SOC/Incident Report Engineer
Chicago, Cook County, Illinois, 60290, USA
Listed on 2026-04-17
IT/Tech
Cybersecurity, Security Manager
Who We Are
At Benesch we pride ourselves on exceeding expectations and building trust not only with our clients but with our employees - Benesch's #1 asset. Committed to providing the highest level of legal service to our clients, Benesch also aspires to create a positive work environment for our employees. Our Firm continues to earn placement on Chicago and Cleveland's Top Workplaces list, along with Cleveland's North Coast 99 Top Workplaces rankings.
We also continue to advance on the AmLaw 150 list, placing us among the top 150 law firms in the country.
We are one of the fastest growing firms in the nation, with offices in Chicago, Columbus, San Francisco, New York City, and Wilmington. We continue to expand our geographic footprint and value the talent that comprises each of our locations. If you are someone who champions a First in Service approach and are ready to be part of an exciting and growing Firm, we would invite you to apply to join our team.
Benesch is proud to announce the opening for a SOC/Incident Report Engineer in our Chicago office! This position is hybrid and has work from home flexibility.
Are you excited about detecting and resolving cybersecurity threats and incidents? Do you find it a challenge to help an organization reduce threats and enhance their security? Does working with teams to develop strategies to improve detection capabilities interest you? Then you may be interested in our SOC/Incident Report Engineer position.
The SOC/Incident Response Engineer is responsible for detecting, investigating, and responding to cybersecurity incidents across the Firm. This role combines threat detection, digital forensics, malware triage, and cloud security expertise to protect organizational assets, reduce risk, and strengthen security posture. The SOC/Incident Response Engineer will operate within a 24/7 security operations environment, collaborating with cross-functional teams to analyze threats, develop response strategies, and improve detection capabilities.
Responsibilities
Security Monitoring & Threat Detection
- Monitors SIEM, EDR, NDR, and cloud-native security tools to identify suspicious activity and potential security incidents.
- Creates, tunes, and optimizes detection rules, correlation logic, and analytic use cases.
- Conducts threat hunting based on emerging TTPs, threat intel, and anomaly patterns.
- Maintains and improves alerting fidelity to reduce false positives and enhance detection precision.
- Performs initial triage of security alerts to assess severity, impact, and required response actions.
- Leads full incident lifecycle activities including investigation, containment, eradication, recovery, and post‑incident analysis.
- Coordinates with IT, cloud, and business teams to execute IR playbooks and minimize operational impact.
- Documents incidents, findings, and lessons learned; contributes to after‑action reviews.
- Conducts forensic acquisition and analysis of endpoints, servers, cloud resources, and network artifacts (disk, memory, logs).
- Examines artifacts such as registry hives, event logs, file systems, network captures, browser history, and persistence mechanisms.
- Performs malware triage (dynamic and static) to determine malware behavior, indicators of compromise, and propagation mechanisms.
- Maintains chain‑of‑custody processes and ensures forensic data integrity for potential legal or compliance requirements.
- Monitors and responds to security events within cloud environments (e.g., Azure, AWS, Google Cloud).
- Investigates cloud-native logs: Azure Activity Logs, AWS CloudTrail, GCP Audit Logs, identity events, network flows, and storage access.
- Evaluates cloud security posture, identifying misconfigurations, risky access patterns, and drift.
- Assists in development of cloud detection logic using native tooling (e.g., Azure Sentinel/Microsoft Defender XDR, AWS GuardDuty, GCP SCC).
- Maintains and enhances SOC tooling, dashboards, and automation workflows…