Senior Cyber Incident Responder

Gainwell Technologies LLC

1d•Remote

About The Position

Be part of a team that unleashes the power of leading-edge technologies to help improve the health and well-being of those most vulnerable in our country and communities. Working at Gainwell carries its rewards. You’ll have an incredible opportunity to grow your career in a company that values work flexibility, learning, and career development. You’ll add to your technical credentials and certifications while enjoying a generous, flexible vacation policy and educational assistance. We also have comprehensive leadership and technical development academies to help build your skills and capabilities. SummaryThe Senior Cyber Incident Responder is a senior-level, hands-on responder responsible for leading and executing incident response activities. This role investigates security alerts and confirmed incidents, performs rapid triage and containment, drives eradication and recovery actions, and produces high-quality incident documentation suitable for technical, executive, and regulatory audiences. This position requires strong technical depth across endpoint, network, and identity-focused incidents, expert-level analytical skills, and the ability to coordinate responders and stakeholders under time pressure. The Senior Cyber Incident Responder works closely with the SOC, Vulnerability Management, Threat Intelligence, IT Operations, and engineering teams to reduce dwell time, prevent recurrence, and continuously improve detection and response capabilities.Your role in our mission

Requirements

7–10+ years of overall IT/security experience, including 4–6+ years in incident response, SOC, threat hunting, or security operations.
Demonstrated experience leading investigations across common incident types (credential theft, malware/ransomware, web exploitation, data exposure, cloud/identity abuse).
Strong working knowledge of: Enterprise logging and detection (e.g., Splunk or similar SIEM) Incident workflow/case management (e.g., ServiceNow or comparable platforms) Identity and access patterns (AD/Azure AD concepts, authentication logs, privilege pathways) Network security fundamentals (firewalls, proxies, segmentation, VPN access patterns)
Proven ability to analyze log sources and security telemetry to reconstruct attack paths and identify blast radius.
Working knowledge of industry frameworks and standards such as NIST 800-61 (Incident Response), MITRE ATT&CK, and common secure operations practices.
Strong written and verbal communication skills, including executive-ready incident summaries and technically detailed incident reports.
Ability to participate in an on-call rotation and respond effectively during high-severity events.

Responsibilities

Lead investigations from initial alert through closure, including validation, scoping, evidence collection, and root cause analysis.
Act as an incident lead for medium-to-high severity events by coordinating technical responders, maintaining timelines, and driving decisions to completion.
Execute rapid containment actions in partnership with IT and security engineering teams (e.g., isolate endpoints, disable accounts, block IOCs, segment network access, revoke tokens).
Drive eradication plans to remove persistence mechanisms, remediate compromised systems, and validate successful cleanup.
Collect and preserve evidence in a defensible manner (logs, endpoint artifacts, memory/disk captures where appropriate, authentication records, network telemetry).
Analyze endpoint and network indicators to determine initial access vector, lateral movement, privilege escalation, and data access/exfiltration risk.
Integrate threat intelligence (e.g., commercial feeds and OSINT) to enrich investigations with context on active exploitation and adversary tradecraft.
Produce and operationalize IOCs and detection logic based on observed activity and intelligence-driven hypotheses.
Translate incident learnings into durable improvements: detection rules, correlation searches, SIEM content, alert tuning, and response playbooks.
Partner with Vulnerability Management and engineering teams when incidents are linked to exploitable vulnerabilities or misconfigurations (e.g., prioritizing patching/hardening actions).