SOC/Incident Report Engineer

Remote / Online - Candidates ideally in Chicago, Cook County, Illinois, 60290, USA
Listing for: Benesch
Remote/Work from Home position
Listed on 2026-05-10
Job specializations:
  • IT/Tech
    Cybersecurity, Security Manager
Salary/Wage Range or Industry Benchmark: 80,000 - 100,000 USD yearly
Job Description & How to Apply Below

SOC/Incident Report Engineer

Benesch is proud to announce the opening for a SOC/Incident Report Engineer in our Chicago office. This position is hybrid and offers work-from-home flexibility.

Position Summary

Are you excited about detecting and resolving cybersecurity threats and incidents? Do you find it a challenge to help an organization reduce threats and enhance their security? Does working with teams to develop strategies to improve detection capabilities interest you? This role is perfect for someone looking to play a crucial role in Benesch's security initiatives.

Position Responsibilities

Security Monitoring & Threat Detection
  • Monitors SIEM, EDR, NDR, and cloud-native security tools to identify suspicious activity and potential security incidents.
  • Creates, tunes, and optimizes detection rules, correlation logic, and analytic use cases.
  • Conducts threat hunting based on emerging TTPs, threat intel, and anomaly patterns.
  • Maintains and improves alerting fidelity to reduce false positives and enhance detection precision.
Incident Response & Triage
  • Performs initial triage of security alerts to assess severity, impact, and required response actions.
  • Leads full incident lifecycle activities including investigation, containment, eradication, recovery, and post‑incident analysis.
  • Coordinates with IT, cloud, and business teams to execute IR playbooks and minimize operational impact.
  • Documents incidents, findings, and lessons learned; contributes to after‑action reviews.
Digital Forensics & Malware Analysis
  • Conducts forensic acquisition and analysis of endpoints, servers, cloud resources, and network artifacts (disk, memory, logs).
  • Examines artifacts such as registry hives, event logs, file systems, network captures, browser history, and persistence mechanisms.
  • Performs malware triage (dynamic and static) to determine malware behavior, indicators of compromise, and propagation mechanisms.
  • Maintains chain‑of‑custody processes and ensures forensic data integrity for potential legal or compliance requirements.
Cloud Security & IR
  • Monitors and responds to security events within cloud environments (e.g., Azure, AWS, Google Cloud).
  • Investigates cloud‑native logs: Azure Activity Logs, AWS CloudTrail, GCP Audit Logs, identity events, network flows, and storage access.
  • Evaluates cloud security posture, identifying misconfigurations, risky access patterns, and drift.
  • Assists in development of cloud detection logic using native tooling (e.g., Azure Sentinel/Microsoft Defender XDR, AWS GuardDuty, GCP SCC).
Security Tooling & Automation
  • Maintains and enhances SOC tooling, dashboards, and automation workflows (SOAR).
  • Builds automated playbooks to speed up triage, enrichment, and response.
  • Integrates new data sources and improves log ingestion pipelines for SIEM/EDR.
Threat Intelligence & Research
  • Utilizes internal and external threat intelligence to contextualize alerts and strengthen detections.
  • Tracks adversary TTPs based on frameworks such as MITRE ATT&CK.
  • Researches emerging threats, vulnerabilities, and malware families.
Collaboration, Compliance & Reporting
  • Partners with governance, engineering, and IT teams to ensure effective remediation and long‑term control improvements.
  • Supports audit, compliance, and regulatory requirements related to incident management.
  • Prepares clear, concise technical and executive‑level reports.
Key Competencies
  • Analytical mindset with strong problem‑solving skills.
  • Ability to work under pressure during active incidents.
  • Excellent written and verbal communication skills.
  • Strong attention to detail and a commitment to continuous improvement.
Qualifications

The SOC/Incident Response (IR) Engineer should have 3–7 years of experience in a Security Operations Center (SOC), incident response, digital forensics, or a closely related cybersecurity discipline. A strong technical foundation in networking, operating system internals across Windows, Linux, and macOS, identity systems, and modern cloud architectures is essential. The role requires hands‑on experience with leading security technologies, including SIEM platforms such as Microsoft Sentinel or Splunk, endpoint detection and response (EDR) and antivirus tools…
