SOC CTIC Lead - SME

About The Position

Requirements

• U.S. Citizenship is required
• Security Clearance: Secret Eligible
• Required Certifications: DCWF Work Role 531-Cyber Defense Incident Responder — Intermediate proficiency; must hold ONE OR MORE of the following: CEH(P), ECIH, GRID, RCCE Level 1, CBROPS, CCSP, CEH, Cloud+, FITSP-O, GCED, GCIH, GSEC, PenTest+, Security+
• 7+ years of experience in cybersecurity
• Bachelors degree or higher in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, or Software Engineering
• Demonstrated experience performing evidence collection, forensic acquisition, and analysis of host and network artifacts during cyber incident investigations.
• Experience supporting malware triage, technical root-cause analysis, containment actions, and recovery validation in operational cybersecurity environments.
• Ability to produce complete, accurate, and timely incident documentation, technical findings, and after-action reporting aligned to continuous monitoring and cybersecurity operations requirements.
• Experience working within enterprise cybersecurity operations supporting incident escalation, case management, and coordination across analysts, responders, engineers, and service owners.
• Familiarity with cybersecurity monitoring and analysis environments using technologies and data sources referenced in ENOCS operations, including USIEM, EDR, IDS/IPS, and related security telemetry.
• Experience supporting investigations and reporting in environments governed by DoD and ARNG cybersecurity policy, including classified and unclassified operational contexts.
• Ability to analyze security events and artifacts to determine incident scope, affected assets, and recommended response actions across large enterprise environments.
• Experience contributing to lessons learned, remediation follow-up, and continuous improvement activities after cyber incident response actions.

Responsibilities

• Conduct cyber incident response investigations through evidence collection, forensic acquisition, and analysis of host and network artifacts in support of ARNG defensive cyberspace operations.
• Perform malware triage and root-cause analysis to determine incident scope, identify affected systems, and support containment and recovery actions.
• Document investigative actions, technical findings, and incident outcomes in incident tracking and case management systems to support reporting, governance, and after-action requirements.
• Support recovery validation by verifying remediation actions, confirming restoration status, and helping ensure incidents are fully resolved before closure.
• Coordinate incident handling activities with SOC Tier 2 personnel, CIRT, watch officers, problem and change processes, and other cybersecurity operations stakeholders as required.
• Leverage security data and enterprise monitoring outputs from environments such as USIEM, EDR, IDS/IPS, and related analytics to support investigation, correlation, and incident determination.
• Apply MITRE ATT&CK-informed analysis and available telemetry such as Sysmon and Zeek metadata to help identify adversary tactics, techniques, and procedures and improve incident understanding.
• Support coordination and reporting associated with incidents affecting ARNG classified and unclassified enclaves, including environments tied to SIPRNet operations and broader DoDIN-A(NG) mission support.
• Assist with post-incident reporting and lessons learned documentation to strengthen continuous monitoring, improve defensive measures, and inform follow-on cyber defense activities.
• Coordinate, as needed, with external mission partners and cyber organizations identified in ENOCS operations, including the NETCOM Global Cyber Center and DISA DCDC, in accordance with incident handling procedures.