SOC CIRT Team Lead - SME

ECS Tech Inc, Fairfax, VA

About The Position

ECS is seeking a SOC CIRT Team Lead - SME to support the Army National Guard (ARNG) Enterprise Network Operations and Cybersecurity Support (ENOCS) program. This position supports Task 3 — Cybersecurity Operations Support — by leading cyber incident response activities across the ARNG enterprise and directing investigation, containment, eradication, recovery, reporting, and post-incident analysis.

The SOC CIRT Team Lead serves as a senior response lead within ENOCS’ broader cybersecurity operations construct, coordinating with SOC monitoring and analysis personnel, forensic and malware analysts, engineers, and compliance/RMF teams to strengthen Defensive Cyberspace Operations – Internal Defensive Measures (DCO-IDM) outcomes across the DoDIN-Army-NG area of responsibility.

This role directly supports a mission environment delivering DoDIN services to more than 120,000 users and approximately 141,000 endpoints across roughly 2,800 sites in 54 states and territories, including support to Title 10 and Title 32 missions, mobilization readiness, domestic emergency response, and classified SIPRNet operations. The SOC CIRT Team Lead operates within a technical environment that includes 24x7x365 SOC operations, Unified Security Information & Event Management (USIEM) analytics, EDR, SOAR, IDS/IPS event integration, DLP/C2C analytics, and coordination with NETCOM Global Cyber Center, DISA DCDC, ARCYBER, USCYBERCOM, RCCs, and other mission stakeholders to ensure timely incident response and continuous improvement of ARNG cyber defenses.

Please Note: This position is contingent upon contract award.

Requirements

  • U.S. Citizenship is required
  • Security Clearance: Secret Eligible
  • Required Certifications: DCWF Work Role 531-Cyber Defense Incident Responder — Advanced proficiency; must hold ONE OR MORE of the following: CFR, CySA+, GCFA, GCIA, GICSP
  • 12+ years of experience in cybersecurity
  • Master's degree or higher in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, or Software Engineering
  • Demonstrated ability to lead cyber incident response activities spanning investigation, containment, eradication, and recovery.
  • Experience managing incident communications, escalation actions, and required reporting through all phases of the response lifecycle.
  • Experience coordinating forensic analysis and malware analysis activities to support incident scoping, evidence development, and remediation.
  • Ability to produce complete incident documentation, after-action reporting, and lessons-learned artifacts that inform continuous improvement.
  • Experience operating in a 24x7x365 SOC and cyber defense environment supporting enterprise-scale monitoring and response operations.
  • Familiarity with continuous monitoring requirements and maintaining documentation aligned to DoD and ARNG cybersecurity policy.
  • Experience working with enterprise security analytics and response capabilities such as SIEM, EDR, IDS/IPS, and related case management workflows.
  • Ability to coordinate effectively with cyber operations stakeholders, engineers, watch personnel, and leadership across a distributed enterprise environment.

Responsibilities

  • Lead cyber incident response activities by directing investigation, containment, eradication, and recovery actions for security events affecting ARNG classified and unclassified network environments.
  • Coordinate Cyber Incident Response Team activities with SOC monitoring and analysis functions to ensure incidents are properly triaged, escalated, documented, and resolved in accordance with ARNG and DoD cybersecurity policy.
  • Manage forensic and malware analysis efforts to determine incident scope, identify adversary tactics, techniques, and procedures, and support effective remediation and recovery actions.
  • Oversee incident communications and escalation, ensuring timely coordination with internal stakeholders and external organizations as required by severity, mission impact, and reporting criteria.
  • Produce incident reports, after-action reviews, and lessons-learned artifacts that improve detection engineering, response procedures, and continuous monitoring across the ENOCS cyber operations mission set.
  • Coordinate with NETCOM Global Cyber Center, DISA DCDC, ARCYBER, USCYBERCOM, and regional RCC stakeholders, as applicable, to support incident analysis, notification, and remediation activities across the DoDIN-Army-NG AOR.
  • Leverage operational data from USIEM, EDR, IDS/IPS, and related analytics sources to support incident scoping, response decision-making, and post-incident defensive improvements.
  • Ensure required documentation and reporting are completed in support of Task 3 deliverables for cyber incident response and digital media analysis, while maintaining alignment with continuous monitoring and RMF-related evidence needs.
  • Support the refinement of response playbooks, escalation procedures, and threat-informed defensive processes to improve the speed and quality of ARNG incident response operations.