Cyber Incident Responder

Full-Time | £40,000 - £50,000 / year (est.) | Home office (partial)

At a Glance

  • Tasks: Lead high-tempo cyber incident responses and conduct forensic investigations.
  • Company: Join CYFOR, a dynamic team focused on cybersecurity excellence.
  • Benefits: Enjoy flexible working, generous holiday, and a supportive company culture.
  • Other info: Opportunity for career growth and continuous learning in a collaborative setting.
  • Why this job: Make a real impact in cybersecurity while developing your skills in a fast-paced environment.
  • Qualifications: 3+ years in cyber incident response and digital forensics required.

The predicted salary is between £40,000 and £50,000 per year.

Due to our continued growth, we are looking for an experienced Cyber Incident Responder to add to the CYFOR Secure team. The ideal candidate will have at least 3 years' experience responding to and investigating a range of cyber incidents and demonstrate solid knowledge of common cyber incident types and threat actor methodologies. You'll have a strong technical knowledge of incident response, digital forensics, M365, cloud environments and investigations processes, along with excellent client facing skills and a can-do attitude. You'll also be able to demonstrate flexibility, commitment and integrity.

This role is primarily focused on incident response investigations, but you will also be required to support and backfill remote and onsite business recovery activities, security assessments and tabletop exercises when required. In return, you'll receive a salary commensurate with experience; plus training, overtime and excellent career prospects. You'll enjoy a varied and highly fulfilling role, working with great colleagues in a fantastic atmosphere. This is a unique opportunity to join a highly successful business that truly focuses on its main asset, its team members.

Main Responsibilities

  • Perform high-tempo emergency incident response engagements for clients, leading and supporting technical containment, eradication and recovery actions including credential resets, host isolation, network quarantine, EDR deployment, persistence removal and validation of clean-state restoration.
  • Conduct host, network and cloud-focused forensic investigations to determine initial access, root cause, attack path, lateral movement, privilege escalation, persistence mechanisms, command-and-control activity and the scope of data or systems impacted.
  • Acquire, preserve and analyse forensic evidence from endpoints, servers, virtual machines and enterprise infrastructure using forensically sound methodologies, ensuring evidential integrity and defensible investigative outcomes.
  • Investigate artefacts across server logs, firewall logs, proxy logs, VPN logs, intrusion detection and prevention alerts, authentication records, EDR telemetry, cloud audit logs and packet or traffic data to reconstruct attacker activity and identify affected accounts, hosts and datasets.
  • Perform malware triage, reverse engineering and behavioural analysis to determine malware capability, execution flow, persistence, communications patterns, credential theft activity, data staging or exfiltration risk, and to produce actionable indicators of compromise and detection opportunities.
  • Fuse frontline threat intelligence, open-source research and adversary TTP analysis into live investigations to enrich hypotheses, accelerate scoping, attribute likely threat activity where appropriate, and strengthen detection and containment decisions.
  • Apply structured, hypothesis-led investigative methodology under pressure, maintaining calm judgement, technical accuracy and clear prioritisation during complex, high-impact and time-sensitive incidents.
  • Produce high-quality technical deliverables including evidence-based investigation reports, attack timelines, executive summaries, indicators of compromise, remediation recommendations and client-ready findings suitable for technical, leadership and third-party stakeholder audiences.
  • Deliver regular, concise and high-quality updates throughout engagements, clearly communicating current findings, investigative direction, risk, client actions, containment status and next steps to both technical teams and senior stakeholders.
  • Support and advise clients through remediation, recovery and rebuild activities including system reimaging, Active Directory hardening or rebuilds, control improvement, network segmentation, patching, validation of eradication and post-incident security uplift.
  • Use forensic triage, live response and targeted acquisition techniques to rapidly identify patient zero, prioritise critical systems, reduce unnecessary full-disk imaging and scale investigations efficiently across large enterprise environments.
  • Support the delivery of compromise assessments, threat hunting, security assessments, incident preparedness activities and tabletop exercises to improve client readiness before, during and after security incidents.
  • Travel at short notice when required to provide on-site incident response, forensic acquisition, crisis support and recovery assistance for business-critical client environments.
  • Collaborate closely with incident response, threat intelligence, malware analysis, detection engineering, red team, SOC and infrastructure stakeholders to ensure investigations are intelligence-led, technically rigorous and operationally effective.
  • Contribute to the continuous improvement and promotion of DFIR services by feeding back lessons learned from engagements, developing new capabilities, refining methodologies and supporting go-to-market initiatives.
  • Actively share knowledge across the organisation by delivering internal training, mentoring team members, contributing to playbooks, and improving collective investigative capability and technical depth.
  • Represent the organisation externally through thought leadership activities including conference speaking, client briefings, technical blog writing and community engagement, helping to strengthen brand credibility and industry presence.
  • Capture and operationalise insights from incidents into reusable intelligence, detection content, tooling improvements and best practices, ensuring knowledge is retained and scaled across future engagements.

Skills and Experience

  • Minimum 3 years’ experience in cyber incident response and digital forensics.
  • Experience collecting forensic evidence from compromised systems.
  • Experience investigating cyber incidents to understand malicious activity.
  • Proven understanding of the Cyber Kill Chain, MITRE ATT&CK and other information security defence and intelligence frameworks.
  • Comprehensive knowledge of incident handling, threat hunting and threat intelligence.
  • Ability to correlate events from various sources to create incident timelines.
  • Experience in cloud-based infrastructure including Microsoft Azure and Office 365, Amazon AWS, and Google Cloud.
  • Experience with Linux/Unix systems as a digital forensics tool, including command-line evidence acquisition and analysis.
  • Knowledge of Windows server infrastructure, including Active Directory, Domain Controllers and Exchange Servers.
  • Excellent client facing skills, with the ability to communicate at all levels, adapting the style of communication to meet the needs of the audience.
  • An excellent attitude and the willingness to learn and study for certifications.
  • Ability to effectively plan and coordinate projects.
  • Excellent written and verbal communication skills.
  • An investigative mindset with a high level of attention to detail.
  • Demonstrate a flexible approach to work and a high level of self-motivation.
  • Ability to exercise discretion and confidentiality.
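
The "correlate events from various sources to create incident timelines" skill above, and the artefact sources listed under Main Responsibilities (firewall/VPN logs, Windows authentication records, M365 audit logs, EDR telemetry), come down to one recurring chore: every source stamps time differently, and a timeline built without normalising them tells the wrong story. The script below is an added example written for this page, not CYFOR's tooling; the four log records are constructed, and the syslog year (2024) and appliance clock (BST, UTC+1) are assumptions a responder would take from the acquisition notes.

```python
"""Added example (not from the job posting): normalise four log sources into a
single UTC timeline and pivot on an indicator. Sample records are constructed."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(order=True)
class Event:
    ts: datetime      # always tz-aware UTC, so sorting across sources is meaningful
    source: str
    actor: str
    src_ip: str
    detail: str


# --- Constructed sample records; each source keeps its native timestamp convention ---
FIREWALL_SYSLOG = [  # appliance local time (assumed BST = UTC+1), no year, no zone marker
    "Jun 14 09:02:11 fw1 vpn: user=jsmith src=203.0.113.7 action=login result=success",
    "Jun 14 09:02:40 fw1 vpn: user=jsmith src=203.0.113.7 action=tunnel-up",
]
WINDOWS_SECURITY_CSV = [  # exported with UTC timestamps: time,EventID,host,user,ip,detail
    "2024-06-14T08:03:02Z,4624,DC01,jsmith,203.0.113.7,LogonType=10",
    "2024-06-14T08:06:45Z,4672,DC01,jsmith,203.0.113.7,SpecialPrivilegesAssigned",
]
M365_UNIFIED_AUDIT = [  # one JSON record per line, CreationDate is UTC
    '{"CreationDate":"2024-06-14T08:05:10Z","Operation":"New-InboxRule",'
    '"UserId":"jsmith@example.com","ClientIP":"203.0.113.7"}',
]
EDR_JSONL = [  # epoch milliseconds
    '{"event_time":1718352430000,"host":"WS-042","user":"jsmith",'
    '"process":"powershell.exe -enc ...","ip":"10.0.5.23"}',
]

_SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) \S+: (.*)$")


def parse_firewall(line: str, year: int, local_offset_hours: int) -> Event:
    """Syslog carries neither year nor zone; both must be supplied from the
    acquisition notes (assumed here: 2024, appliance set to BST = UTC+1)."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed syslog line: {line!r}")
    local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    ts = local.replace(tzinfo=timezone(timedelta(hours=local_offset_hours))).astimezone(UTC)
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return Event(ts, "firewall", fields.get("user", "?"), fields.get("src", "?"),
                 f"{m.group(2)} {fields.get('action', '?')}")


def parse_windows(line: str) -> Event:
    ts, event_id, host, user, ip, detail = line.split(",", 5)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), "windows", user, ip,
                 f"{host} EID {event_id} {detail}")


def parse_m365(line: str) -> Event:
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["CreationDate"].replace("Z", "+00:00"))
    return Event(ts, "m365", rec["UserId"].split("@")[0], rec["ClientIP"], rec["Operation"])


def parse_edr(line: str) -> Event:
    rec = json.loads(line)
    ts = datetime.fromtimestamp(rec["event_time"] / 1000, tz=UTC)
    return Event(ts, "edr", rec["user"], rec["ip"], f"{rec['host']} {rec['process']}")


def build_timeline(fw_offset_hours: int = 1) -> list[Event]:
    """Merge all sources into one chronologically sorted, UTC-normalised timeline."""
    events = [parse_firewall(l, 2024, fw_offset_hours) for l in FIREWALL_SYSLOG]
    events += [parse_windows(l) for l in WINDOWS_SECURITY_CSV]
    events += [parse_m365(l) for l in M365_UNIFIED_AUDIT]
    events += [parse_edr(l) for l in EDR_JSONL]
    return sorted(events)


def pivot(events: list[Event], *, actor: str | None = None, src_ip: str | None = None) -> list[Event]:
    """Scope an indicator: every event touching this account and/or source address."""
    return [e for e in events
            if (actor is None or e.actor == actor) and (src_ip is None or e.src_ip == src_ip)]


def first_seen(events: list[Event], actor: str) -> Event:
    """Earliest event for an account: the starting point for an initial-access hypothesis."""
    return min(pivot(events, actor=actor))


def render(events: list[Event]) -> str:
    """Plain-text timeline suitable for pasting into a report appendix."""
    return "\n".join(f"{e.ts:%Y-%m-%dT%H:%M:%SZ} {e.source:8} {e.actor:8} {e.src_ip:14} {e.detail}"
                     for e in events)


if __name__ == "__main__":
    tl = build_timeline()
    print(render(tl))
    print("\nfirst activity for jsmith:", first_seen(tl, "jsmith").detail)
```

With the appliance clock accounted for, the VPN login from 203.0.113.7 is the earliest jsmith event, followed by the interactive logon on DC01, the inbox rule in M365, the privileged-token event and finally the encoded PowerShell on WS-042. Passing `fw_offset_hours=0`, i.e. treating the firewall's local time as UTC, pushes the VPN login an hour later and makes the domain controller logon look like the first contact, which is exactly the kind of inverted root cause a reviewer should catch before the report goes out.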

Desirable Skills

  • Previous exposure to enterprise scale infrastructure and technology stacks.
  • Appropriate incident response certifications (e.g., CREST Intrusion Analyst or Incident Manager).
  • Experience deploying and monitoring endpoint protection (e.g. SentinelOne) across a variety of systems during incident response.
  • Experience with network connected devices such as firewalls, VPNs and switches.
  • Experience with backup systems, including Veeam.
  • Experience with virtualization systems, including VMware and Hyper-V.
  • Experience with proactive security tools including vulnerability scanning and security auditing.
  • Experience with security certifications such as Cyber Essentials, Cyber Assurance and ISO 27001.
  • Experience automating tasks using PowerShell and other relevant command line interfaces.

Benefits

  • Flexible working
  • Company pension scheme (3% employer contribution)
  • 24 Days annual holiday plus Bank holidays
  • Extra day's holiday for your birthday
  • Annual holiday loyalty bonus (increasing to 30 days after 3 years)
  • MediCash Cashplan
  • Life Assurance (Death in Service)
  • Annual Media Subscriptions (from a choice of Netflix HD, Amazon Prime, etc)

Security Clearance

Please note that this role will require NPPV3 (Non-Police Personnel Vetting, level 3) clearance in addition to national security clearance to SC (Security Check) level. Applicants MUST have been continuously resident in the United Kingdom for the last 5 years. If you do not hold an active SC clearance, please familiarise yourself with the vetting process before applying.

Equal Opportunities

As an equal opportunities employer, CYFOR welcomes applicants from all sections of the community regardless of gender, ethnicity, disability, sexual orientation or transgender status. All appointments are made on merit.

Cyber Incident Responder employer: CYFOR

At CYFOR, we pride ourselves on being an exceptional employer that values our team members as our greatest asset. With a flexible working environment, comprehensive benefits including a generous holiday allowance and a supportive culture focused on professional growth, we empower our Cyber Incident Responders to thrive in their roles while making a meaningful impact in the cybersecurity landscape. Join us in a dynamic and collaborative atmosphere where your expertise will be recognised and rewarded.

Contact Detail:

CYFOR Recruiting Team

StudySmarter Expert Advice 🤫

We think this is how you could land Cyber Incident Responder

✨Tip Number 1

Network like a pro! Reach out to folks in the cyber security field on LinkedIn or at industry events. You never know who might have the inside scoop on job openings or can put in a good word for you.

✨Tip Number 2

Show off your skills! Create a portfolio showcasing your incident response projects, case studies, or any relevant certifications. This will give potential employers a taste of what you can bring to the table.

✨Tip Number 3

Prepare for interviews by brushing up on common incident response scenarios. Be ready to discuss how you’d handle specific situations and demonstrate your problem-solving skills under pressure.

✨Tip Number 4

Don’t forget to apply through our website! It’s the best way to ensure your application gets seen by the right people. Plus, we love seeing candidates who are proactive about their job search!

We think you need these skills to ace Cyber Incident Responder

Cyber Incident Response
Digital Forensics
M365
Cloud Environments
Incident Handling
Threat Hunting
Threat Intelligence
Forensic Evidence Collection
Malware Triage
Root Cause Analysis
Communication Skills
Project Coordination
Attention to Detail
Analytical Skills
Flexibility

Some tips for your application 🫡

Tailor Your CV: Make sure your CV is tailored to the Cyber Incident Responder role. Highlight your experience in incident response and digital forensics, and don’t forget to mention any relevant certifications. We want to see how your skills match what we're looking for!

Craft a Compelling Cover Letter: Your cover letter is your chance to shine! Use it to explain why you're passionate about cyber security and how your experience aligns with our needs. Keep it concise but impactful – we love a good story that showcases your journey in the field.

Show Off Your Technical Skills: In your application, be sure to showcase your technical knowledge, especially around incident response methodologies and tools. Mention specific experiences where you’ve successfully handled incidents or conducted investigations – we’re keen to hear about your hands-on expertise!

Apply Through Our Website: We encourage you to apply directly through our website. It’s the best way to ensure your application gets into the right hands. Plus, it shows us you’re serious about joining the team at CYFOR!

How to prepare for a job interview at CYFOR

✨Know Your Cyber Incident Response Basics

Before the interview, brush up on your knowledge of common cyber incident types and threat actor methodologies. Be ready to discuss specific incidents you've handled, focusing on your role in containment, eradication, and recovery actions.

✨Showcase Your Technical Skills

Prepare to demonstrate your technical expertise in areas like digital forensics, M365, and cloud environments. Have examples ready that highlight your experience with forensic evidence collection and analysis, as well as your familiarity with tools like EDR and network monitoring.

✨Communicate Clearly and Confidently

Since this role involves client-facing responsibilities, practice articulating complex technical concepts in a way that's easy to understand. Think about how you can adapt your communication style to different audiences, from technical teams to senior stakeholders.

✨Be Ready for Scenario-Based Questions

Expect scenario-based questions that test your problem-solving skills under pressure. Prepare to walk through your thought process during a high-tempo incident response, demonstrating your ability to maintain calm judgement and prioritise effectively.
