
neurealm

Lead - Cyber - Incident Commander


Job Description

We're seeking a dynamic Cyber Incident Commander (Lead) to join our team at Neurealm.

As an Incident Commander (Lead), you will direct the tactical, hands-on response to active cyber threats. You will be crucial to executing our firm's incident playbooks, orchestrating technical triage across the SOC and engineering teams, and mitigating live attacks. You will ensure our information assets are aggressively defended and recovered rapidly during high-stress cyber events.

If you are passionate about threat hunting, have deep hands-on experience with modern security tooling, and are ready to lead tactical security responses for a growing company, we welcome you to join our team. We offer competitive compensation, a collaborative work environment, and opportunities for professional growth in the field of cybersecurity.

Experience: 10-14 Yrs

Objectives of the role:

  • Leading the tactical execution of incident response procedures during active cyberattacks and data breaches.
  • Directing shifts of SOC analysts, threat hunters, and forensics engineers to isolate and eradicate threats.
  • Executing rapid technical triage, malware analysis, and endpoint isolation to minimize the blast radius of an attack.
  • Overseeing the seamless handoff of technical intelligence from the SOC to the Infrastructure/Recovery teams.
  • Ensuring strict adherence to technical playbooks, Chain of Custody, and forensic preservation guidelines.
  • Collaborating with cross-functional IT and Network teams to enforce immediate compensating controls (e.g., firewall blocks, IAM revocations).
  • Conducting technical tabletop exercises and attack simulations to train L1/L2 SOC analysts.

Your tasks:

  • Act as the primary technical Lead in the War Room during active security incidents.
  • Perform real-time log analysis, threat hunting, and forensics tracking across SIEM, EDR, and Cloud telemetry.
  • Direct the isolation of compromised endpoints and cloud tenants without destroying volatile forensic evidence (RAM/Snapshots).
  • Implement immediate containment strategies (e.g., executing network micro-segmentation, triggering automated SOAR playbooks).
  • Ensure all security patches, updates, and emergency firewall rules are promptly applied during containment phases.
  • Document granular timelines of threat actor lateral movement, persistence mechanisms, and exfiltration paths.
  • Draft technical Root Cause Analysis (RCA) reports and contribute technical findings to the executive After-Action Report (AAR).
  • Handle vulnerability testing, penetration tests, and validation of environments before they are brought back online post-breach.
  • Ensure technical containment steps do not violate company compliance with data protection regulations, including GDPR and HIPAA.
  • Continuously fine-tune SIEM/SOAR detection logic based on lessons learned from recent incidents.

Required skills and qualifications:

  • Bachelor's degree in Computer Science, Information Security, or a related field.
  • Demonstrable experience as a Senior Incident Responder, SOC Lead, or similar role with 10-14 years in cybersecurity operations.
  • Extensive knowledge of the NIST Incident Response framework and MITRE ATT&CK matrix.
  • Hands-on experience in technical incident management, forensic artifact collection, and disaster recovery execution.
  • Deep proficiency in security technologies and tools, including SIEM (Splunk, Sentinel), EDR (CrowdStrike, Defender), and Network Traffic Analysis.
  • Experience in cloud security incident response within platforms like AWS, Azure, or Google Cloud.
  • Strong understanding of standard data privacy regulations (GDPR, HIPAA) and how they impact forensic data handling.
  • Hands-on experience with malware analysis, reverse engineering, and deep-dive network forensics.
  • Strong leadership skills, with experience technically directing L1/L2/L3 security analysts during high-pressure outages.
  • Solid analytical and problem-solving skills, with the ability to rapidly identify IoCs (Indicators of Compromise).
  • Excellent communication skills, with the ability to clearly coordinate technical actions across IT, Server, and Network teams.

Preferred skills and qualifications:

  • Relevant technical certifications in incident response, such as GCIH, GCFA, OSCP, or CEH.
  • Advanced scripting skills (Python, PowerShell, KQL) for rapid log parsing and SOAR automation.
  • Experience with DevSecOps and integrating security response within CI/CD pipelines.
  • Familiarity with Zero Trust Architecture and investigating identity-based attacks.
  • Expertise in cloud-native forensics and securing serverless/containerized environments (Kubernetes/Docker).
  • Contributions to open-source security tools or active participation in the threat intelligence community.


Job ID: 149243329