Principal Consultant, Cloud DFIR (Unit 42)
About The Position
The Principal Consultant, Cloud DFIR, Reactive Services is a senior individual contributor within Unit 42 responsible for leading cloud-focused incident response and digital forensics investigations across AWS, Azure, GCP, and hybrid enterprise environments. In this role, you will serve as a technical lead on active incidents, partnering with Consulting Directors and clients to investigate security breaches, determine scope and impact, contain threats, and guide recovery efforts. You will perform advanced cloud forensic analysis, identify attacker activity, and provide actionable remediation recommendations during high-severity cybersecurity events. This role is remote, but distance is no barrier to impact. Our hybrid teams collaborate across geographies to solve big problems, stay close to our customers, and grow together. You will be part of a culture that values trust, accountability, and shared success where your work truly matters.
Requirements
- 6–8+ years of experience in DFIR, incident response, cloud security, or related cybersecurity disciplines.
- 3+ years of hands-on experience securing, operating, or investigating AWS, Azure, or GCP environments.
- Experience leading investigations involving cloud breaches, ransomware, advanced intrusions, or data compromise incidents.
- Strong understanding of cloud architecture, IAM, networking, logging, and security controls.
- Experience analyzing cloud-native telemetry such as AWS CloudTrail, Azure Activity Logs, Microsoft Entra ID, or Google Cloud Audit Logs.
- Hands-on experience with industry-standard DFIR and investigative tools.
- Experience investigating Windows, Linux, macOS, cloud workloads, and hybrid environments.
- Strong client-facing communication and consulting skills.
Nice To Haves
- Experience responding to enterprise-scale cloud security incidents.
- Knowledge of cloud security platforms such as AWS Security Hub, GuardDuty, Microsoft Defender, Sentinel, or Google Security Command Center.
- Experience investigating containerized or Kubernetes environments.
- Knowledge of MITRE ATT&CK and modern cloud threat actor tradecraft.
- Consulting, MDR, or professional services experience.
- Certifications such as GCFA, GCIH, CISSP, AWS Security Specialty, Azure Security Engineer, or equivalent.
- Ability to travel up to 20% as required for client engagements.
Responsibilities
- Lead cloud-focused incident response and digital forensics engagements.
- Investigate attacks involving cloud infrastructure, identity compromise, ransomware, data theft, and unauthorized access.
- Analyze cloud telemetry, including audit logs, IAM activity, network traffic, storage access, containers, and endpoint data.
- Conduct forensic acquisition and analysis across cloud, hybrid, and enterprise environments.
- Serve as a technical lead during active investigations, guiding strategy and client communications.
- Deliver clear findings, executive-ready reporting, and remediation guidance.
- Support development of cloud investigation methodologies, playbooks, and tooling.
- Mentor team members and contribute to knowledge sharing across Unit 42.
Benefits
- A description of our employee benefits may be found here.
Stand Out From the Crowd
Upload your resume and get instant feedback on how well it matches this job.
What This Job Offers
Job Type
Full-time
Career Level
Senior
Education Level
No Education Listed
