Cyber Defense Operations Researcher Security Clearance

Position: Cyber Defense Operations Researcher with Security Clearance
Working at NREL
NREL is located at the foothills of the Rocky Mountains in Golden, Colorado is the nation's primary laboratory for energy systems research and development.
Join NREL, where world-class scientists, engineers, and experts are accelerating energy innovation through breakthrough research and systems integration. From our mission to our collaborative culture, NREL stands out in the research community for its commitment to an affordable and secure energy future. Spanning foundational science to applied systems engineering and analysis, we focus on solving complex challenges to deliver advanced, secure, reliable, and cost-effective energy solutions.

Our work helps strengthen U.S. industries, support job creation, and promote national economic growth.
At NREL, you’ll find a mission-driven environment supported by state-of-the-art facilities, multidisciplinary research teams, and strong collaborations with industry, academia, and other national laboratories. We offer robust professional development opportunities, and a competitive benefits package designed to support your career and well-being.

Job Description
This position is located in Colorado and requires the selected candidate to reside in Colorado. A hybrid work schedule is required, with regular weekly onsite presence. Relocation benefits are available.
NREL is seeking a mid-career cyber defense operations researcher to join its Cybersecurity Research Center (CRC). The CRC conducts applied research at the intersection of cybersecurity, energy systems, and national resilience—developing the tools, methods, and scientific foundations necessary to secure and sustain the nation’s evolving energy infrastructure. CRC research spans incident response (IR) and threat detection, operational technology (OT) risk analysis, cyber-physical resilience testing, malware and artifact analysis, and defense science.

Working across NREL’s energy, grid, and systems integration missions, the CRC leverages unique laboratory assets—including the ARIES Cyber Range—to conduct high-fidelity cyber defense exercises and modeling that integrate Information Technology (IT), OT, and hybrid energy system architectures. We are seeking a technically strong and research-focused professional to advance incident response science, detection engineering, and defensive experimentation. The successful candidate will possess hands-on experience responding to cyber incidents, conducting forensic analysis, and translating findings into improved detection logic, playbooks, and system-level resilience strategies.

Key Research Responsibilities:
Researcher IV
• Lead incident-response and detection research strategy, shaping experiment design, modeling approach, and scientific rigor.
• Architect and direct incident-response exercises spanning IT/OT/cyber-physical environments; develop crisis-response workflows.
• Design, validate, and operationalize advanced detection engineering solutions, drive automation strategy.
• Extend cybersecurity frameworks to produce new research methodologies and defense evaluation techniques.
• Lead forensic investigations; produce reproducible analysis packages suitable for publication/Department of Energy (DOE) deliverables.
• Translate research outcomes into resilience strategies, quantitative performance metrics, and sponsor-ready deliverables.
• Lead proposal development and serve as primary/lead author on technical publications or conference presentations.
• Build and lead cross-functional research teams; set objectives, track deliverables, manage schedules, and brief leadership.
• Guide the development of defensible architecture and automated incident response exercise pipelines in the cyber range.
• Provide sustained mentorship to junior researchers, act as a technical resource and role model within the laboratory. Researcher III
• Conduct cyber range experimentation to support incident response and detection research (malware/log analysis, defensive modeling).
• Execute incident-response exercises (live-fire, playbook testing, crisis workflows) with guidance from senior staff.
• Develop and refine detection artifacts (Security Information…