| Minimum Requirements: Candidates that do not meet or exceed the minimum stated requirements (skills/experience) will be displayed to customers but may not be chosen for this opportunity. | ||
| Years | Required/Preferred | Experience |
| 5 | Required | Advanced host based forensics across Windows and Linux, including memory, disk, and malware analysis, using telemetry from NetWitness, Gravwell, Google SecOps, and Corelight to validate findings and reconstruct attacker activity. |
| 5 | Required | Ability to correlate host, network, and intelligence data from CrowdStrike, SentinelOne, Microsoft Sentinel, Corelight, and NetWitness to build complete incident timelines. |
| 5 | Required | Experience producing high quality incident reports and executive summaries using evidence collected from Gravwell, NetWitness, Corelight, and case management workflows. |
| 4 | Required | Strong understanding of adversary TTPs, intrusion kill chains, and threat hunting methodologies using packet level and log level data from but not limited to Corelight, NetWitness, and CRIBL pipelines. |
| 3 | Required | Incident Commander experience |
| 1 | Required | Experience supporting SLTT or critical infrastructure environments, including multi tenant IR operations and cross agency coordination. |
| 5 | Preferred | Proficiency with threat intelligence platforms, including Recorded Future, ThreatMon, GreyNoise, Google Threat Intelligence, VirusTotal, and Mandiant, to enrich investigations, validate indicators, and map activity to MITRE Telecommunication&CK. |
| 5 | Preferred | Hands on experience using Cyware CSAP for incident orchestration, automated enrichment, case creation, and workflow execution across SIEM, IPS, EDR, and ticketing systems. |
| 4 | Preferred | Security Certifications Preferred (CISSP, CIH, Sec+) |