Cybersecurity Incident Response Analyst II
Listed on 2026-07-06
-
IT/Tech
Cybersecurity
Applicant must be a U.S. Person (for example, a U.S. citizen or lawful permanent resident / green card holder) eligible to access Controlled Unclassified Information (CUI)
Applicant must be a U.S. Person (for example, a U.S. citizen or lawful permanent resident / green card holder) eligible to access Controlled Unclassified Information (CUI).
Job SummaryWe are seeking a hands‑on Cyber Incident Response Analyst to join a steadily maturing incident response program. In this role, you will be part of a global team operating in a follow‑the‑sun model across regions, supporting incident response through coordinated handoffs. The team operates on the Crowd Strike platform across EDR, NG‑SIEM, SOAR, case management, and Charlotte AI, working closely with an externally managed SOC to support escalated investigations.
As we continue integrating AI capabilities into the platform, lower‑level triage work is handled automatically, allowing analysts to focus on deeper investigation, threat hunting, reporting, and improving how incidents are detected and handled.
Incident Investigation: Investigates and responds to escalated cybersecurity incidents, including validation, scoping, containment, and recovery, while determining root cause, scope, and business impact.
Threat Analysis and Correlation: Analyzes activity across endpoint, network, cloud, and identity systems and correlates data across EDR, SIEM, and other telemetry sources to understand attacker behavior.
SOC Escalation Support: Serves as an escalation point for SOC analysts by guiding investigations, improving triage quality, and helping ensure consistency in analysis.
Threat Hunting: Performs proactive threat hunting using structured queries, threat intelligence, and observed activity to identify suspicious behavior beyond alert‑driven detection.
Detection and Response Improvement: Identifies detection gaps and contributes to improving detections, use cases, workflows, and overall response quality.
Documentation and Reporting: Maintains incident response playbooks, procedures, and investigation documentation, and develops clear incident reports and executive summaries for both technical and non-technical audiences.
Incident Coordination: Takes ownership of investigative work streams during complex incidents and, when needed, assumes the role of incident commander until relieved by senior staff.
Post‑Incident Review: Participates in post‑incident reviews and contributes to applying lessons learned to improve future detection and response.
Other duties as assigned
Investigation Depth: Demonstrates the ability to perform full investigations, including scoping, timeline reconstruction, root cause identification, and impact assessment.
Tool Proficiency: Experience operating within EDR and SIEM platforms and using multiple telemetry sources to conduct investigations.
Crowd Strike
Experience:
Hands‑on experience with the Crowd Strike Falcon platform (EDR, NG‑SIEM, Fusion, or related modules) and familiarity with Falcon Query Language or Log Scale is strongly preferred.Threat Hunting Capability: Experience performing proactive threat hunting and identifying activity outside of alert‑driven workflows.
Multi‑Source Correlation: Ability to correlate activity across endpoint, identity, network, and cloud systems without relying on a single tool.
Framework Awareness: Familiarity with MITRE ATT&CK and structured incident response practices aligned to frameworks such as NIST 800‑61 Rev. 3.
Process Improvement Mindset: Experience improving detections, playbooks, or response workflows based on investigation findings and recurring patterns.
Incident Ownership: Demonstrates the ability to take ownership during incidents and contribute to coordination or leadership of response activities.
Communication: Strong written and verbal communication skills, including the ability to clearly explain what is happening, what it means, and what needs to happen next during active incidents.
Collaboration: Ability to work effectively with SOC, engineering, infrastructure, and security teams to investigate and remediate threats.
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).