
Staff Incident Response Analyst
alphasense • Remote - India
Posted: May 21, 2026
Job Description
About the Role:
We are hiring a Staff Incident Response Analyst to serve as the technical escalation point for our L2 SOC analysts and 24/7 managed detection and response (MDR) partner. When a case exceeds what an L2 can handle — complex forensics, multi-system intrusions, ambiguous attacker behavior, or high-stakes containment decisions — it lands with you. You are the last line of technical defense before the Security Operations Manager is pulled in.
This is a deeply hands-on role. You will spend the majority of your time in tooling: hunting through the SIEM, pulling host artifacts via EDR remote access, tracing IAM chains in cloud audit logs, and reconstructing attacker timelines from raw evidence. You are expected to know what you are looking at without being told, and to be faster and more thorough than the analysts escalating to you.
Core Responsibilities:
Escalation Handling & Incident Leadership
- Receive and own L2 escalations across all severity levels; take over the technical lead role on Sev2+
- Scope incidents accurately and quickly: determine blast radius, affected assets, and attacker objectives from available telemetry
- Make and document containment decisions — endpoint isolation, account suspension, token revocation, network block — with clear rationale
- Maintain a forensically sound incident timeline: ordered evidence, source attribution, and chain-of-custody throughout
- Communicate incident status to the Security Operations Manager with enough fidelity to brief upward without needing to re-investigate
- Drive incidents to documented closure: root cause, attacker path, affected assets, and defensive gaps identified
Host & Endpoint Forensics
- Perform deep-dive endpoint triage via EDR: process tree analysis, remote artifact collection, behavioral event review, and custom detection rule evaluation
- Reconstruct attacker activity from Windows forensic artifacts: Prefetch, Shimcache, Amcache, MFT, $UsnJrnl, event logs (4624, 4688, 4698, 7045), and registry hives
- Analyze Linux host artifacts: bash history, cron jobs, /tmp and /var/log contents, SUID binaries, and persistence mechanisms
- Perform memory forensics when warranted: process injection, credential extraction artifacts, and in-memory malware indicators
- Extract and analyze malware samples statically and dynamically: PE header review, strings, YARA matching, and sandbox detonation interpretation
Cloud Incident Response — AWS & GCP
- Lead AWS-based IR: CloudTrail forensics, IAM chain reconstruction, EC2 isolation, S3 access pattern analysis, Lambda execution review
- Identify and respond to IMDS credential abuse, assumed-role lateral movement, and cross-account privilege escalation
- Investigate container and serverless incidents: ECS task behavior, Lambda invocation logs, and abnormal API call sequences
- Correlate VPC Flow Logs, native threat detection findings, and S3 access logs against SIEM events to build a complete cloud-side timeline
- Handle GCP incidents using Cloud Audit Logs, Cloud Logging, and IAM policy review in a multi-cloud context
- Use cloud security posture management (CSPM) findings and runtime data as investigative context during active incidents
Identity & SaaS Forensics
- Investigate identity provider incidents: admin audit log review, session anomaly analysis, suspicious app assignments, MFA bypass patterns, and provisioning events
- Perform customer identity and access management (CIAM) forensics: authentication log analysis, abnormal grant flows, token misuse, and tenant-level anomaly investigation
- Reconstruct identity-based attack chains across the IdP, cloud IAM, and application layers — from initial credential compromise through lateral movement
- Identify and respond to OAuth abuse, token theft, session hijacking, and federated identity attacks
Threat Hunting & Detection Contribution
- Conduct structured threat hunts in the SIEM using detection rule logic, event correlation queries, and multi-source pivoting
- Hunt for attacker behavior that existing detections miss: living-off-the-land techniques, LOLBins, slow-and-low persistence, and C2 beaconing patterns
- Translate hunt findings and post-incident learnings into specific detection recommendations or rule drafts for the Security Operations Manager
- Contribute to ATT&CK coverage visibility by flagging technique gaps surfaced during investigations or hunts
L2 Escalation Support & Quality
- Take escalation handoffs from L2 analysts and the MDR partner; provide technical direction when an analyst is stuck, not just take the case
- Review escalation packages for completeness and accuracy — push back when context is insufficient and coach on what’s missing
- Identify recurring escalation patterns and flag them to the Security Operations Manager as potential L2 training gaps or detection tuning needs
- Document investigation methodology on closed cases in enough detail that an L2 analyst can learn from the approach
Required Qualifications:
- 6+ years of hands-on incident response experience, with at least 3 years performing technical IR at a senior or staff level
- Expert-level EDR proficiency (e.g., CrowdStrike Falcon, SentinelOne, or equivalent): remote triage, process tree analysis, behavioral detections, and custom detection rule authorship
- Deep AWS IR capability: CloudTrail forensics, IAM chain analysis, EC2 and Lambda investigation, and IMDS/assumed-role abuse patterns
- Strong Windows forensics: ability to reconstruct attacker activity from Prefetch, MFT, Shimcache, event logs, and registry artifacts without tooling assistance
- Solid Linux forensics: persistence mechanisms, cron, SUID analysis, process anomalies, and log artifact interpretation
- Hands-on SIEM investigation and detection experience (e.g., Google SecOps/Chronicle, Splunk, Microsoft Sentinel): writing detection logic, pivoting on normalized events, and multi-event correlation
- Identity incident response experience in an enterprise IdP (e.g., Okta, Entra ID): audit log forensics, session analysis, app-layer anomalies, and admin abuse patterns
- Demonstrated ability to scope and lead Sev1 incidents autonomously, including containment decisions and cross-functional coordination
- Strong technical writing: you produce investigation timelines, evidence summaries, and escalation handoffs that are accurate, concise, and unambiguous
- MITRE ATT&CK fluency: you use it to communicate attacker behavior, not just as a reference
Preferred Qualifications:
- Memory forensics experience using Volatility or equivalent: process injection, credential material in memory, and rootkit indicators
- Malware analysis capability: static analysis (PE headers, strings, imports), dynamic sandbox review, and YARA rule authorship
- GCP IR experience using Cloud Audit Logs, VPC Flow Logs, and IAM policy analysis in a live incident context
- CIAM forensics experience (e.g., Auth0, Cognito): authentication logs, abnormal grant flows, and token misuse investigation
- Experience receiving and evaluating escalations from an MSSP/MDR, including identifying under-triaged or misrouted tickets
- Familiarity with CSPM tooling (e.g., Wiz, Prisma Cloud, Orca) as an investigative data source during cloud incidents
- DFIR certifications: GCFE, GCFA, GCFR, GREM, GCIH, or equivalent practical forensics credentials
- Prior experience in a SaaS company, financial services, or other regulated environment handling sensitive customer data