation context.
• Build and maintain investigation and response automation using SOAR tools and scripting.
• Develop and evolve AWS and endpoint incident response playbooks and ensure they’re usable under pressure.
• Partner with Engineering, SRE, and IT to implement mitigations, including infrastructure configuration changes and application-level fixes when needed.
• Track corrective actions to completion and ensure incident learnings translate into durable prevention (not just documentation).