
Cybersecurity Incident Response Lead

Job in Alexandria, Fairfax County, Virginia, 22350, USA
Listing for: Cherokee Federal
Full Time position
Listed on 2026-01-17
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Cybersecurity Incident Response Lead

This position requires an active Public Trust clearance to be considered.

A government contract requires that this position be restricted to U.S. citizens or legal permanent residents. You must provide documentation that you are a U.S. citizen or legal permanent resident to qualify.

The Incident Response (IR) Team Lead will own cyber incident preparedness, detection, triage, containment, eradication, and recovery across mission-critical environments. This role leads a multidisciplinary incident response function and partners closely with SOC, threat intelligence, forensics, legal, and business stakeholders to protect operations and reduce cyber risk.

Compensation & Benefits

Estimated Starting Salary Range for Cybersecurity Incident Response Lead: [Enter$]

Pay commensurate with experience.

Full time benefits include Medical, Dental, Vision, 401K, and other possible benefits as provided. Benefits are subject to change with or without notice.

Cybersecurity Incident Response Lead Responsibilities Include
  • Lead end-to-end incident response operations, ensuring rapid triage, containment, remediation, and recovery.
  • Direct and mentor IR analysts; manage on-call rotations and surge response support.
  • Develop, maintain, and standardize IR playbooks, procedures, and escalation workflows.
  • Coordinate cross-functional incident bridges; provide timely executive and customer briefings, including daily IR status updates.
  • Oversee digital forensics and evidence handling, ensuring chain of custody and investigative integrity.
  • Drive proactive threat hunting aligned to current threat actor TTPs and integrate intelligence into detections and response plans.
  • Partner with SOC leadership on detection engineering, alert tuning, and use-case development.
  • Participate actively in meetings, review agendas, and coordinate with contractors and staff to ensure cooperation and task implementation; review and validate security artifacts to confirm they sufficiently prepare the customer to address known security operations and security engineering requirements.
  • Provide daily incident response briefing to the customer.
  • Support the security review of IT systems and architecture as well as Cybersecurity policy development on IT service use, access, refresh, and configuration control, etc.
  • Conduct post-incident reviews documenting root cause, impact, corrective actions, and preventive controls.
  • Track and report IR metrics (e.g., MTTD, MTTR, containment time, recurrence).
  • Ensure compliance with regulatory and contractual requirements (FISMA, FedRAMP, DFARS/CMMC, as applicable).
  • Coordinate third-party engagements (forensics, breach counsel, PR) when needed.
  • Lead tabletop exercises, readiness drills, phishing simulations, and after-action reporting.
  • Conduct phishing exercises: plan them using relevant, real-world scenarios (e.g., HR updates, IT alerts, new vendor invoices); execute and monitor them; track and analyze results; and produce after-action reports.
  • Support security architecture reviews, cybersecurity policy development, and system risk assessments.
  • Guide selection and optimization of IR technologies, including EDR/XDR, SIEM/SOAR, NDR, threat intelligence, and forensic tools.
  • Perform other job-related duties as assigned.
Cybersecurity Incident Response Lead Experience, Education, Skills, Abilities requested
  • 7+ years of cybersecurity experience, including 4+ years in incident response or SOC leadership.
  • Proven leadership of complex incidents (ransomware, BEC, data exfiltration, insider threats, supply chain compromise).
  • Strong knowledge of IR frameworks, digital forensics, malware analysis fundamentals, and MITRE ATT&CK.
  • Hands-on experience with EDR/XDR, SIEM/SOAR, and forensic tools.
  • Excellent crisis communication and executive briefing skills.
  • Experience operating in regulated environments and handling sensitive data.
  • Certifications such as GCIH, GCIA, GCFA, GNFA, GDAT, CISSP, CCSP, or CEH preferred.
  • Experience in federal, defense, critical infrastructure, or healthcare environments.
  • Familiarity with NIST 800-61, NIST CSF, and CISA guidance preferred.
  • Experience with automation and scripting (Python, PowerShell), threat hunting, or…