Cyber Incident Response Team (CIRT) Lead

We are seeking a highly skilled and innovative Cyber Incident Response Team (CIRT) Lead to join our team in the greater DMV area, supporting the Army National Guard.

Responsibilities

• Lead enterprise incident response operations: triage, containment, eradication, recovery, and post‑incident activities for high‑severity cybersecurity events across all enclaves.
• Develop, maintain, and exercise incident response playbooks, escalation workflows, investigative procedures, and evidence‑handling protocols aligned with DoD, Army, and NIST guidance.
• Oversee advanced investigations: coordinate log analysis, packet capture/inspection, forensic collection, malware analysis, and adversary behavior mapping to identify root causes and operational impacts.
• Integrate threat intelligence, hunt findings, and vulnerability data into response processes to inform real‑time decisions and remediation priorities.
• Coordinate enterprise response actions with SOC, RCC‑ARNG, NETCOM, ARCYBER, engineering, and mission stakeholders to enable rapid containment and remediation.
• Manage deployment and optimization of incident response tooling (forensics, EDR, SOAR, packet analysis) and ensure readiness of CIRT capabilities.
• Produce incident reports, after‑action reviews, timelines, and executive briefings documenting actions, impacts, and recommended defensive improvements.
• Identify detection gaps, configuration weaknesses, and architectural vulnerabilities uncovered during incidents and drive corrective action planning and validation.
• Lead readiness activities: tabletop exercises, red/blue/purple team engagements, training, and continuous improvement of response processes and metrics.

#ENOCS

Qualifications

• Minimum of 8 years with BS/BA; Minimum of 6 years with MS/MA; Minimum of 3 years with PhD

• Clearance: Active TS/SCI clearance.

• Candidate must meet ONE of the following:

  • Master’s degree or Ph.D. in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, Software Engineering, or a related field; OR
  • Relevant DoD/military training (examples: 4‑11‑C32‑255S (CP), 4C‑255N (CP), 4C‑255A (CP)); OR
  • Relevant professional certification or equivalent experience (examples: CFR, CySA+, GCFA, GCIA, GICSP).

• Required experience and skills:

  • Incident response, digital forensics, or advanced cyber operations experience with at least 3 years leading CIRT or SOC incident response teams in enterprise or DoD environments.
  • Deep expertise in forensic collection/analysis, packet/IP traffic analysis, EDR/XDR tooling, log forensics, and malware/IOC analysis.
  • Proven ability to coordinate multi‑stakeholder responses at scale and produce decision‑grade incident reports and executive briefings.
  • Strong knowledge of RMF/ATO evidence requirements, chain‑of‑custody, legal/privilege considerations, and DoD incident reporting channels.
  • Experience implementing and tuning SOAR playbooks, detection validations, and remediation verification processes.

• Desired:

  • Prior experience coordinating incidents with ARCYBER, NETCOM, DISA, or RCC‑ARNG and familiarity with multi‑domain (NIPR/SIPR/cloud) response complexities.
  • Track record running cross‑domain exercises, purple teams, and continuous improvement programs that measurably improve MTTD/MTTR and detection fidelity.

#ENOCS