Cyber Incident Response Analyst SME

Description

This Department of War enterprise data and analytics program delivers mission‑critical capabilities that enable leaders across the Department to make faster, better‑informed decisions using trusted data dos Digital Modernization sector is seeking an experienced SME Cyber Incident Response Analyst to support the delivery, enhancement, and adoption of enterprise data and analytics products used across multiple DoD organizations.

• Monitor, detect, analyze, mitigate, and respond to cyber threats across the enterprise.
• Lead incident detection and response activities at the Trusted Internet Connection (TIC) and Policy Enforcement Point (PEP).
• Coordinate efforts through the enterprise incident tracking system and established communication channels.
• Provide expert investigative support for large‑scale and complex security incidents, including those lacking clear technical indicators.
• Work with cybersecurity, network, and operations teams to ensure timely containment, remediation, and reporting of all incidents.
• Implement and operate access management mechanisms to control user access to data, tools, and services, including automation of standard access requests and support for VIPs.
• Collect, analyze, and assess user and customer analytic data to inform system changes and improvements.
• Design, implement, and improve the customer experience with the User Support Desk, including automation of access requests and integration of modern tools.

• Top Secret with SCI eligibility security clearance
• Bachelor degree or higher from an accredited college or university OR Offerings listed in DoD 8140 Training Repository ORGCFA or GCIA
• Minimum of 12 years of experience in cybersecurity incident response.
• Strong knowledge of cybersecurity frameworks and standards (e.g., NIST, ISO).
• Proficiency in using cybersecurity tools and technologies for monitoring and incident response.
• Experience with network security monitoring, intrusion detection systems, and security information and event management (SIEM) tools.
• Excellent analytical and problem‑solving skills.
• Strong communication and coordination skills to work effectively with various teams.

• Active TS/SCI
• Master's degree in Cybersecurity or a related field.
• Certifications such as CISSP, CISM, CEH, or GIAC.
• Experience with cloud security and familiarity with AWS Gov Cloud/NIPRNet, SC2S AWS Secret Region Cloud for SIPRNet, and C2S AWS Cloud for JWICS environments.
• Knowledge of automation tools and techniques, including AI chatbots and Robotic Process Automation (RPA).
• Experience in designing and implementing disaster recovery and continuity of operations plans.
• Familiarity with customer relationship management and use case intake processes.

Pay Range $ - $

Pay and benefits are fundamental to any career decision. That's why we craft compensation packages that reflect the importance of the work we do for our customers. Employment benefits include competitive compensation, Health and Wellness programs, Income Protection, Paid Leave and Retirement. More details are available at

All qualified applicants will receive consideration for employment without regard to sex, race, ethnicity, age, national origin, citizenship, religion, physical or mental disability, medical condition, genetic information, pregnancy, family structure, marital status, ancestry, domestic partner status, sexual orientation, gender identity or expression, veteran or military status, or any other basis prohibited by law. Leidos will also consider for employment qualified applicants with criminal histories consistent with relevant laws.

If you have concerns about a potential scam, contact your local law enforcement and report the incident to the U.S. Federal Trade Commission. If you suspect fraudulent emails or requests, email

Original Posting:
March 30, 2026. For U.S. Positions:
While subject to change based on business needs, Leidos reasonably anticipates that this job requisition will remain open for at least 3 days with an anticipated close date of no earlier than 3 days after the original posting date as listed above.