Salary: £45,000 to £55,000 depending on experience
Location: Remote (Hybrid)
Job Description
CYFOR is a leading nationwide provider of cyber security services, digital forensics and eDiscovery. We support clients across a wide range of sectors, including law firms, insurance providers and law enforcement agencies. As our cyber security services continue to grow, we are looking for talented technical specialists who can make a meaningful impact for our clients.
At CYFOR, we value people who are passionate about technology, think critically, communicate well and can make a real difference in challenging situations. Our people are what make CYFOR great, and as they grow, so do we.
If you are looking for a varied and highly rewarding technical role, working with great colleagues in a supportive and fast-moving environment, we would like to hear from you.
The Role
We are looking for an experienced Incident Response – Recovery Specialist to join our incident response team. This is a hands‑on technical role focused on helping clients recover from cyber incidents, restore critical services, rebuild infrastructure where necessary, and return to business‑as‑usual as safely and efficiently as possible.
While the role is primarily aligned to incident response work, it is not limited to live incidents alone. In addition to supporting clients during recovery engagements, you may also assist with ongoing incident response retainers, recovery readiness activities, backup health and restore assurance, and internal technical improvement projects.
This role is well suited to candidates with strong engineering fundamentals who may already work in, or come from, roles such as Infrastructure Engineer, Cloud Engineer, Platform Engineer, Backup / DR Engineer, or Network Engineer. We recognise that the right person may not come from a pure DFIR background, but will instead bring deep technical experience in designing, rebuilding, securing and supporting business‑critical systems.
Success in this role will depend on your ability to quickly assess unfamiliar environments, ask the right probing questions, work methodically under pressure, and restore key systems even where documentation is limited or unavailable. In some cases, where backups are not viable, you will be expected to help rebuild core systems and services from scratch.
Key Responsibilities
The main responsibilities for the role will include:
- Assisting clients with infrastructure remediation, recovery and rebuilds following a cyber incident.
- Supporting the restoration of critical business services in both on‑premise and cloud environments.
- Rebuilding key systems from scratch where recovery from backup is not possible or not appropriate.
- Collaborating with incident response investigators to support containment, remediation and longer‑term resilience.
- Supporting clients with ongoing incident response retainers and proactive recovery readiness activities between incidents.
- Monitoring backup health, supporting restore validation, and helping clients improve recovery confidence and resilience.
- Segmenting infrastructure during a cyber incident to support containment and safe restoration.
- Collecting and preserving relevant technical evidence, such as firewall, endpoint, authentication and system logs.
- Supporting Microsoft 365 tenant hardening, Entra / identity recovery, Exchange recovery or migration activities, VMware and Hyper‑V recovery, and firewall rebuilds or rule reviews where required.
- Automating recovery and administrative tasks using PowerShell and other relevant scripting or command‑line tools.
- Contributing to internal projects such as automation and tooling, recovery runbooks, backup validation and testing, internal lab development, service improvement initiatives, and internal infrastructure or security projects.
- Using sound judgement, structured troubleshooting, critical thinking, and appropriate AI‑assisted tooling to improve efficiency, analysis and documentation where suitable.
Essential Skills and Experience
The ideal candidate will have strong practical experience in a number of the following areas:
- Windows server infrastructure, including Active Directory, Domain Controllers and Exchange.
- Microsoft 365, Azure and Entra ID.
- Cloud infrastructure, e.g. AWS and/or Google Cloud.
- Backup and recovery technologies, e.g. Unitrends, Axcient, and Microsoft backup tools.
- Virtualisation platforms, including VMware and Hyper‑V.
- Network and security infrastructure, including firewalls, VPNs, switches and core networking concepts.
- Exposure to endpoint security tooling, similar to SentinelOne, and an understanding of how security tooling supports recovery and remediation.
- Recovering, rebuilding, migrating or hardening production systems in live business environments.
- Strong PowerShell and general scripting or command‑line capability.
- The ability to work through incomplete information, learn environments quickly, and ask effective technical and client‑facing questions.
- Strong written and verbal communication skills, with the ability to explain technical matters clearly to clients and internal stakeholders.
Desirable: extensive exposure to any of the following technologies or vendors
- Fortinet, SonicWall, Cisco, Meraki, Sophos, and WatchGuard.
- Additional Microsoft security and cloud technologies relevant to identity, recovery and tenant resilience.
- Vulnerability scanning, security auditing and general security improvement activity.
- Recovery planning, resilience testing, and disaster recovery best practices.
- Experience working in cyber security, incident response, managed service, infrastructure engineering or related technical consulting environments.
Certifications
Candidates should hold, or be working toward, relevant certifications such as CREST or CompTIA Security+. Equivalent technical or cyber security certifications are also welcomed.
Additional Requirements
You will also be expected to:
- Travel at short notice when required to perform on‑site recovery services.
- Work primarily remotely, with occasional on‑site engagements depending on client needs.
- Demonstrate a high level of accuracy, organisation, discretion and confidentiality.
- Take a flexible and self‑motivated approach to work.
- Remain calm and professional when supporting clients during high‑pressure incidents.
What You’ll Receive
In joining CYFOR, you will receive a salary commensurate with experience, training across cyber security disciplines such as incident response, auditing and forensic investigations, and excellent career prospects within a growing cyber security team. You will also receive:
- Annual subscriptions from a choice of Netflix, Amazon Prime, Spotify, magazine subscriptions and more.
- CYFOR’s statutory pension scheme.
- An extra day’s holiday for your birthday.
- Loyalty bonuses: 3 years – £300, 5 years – £500, 10 years – £1,000 bonus.
Security Clearance
Please note that this role will require security clearance to SC level. If you do not already hold SC clearance, you will be required to undergo vetting.
As an equal opportunities employer, CYFOR welcomes applicants from all sections of the community regardless of gender, ethnicity, disability, sexual orientation or transgender status. All appointments are made on merit.
Contact Detail:
CYFOR group Recruiting Team