Lead Security Analyst, Cloud & Endpoint Incident Response

1150868

About the role

The Lead Security Analyst is a senior hands-on role within Security Operations focused on cloud-centric incident response with a primary emphasis on AWS while also leading complex investigations across endpoint identity and SaaS environments. This role is for an experienced investigator who operates confidently in high-impact incidents owns response end-to-end and improves how security incidents are detected investigated and contained at scale. This is not simply an alert-triage role; it is a senior investigative and technical leadership position.

What youll do

Threat awareness & rapid assessment

• Track emerging threats (active exploitation 0-days vendor advisories high-risk CVEs) and quickly assess relevance to our AWS environment and endpoints.
• Triage external and internal inputs (customer-reported issues bug bounty reports security research escalations) and drive them through validation investigation and mitigation when risk is confirmed.
• Translate threat intelligence into practical actions: containment guidance detection updates and prioritized remediation.

Incident response & investigation

• Lead and execute high-severity security incidents across AWS endpoints identity and SaaS environments.
• Drive incidents from initial signal through scoping containment eradication recovery and post-incident review.
• Reconstruct attacker activity by correlating AWS and endpoint evidence to determine initial access persistence privilege escalation lateral movement and impact.
• Produce clear incident documentation (timelines findings evidence and actionable recommendations) for both technical and non-technical stakeholders.

AWS incident response

• Investigate AWS incidents including IAM abuse credential compromise control-plane attacks persistence mechanisms and lateral movement.
• Use AWS telemetry to scope and confirm activity including CloudTrail CloudWatch Logs VPC Flow Logs IAM and GuardDuty.
• Lead investigations involving common AWS compromise patterns
• Execute containment actions across cloud surfaces including credential/session revocation policy/role changes resource quarantine and access tightening balancing speed with service impact.
• Identify visibility and telemetry gaps and work with engineering teams to close them (logging coverage retention alerting access model for incident response).

Detection automation & readiness

• Improve detection coverage across AWS and endpoint environments by validating detections against real-world attack scenarios and incident learnings.
• Partner with detection engineering to test and deploy new detections tune noisy detections and strengthen investigation context.
• Build and maintain investigation and response automation using SOAR tools and scripting.
• Develop and evolve AWS and endpoint incident response playbooks and ensure theyre usable under pressure.

Engineering partnership & remediation ownership

• Partner with Engineering SRE and IT to implement mitigations including infrastructure configuration changes and application-level fixes when needed.
• Track corrective actions to completion and ensure incident learnings translate into durable prevention (not just documentation).

Required experience

• Strong understanding of software engineering fundamentals including code structure build systems dependencies and package ecosystemsenabling effective partnership with Engineering teams.
• Understanding of CI/CD pipelines and DevOps workflows enabling collaboration with Infrastructure and DevOps teams.
• Solid knowledge of cloud architecture especially Amazon Web Services (AWS) services used in modern cloud-native deployments.
• Hands-on experience responding to AWS security incidents including investigation and containment actions.
• Familiarity with SaaS architectures identity systems and integration patterns for effective collaboration with Cloud Security teams.
• Proven experience leading complex security incidents across cloud and endpoint environments.
• Strong understanding of identity and access concepts (IAM roles federation OAuth privilege escalation patterns).
• Experience using a SIEM for investigations and detection development (Splunk preferred).
• Comfortable scripting or automating in Python to accelerate investigations and response workflows.
• Strong Linux investigation skills; solid working knowledge of macOS and Windows.

Preferred experience

• Experience operating in multi-account AWS environments and building practical IR workflows for scale (centralized logging access patterns guardrails).
• Familiarity with AWS security services beyond core telemetry (e.g. Security Hub Detective Config Macie).
• Familiarity with Kubernetes containers serverless infrastructure or modern distributed systems.
• SOAR experience building reliable auditable automations and response workflows.

What we value

• Calm structured decision-making under pressure
• Speed with evidence-based rigor
• Ownership and follow-through on remediation
• Strong cross-functional collaboration with engineering teams
• An automation and continuous-improvement mindset