Principal Lead Analyst, Detection & Response Team (DART)

Corebridge Financial, Jersey City, NJ
Hybrid

About The Position

As the Principal Lead Analyst of DART, you are the ultimate technical authority for cyber defense and incident response. This is a high-impact leadership role that combines elite-level technical expertise with strategic vision. You will oversee the most complex security breaches, drive the evolution of our threat-hunting program, and mentor the next generation of responders. You are responsible for ensuring that the organization is not just "ready" for a crisis, but resilient enough to withstand one. This role partners closely with Cyber Intelligence, Defense and Response, Application Security, and Cyber Resilience teams, and supports incident response efforts as an expert resource on adversarial capabilities.

Requirements

  • 8+ years in Cybersecurity, with at least 5 years in a dedicated Incident Response or DFIR role.
  • Proven experience leading response efforts for a large-scale enterprise or a top-tier IR firm (e.g., Mandiant, CrowdStrike).
  • Solid understanding of deep-system forensics (Memory, Disk, Network) and specialized experience in Cloud IR (Azure/AWS/O365).
  • Deep familiarity with enterprise forensic platforms (Nuix, Magnet AXIOM, EnCase) and the ability to guide L2 analysts in their usage.
  • Expert-level understanding of TTPs (Tactics, Techniques, and Procedures) used by both state-sponsored and financially motivated (Ransomware) threat actors.
  • High proficiency in automation (Python, PowerShell) to build custom response scripts or API integrations between security tools.
  • The ability to make $1M+ decisions (e.g., "Shut down this data center now") with limited information during a live attack.
  • Skill in navigating the complexities of a large organization, working with Legal, Privacy, and Human Resources during sensitive internal investigations.
  • Unwavering composure during high-stress, 24/7 incident cycles.

Nice To Haves

  • Advanced SANS: GCFA (Forensics)
  • Advanced SANS: GNFA (Network Forensics)
  • Advanced SANS: GREM (Reverse Engineering Malware)
  • Advanced SANS: GXPN (Exploit Researcher)
  • Leadership: CISSP-ISSMP (Management)
  • Leadership: GCIH (Incident Handler)

Responsibilities

  • Serve as the primary Incident Commander for all Tier 3/Critical-level events.
  • Direct the technical response across all workstreams (Forensics, Network, Cloud, Legal, and PR).
  • Act as the technical voice for executive leadership.
  • Translate complex exploit chains and technical risks into business-impact narratives for the C-Suite and Board of Directors.
  • Lead "Purple Team" exercises to test DART’s readiness against specific APT (Advanced Persistent Threat) groups and real-world attack scenarios.
  • Design and oversee the organization’s long-term threat-hunting roadmap, ensuring coverage across the MITRE ATT&CK framework for Cloud (Azure/AWS), Identity, and On-Prem infrastructure.
  • Collaborate with engineering teams to ensure that hunt findings are converted into high-fidelity, automated detections and SOAR (Security Orchestration, Automation, and Response) workflows.
  • Direct the consumption of tactical and strategic Threat Intelligence to proactively "harden" the environment before a known threat actor targets the industry.
  • Elevate the entire SOC/DART capability by providing technical mentorship to L1 and L2 analysts.
  • Responsible for the technical "QA" of the team’s investigative output.
  • Evaluate and select next-generation forensic and response technologies.
  • Drive the business case for new security investments.
  • Lead the "Lessons Learned" process for major incidents, ensuring that root causes result in fundamental shifts in the enterprise security posture.

Benefits

  • A range of medical, dental and vision insurance plans
  • Mental health support and wellness initiatives
  • Retirement benefits options, which vary by location
  • Competitive 401(k) Plan offers a generous dollar-for-dollar Company matching contribution of up to 6% of eligible pay and a Company contribution equal to 3% of eligible pay (subject to annual IRS limits and Plan terms)
  • Company contributions vest immediately
  • Confidential counseling services and resources are available to all employees
  • Corebridge matches donations to tax-exempt organizations 1:1, up to $5,000
  • Employees may use up to 16 volunteer hours annually to support activities that enhance and serve communities where employees live and work
  • Eligible employees start off with at least 24 Paid Time Off (PTO) days so they can take time off for themselves and their families when they need it


What This Job Offers

Job Type

Full-time

Career Level

Principal

Education Level

No Education Listed

Number of Employees

1,001-5,000 employees

© 2024 Teal Labs, Inc