Sr Incident Responder

Versant, Englewood Cliffs, NJ
Remote (posted 16h ago)

About The Position

The Senior Security Incident Response Analyst leads complex security investigations, drives automated response workflows, and works alongside a managed SOC to raise the quality and speed of day-to-day security operations. This is a senior individual contributor role: you will own the hardest cases, serve as the escalation point for investigations that go beyond standard triage, and build the automation and tooling that makes the entire operation more effective. Success requires independence — the ability to make sound decisions in ambiguous situations, operate without constant direction, and drive work forward in an environment that is still maturing. We are an automation-first team, and this role is central to that. You will work closely with SOAR and automation engineers to translate investigative insight into scalable response workflows — identifying inefficiencies, eliminating manual processes, and building the tools that reduce toil for the entire team. The right candidate cares deeply about investigative quality and is equally driven to automate, scale, and continuously improve how that work gets done. Strong judgment, a builder's mindset, and high-quality written communication are essential.

Requirements

  • 5+ years of hands-on incident response experience with direct investigation ownership — candidates should understand the difference between owning an investigation and working a SOC queue
  • Proven ability to operate independently: prioritize without direction, drive investigations to closure, and make sound judgment calls under ambiguity
  • Experience working alongside or managing an MSSP or managed SOC — comfortable defining what escalates, setting investigation standards, and serving as the technical authority on complex cases
  • Deep SIEM proficiency; able to write complex queries and correlate across heterogeneous log sources
  • Host forensics fluency across Windows, Linux, and macOS: process execution, persistence mechanisms, lateral movement artifacts, and platform-native log sources
  • Demonstrated automation experience — scripting languages, SOAR platforms, or both — applied to real investigative and detection workflows; this is a core expectation of the role, not a bonus
  • Strong written communication; case notes and summaries that hold up to peer review, legal scrutiny, and executive reading
  • Comfort operating in environments where tooling and processes are still maturing; able to build structure and make progress without waiting for perfect conditions

Nice To Haves

  • Cloud IR experience in AWS a plus.
  • Experience contributing to detection engineering, mentoring junior analysts, or working in multi-tenant or post-merger environments is a plus.

Responsibilities

  • Lead high-severity and complex investigations alongside the managed SOC — serving as the senior escalation point for cases that require deeper analysis, cross-platform pivoting, or containment decisions beyond standard playbook scope
  • Perform host-based triage and forensic analysis across Windows, Linux, and macOS, and conduct cloud-native IR across AWS and Azure — pivoting fluently between endpoint, identity, infrastructure, and network telemetry
  • Integrate threat intelligence into active investigations and operationalize it proactively — use adversary TTPs, IOC context, and external monitoring to sharpen scope, accelerate attribution, and surface threats before they become incidents
  • Make and execute containment decisions — account disabling, host isolation, infrastructure blocking — and drive those actions through coordination with relevant teams
  • Partner with SOAR and automation engineers to design and build automated response workflows — translate what you learn in investigations into playbooks, enrichment pipelines, and containment automations the SOC can execute at scale
  • Identify repetitive investigative tasks and own their elimination — write the scripts, build the integrations, and design the workflow tools that reduce toil for the entire team
  • Define what automated response should look like for specific threat categories; work with engineering to implement it and validate that it holds up against how investigations actually unfold
  • Contribute detection logic informed by investigation findings — close the loop between what you observe in cases and what the team catches next time
  • Calibrate the SOC's triage thresholds and escalation criteria; raise the floor on case documentation quality through direct review and feedback
  • Produce case notes, post-incident summaries, and leadership briefs that are reproducible, defensible, and readable by a non-technical audience

Benefits

  • This position is eligible for company sponsored benefits, including medical, dental and vision insurance, 401(k), paid leave, tuition reimbursement, and a variety of other discounts and perks.

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Education Level

No Education Listed

Number of Employees

1-10 employees

© 2024 Teal Labs, Inc