Senior Incident Response Analyst
Caerphilly, Caerphilly County, CF83, Wales, UK
Listed on 2026-05-30
IT/Tech
Cybersecurity
About the Role
Coalition Incident Response (CIR) UK is hiring a Senior DFIR Analyst to lead digital forensics and incident response investigations for policyholders facing active cyber incidents. In this role, you will investigate threats such as business email compromise, ransomware, data theft, and web compromise, helping organizations move from uncertainty to clear, defensible next steps. You will work closely with the UK IR Lead and cross‑functional partners across Claims, MDR, security engineering, and external counsel to deliver high‑quality incident response in the UK and across Coalition's global coverage model.
Responsibilities
- Lead digital forensics and incident response investigations from initial scoping through recovery, reporting, and case closure.
- Analyze cloud, email, endpoint, network, and web artifacts to reconstruct attacker activity and determine scope and impact.
- Produce clear forensic reports and present findings to insureds, counsel, brokers, and internal stakeholders.
- Coordinate response efforts with cross‑functional partners, including CIR, Claims, MDR, security engineering, and external vendors.
- Improve CIR UK playbooks, operating procedures, and proactive services such as tabletop exercises.
- Support follow‑the‑sun response coverage by contributing to North American and Australian cases during UK business hours.
- You have substantial hands‑on DFIR experience and can independently lead investigations with sound judgment and clear ownership.
- You bring strong Windows and Linux forensics skills, with the ability to collect, analyze, and explain evidence in a defensible way.
- You have deep experience investigating Microsoft 365, email compromise, and cloud‑based attack activity.
- You can analyze logs and telemetry across networks, perimeter technologies, EDR platforms, and other security tools to build accurate incident timelines.
- You are comfortable communicating with both technical and non‑technical audiences, including presenting findings and recommendations clearly under pressure.
- You work effectively across teams and know how to partner with internal stakeholders, external counsel, vendors, and customers during fast‑moving incidents.
- You can balance investigative depth with practical business needs, helping organizations make informed decisions during high‑stress situations.
- You are motivated by building repeatable processes, sharing lessons learned, and improving how incident response is delivered over time.
- Experience with macOS forensics.
- Experience with website forensics, especially WordPress or similar platforms.
- Familiarity with forensic investigations in AWS, Google Cloud, or other major cloud environments.
- Understanding of UK privacy or regulatory considerations and how they affect incident response decision‑making.
- Experience with scripting or automation to improve forensic workflows and operational efficiency.
- 100% medical coverage, including outpatient care
- Life insurance
- 25+ paid holidays
- Annual home office stipend
- 7% employer pension contribution
- Mental and physical health wellness programmes like Headspace, Wellhub
- Competitive compensation and opportunity for advancement
Coalition is proud to be an Equal Opportunity employer. Our policy is to provide equal employment opportunities to all individuals, without discrimination or harassment on the basis of any characteristic protected by applicable laws in each country where we operate. This commitment includes, but is not limited to, ensuring equal treatment in recruitment, selection, training, promotion, transfer, compensation, and all other aspects of employment.
Coalition does not tolerate discrimination or harassment of any kind, and we are dedicated to fostering an inclusive and supportive workplace.