Cybersecurity Incident Response Lead

Cybersecurity Incident Response Lead

This position requires an active Public Trust clearance to be considered.

A government contract requires that this position be restricted to U.S. citizens or legal permanent residents. You must provide documentation that you are a U.S. citizen or legal permanent resident to qualify.

The Incident Response (IR) Team Lead will own cyber incident preparedness, detection, triage, containment, eradication, and recovery across mission-critical environments. This role leads a multidisciplinary incident response function and partners closely with SOC, threat intelligence, forensics, legal, and business stakeholders to protect operations and reduce cyber risk.

Compensation & Benefits:

Estimated Starting Salary Range for Cybersecurity Incident Response Lead: [Enter$]

Pay commensurate with experience.

Full time benefits include Medical, Dental, Vision, 401K, and other possible benefits as provided. Benefits are subject to change with or without notice.

Cybersecurity Incident Response Lead Responsibilities Include:

• Lead end-to-end incident response operations, ensuring rapid triage, containment, remediation, and recovery.
• Direct and mentor IR analysts; manage on-call rotations and surge response support.
• Develop, maintain, and standardize IR playbooks, procedures, and escalation workflows.
• Coordinate cross-functional incident bridges; provide timely executive and customer briefings, including daily IR status updates.
• Oversee digital forensics and evidence handling, ensuring chain of custody and investigative integrity.
• Drive proactive threat hunting aligned to current threat actor TTPs and integrate intelligence into detections and response plans.
• Partner with SOC leadership on detection engineering, alert tuning, and use-case development.

• Active participation in meetings, reviews agendas, coordinates with contractors and staff to ensure cooperation and task implementation, reviews and validates security artifacts to ensure that they are sufficient in preparing the customer to address known security operations and security engineering requirements.

• Provide daily incident response briefing to the customer.

• Support the security review of IT systems and architecture as well as Cybersecurity policy development on IT service use, access, refresh, and configuration control, etc.

• Conduct post-incident reviews documenting root cause, impact, corrective actions, and preventive controls.
• Track and report IR metrics (e.g., MTTD, MTTR, containment time, recurrence).
• Ensure compliance with regulatory and contractual requirements (FISMA, FedRAMP, DFARS/CMMC, as applicable).

• Coordinate third party engagements (forensics, breach counsel, PR) when needed.

• Lead tabletop exercises, readiness drills, phishing simulations, and after-action reporting.

• Conduct phishing exercises; Plan, using relevant, real-world examples (e.g., HR updates, IT alerts, new vendor invoices). Execute and monitor, track and analyze, and conduct after action reports.

• Support security architecture reviews, cybersecurity policy development, and system risk assessments.
• Guide selection and optimization of IR technologies, including EDR/XDR, SIEM/SOAR, NDR, threat intelligence, and forensics tools.
• Performs other job-related duties as assigned

Cybersecurity Incident Response Lead Experience, Education, Skills, Abilities requested:

• 7+ years of cybersecurity experience, including 4+ years in incident response or SOC leadership.
• Proven leadership of complex incidents (ransomware, BEC, data exfiltration, insider threats, supply chain compromise).
• Strong knowledge of IR frameworks, digital forensics, malware analysis fundamentals, and MITRE ATT&CK.
• Hands-on experience with EDR/XDR, SIEM/SOAR, and forensic tools.
• Excellent crisis communication and executive briefing skills.
• Experience operating in regulated environments and handling sensitive data.
• Certifications such as GCIH, GCIA, GCFA, GNFA, GDAT, CISSP, CCSP, or CEH preferred.
• Experience in federal, defense, critical infrastructure, or healthcare environments.
• Familiarity with NIST 800-61, NIST CSF, and CISA guidance preferred.
• Experience with automation and scripting (Python, PowerShell), threat hunting, or detection engineering preferred.
• Must pass pre-employment qualifications of Cherokee Federal

Company Information:

Criterion is a part of Cherokee Federal - the division of tribally owned federal contracting companies owned by Cherokee Nation Businesses. As a trusted partner for more than 60 federal clients, Cherokee Federal LLCs are focused on building a brighter future, solving complex challenges, and serving the government's mission with compassion and heart. To learn more about Criterion, visit cherokee-federal.com.

#CherokeeFederal #LI #LI-REMOTE

#LI-RA1

Cherokee Federal is a military friendly employer. Veterans and active military transitioning to civilian status are encouraged to apply.

Similar searchable job titles:

• Incident Response Manager

• Cyber Incident Response Lead

• SOC Incident Response Manager

• Cybersecurity Incident Manager

• Digital Forensics & Incident Response (DFIR) Lead

Keywords:

• Incident Response

• Cybersecurity

• Threat Hunting

• Forensics

• Crisis Management

Legal Disclaimer: All qualified applicants will receive consideration for employment without regard to protected veteran status, disability or any other status protected under applicable federal, state or local law.

Many of our job openings require access to government buildings or military installations.

Please Note: This position is pending a contract award. If you are interested in a future with Cherokee Federal, APPLY TODAY! Although this is not an approved position, we are accepting applications for this future and anticipated need.