Cyber Defense Incident Responder (Advanced)

Summary

The Cyber Defense Incident Responder (Advanced) performs hands-on technical work while guiding and directing senior and mid-level analysts. This role involves advanced threat detection, threat intelligence research, practical application of threat intelligence to operations, development of custom scripts, and a working understanding of complex threat actor techniques used to compromise systems and evade detection. The ideal candidate brings extensive operational experience defending highly secure enclaves, specifically navigating Top Secret/Sensitive Compartmented Information (TS/SCI) and Special Access Program (SAP) networks.

Work Location

In Office. Arlington, VA.

Duties and Responsibilities

• Lead a small team of advanced and mid-level security analysts to provide Incident Defense (ID) services for government clients, specifically tailored to the unique security constraints of TS/SCI and SAP environments.


• Serve as the primary technical point of contact for complex threat hunting issues, and mentor new ID team members to grow their skills and operational abilities.


• Engineer advanced detection alerting rules for events reported by endpoints, cloud services, network devices, and other relevant event sources across classified enclaves, using Splunk SPL, Microsoft Kusto Query Language (KQL), Elastic Kibana Query Language, Carbon Black, Snort rules, or other pattern-matching detection tools.


• Proactively research new malware using hunting capabilities on malware repository services (such as VirusTotal) and through established partnerships with other security researchers, ensuring all malware handling adheres to strict classified network protocols.


• Lead targeted phishing campaigns to help educate the workforce on the risks of social engineering and malicious attachments.


• Lead purple and red teaming efforts as directed, conducting adversary emulation relevant to the architecture of highly classified networks.


• Provide critical support to the Network Operations and Security Center (NOSC) and coordinate team schedules to ensure on-call coverage for after-hours, weekends, and holidays.


• Maintain the toolkit utilized by the ID Team; conduct research analysis on the latest cybersecurity tools, provide rationale to renew or deprecate current tools, and recommend new technologies for the enterprise.


• Perform comprehensive research and investigations with little to no oversight to locate information relevant to government requests, communicating findings effectively to government information security professionals.


• Ensure all written communication (reports, briefings, and alerts) is professional, high-quality, free of errors, and clearly delivers actionable intelligence.


• Perform other duties as assigned.

Minimum Qualifications

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily.

• High school diploma or GED equivalent required.


• Bachelor's degree in Computer Science, Digital Forensics, or a related major with an emphasis on Security preferred.


• Six (6) or more years of experience in Threat Hunting, Security Research, or Incident Response.


• Demonstrated leadership skills, preferably in a formal leadership role.


• Demonstrated scripting experience.


• Active TS/SCI clearance required.

Preferred Qualifications

• SAP (Special Access Program) access eligibility or prior SAP-network operational experience.


• Relevant industry certifications (e.g., GCIH, GCFA, GCIA, GREM, GDAT, CySA+, or equivalent).


• Ability to successfully pass background and drug screening.

Knowledge, Skills, and Abilities

• Advanced technical expertise in threat hunting, deep-dive malware analysis, and the operational application of threat intelligence within highly classified (TS/SCI and SAP) network enclaves.


• Demonstrated leadership and industry contribution, recognized as a subject matter expert within the defense or broader information security community for advancing incident response methodologies.


• Proven track record of excellence in guiding, mentoring, and directing mid-level and senior information security professionals during active cyber operations and crisis response.


• Government/client service experience as a primary technical liaison, providing Incident Defense (ID) and threat resolution services directly to government stakeholders and technical clients.


• Security engineering and architecture: knowledge of planning, designing, and implementing robust security controls, detection rules, and defensive systems tailored to secure network architectures.


• Adversary emulation: skill in executing red team or purple team simulations to test and validate defensive postures against Advanced Persistent Threats (APTs).


• Technical mentorship: experience teaching, mentoring, and guiding junior and mid-level analysts in advanced digital forensics and malware analysis techniques.


• Advanced forensics: deep technical understanding of host and network-based forensic analysis techniques, with the ability to accurately interpret complex artifacts and maintain data integrity during investigations.


• Malware and script analysis: high-level skill in reverse-engineering and analyzing obfuscated, malicious scripts (e.g., PowerShell, VBA, JavaScript, .NET) used by sophisticated threat actors.


• Superior research capabilities: exceptional technical analysis and research skills, capable of proactively identifying novel threats and vulnerabilities.


• Executive communication: excellent written and verbal communication skills, capable of producing high-quality, error-free incident reports and briefings suitable for government leadership.


• Technical translation: ability to clearly explain complex cybersecurity incidents, TTPs, and risks to both technical peers and non-technical decision-makers.


• Project and case management: proven ability to independently manage multiple complex incident investigations or research projects simultaneously, with high accountability, initiative, and integrity.


• Crisis management: ability to take ownership during high-stress cyber incidents, rapidly set triage priorities, multitask effectively, and meet tight government reporting deadlines.


• Collaboration: well-developed problem-solving and interpersonal skills to facilitate seamless coordination with NOSCs, intelligence teams, and external partners.


• Attention to detail: excellent organizational skills with acute attention to detail, critical for maintaining chain-of-custody, accurate incident logging, and operating within strict SAP compliance frameworks.

Physical Demands

The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

While performing the duties of this job, the employee is regularly required to sit and talk or hear, and may use repeated motions involving the arms, wrists, hands, and fingers. The employee is occasionally required to walk, stand, climb, balance, stoop, kneel, crouch, or crawl, and must occasionally lift and/or move up to 25 pounds. Specific vision abilities required include close vision.

Work Environment

The employee normally works in a temperature-controlled office environment with frequent exposure to electronic office equipment. During visits to areas of operations, the employee may be exposed to extreme cold or hot weather conditions and is occasionally exposed to fumes or airborne particles, toxic or caustic chemicals, and loud noise.

Equal Opportunity

S2i2, Inc. is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or protected veteran status. S2i2 participates in the E-Verify Employment Verification Program.