Incident Response & Digital Forensics Analyst


Job Location:

Morges - Switzerland

Monthly Salary: Not Disclosed
Posted on: 3 hours ago
Vacancies: 1 Vacancy

Job Summary

We're looking for an Incident Response & Digital Forensics Analyst to reinforce the local CSIRT team in Switzerland.

We are looking for a Senior DFIR Specialist to join our team in Morges. This is a high-impact role designed for a seasoned professional with extensive field experience in incident response (and digital forensics to some extent) that bridges the gap between deep technical analysis and high-stakes crisis management to ensure our findings are translated into clear and actionable business intelligence.

In this versatile role, you will be expected to lead from the front by conducting hands-on incident response and forensic investigations yourself, but also to coordinate the work of other analysts. This involves steering technical task tracking, overseeing the quality of the team's technical delivery (from initial analysis to remediation) and ensuring that all deliverables meet the highest standards of professional excellence.

As a senior member of the team, you will also play a pivotal role in scaling and maturing our local CSIRT capabilities, helping to shape our methodologies and service evolution in Switzerland.

While not a large part of the job, the role does require a small amount of mentorship and teaching to ensure that more junior members of the team are coping with their workload.

The role will work only in the local CSIRT but will have links into the SOC and Threat Intelligence services for information sharing.

Key Responsibilities

IR Expertise: Perform end-to-end incident response, sometimes for clients in crisis, ensuring high-quality delivery while maintaining a calm and steady presence.

On-Call Rotation: Participate in the 24/7 on-call roster to ensure out-of-hours emergency coverage.

Incident Coordination: Oversee task tracking and technical analysis performed by other analysts during coordinated responses.

Digital Forensics: Conduct in-depth forensic investigations on various media and platforms, including standalone digital forensic engagements outside of live incident response.

Reporting & Quality Control: Write and review detailed incident reports in both French and English (with a keen eye for the legal and strategic implications of every word) and ensure all client-facing documents meet the highest standards.

Proactive Advisory: Support clients in pre-incident phases to bolster their resilience (e.g. enhancing logging, refining incident response plans and playbooks, delivering technical and executive tabletop exercises, implementing strategies to reduce MTTD/MTTR, etc.).

Service Development: Contribute to the growth of the local CSIRT service through technical innovation, methodology improvements and tool development.

Pre-sales & Mentorship: Participate in pre-sales activities (e.g. proposals and presentations) and actively train/upskill junior and mid-level analysts.

Skills & experience you should bring along

Education: Degree in IT, Computer Science or a Cybersecurity-related field.

Experience: Ideally 4 years in DFIR. We are, however, open to talented profiles with less seniority who can demonstrate strong technical autonomy and hands-on expertise in the field.

Certifications: GIAC certifications (such as GCFA, GCFR or GNFA) are a distinct advantage.

Communication: Strong communication skills and a high standard of report writing in both French and English (C1/C2 level). German is a significant advantage.

Crisis Management: Proven ability to handle high-pressure situations in a productive and professional manner, and ability to prioritize and action both operational and project demands.

Business Acumen: Deep understanding of enterprise IT ecosystems, their lifecycles and budgetary constraints.

Technical Proficiency:

  • Deep understanding of adversary tactics and attack methodologies (TTPs), which form the bedrock of any effective defensive strategy.

  • Proven experience in root cause analysis and complex incident response scenarios.

  • Strong understanding of networking principles and protocols (TCP/IP, DNS, SMTP, HTTP, etc.).

  • Proficiency in investigating environments across Google Cloud, AWS and Azure. Experience with Kubernetes and OpenStack would be an advantage.

  • Ability to review and correlate raw log files (Firewall, Netflow, IDS, System logs).

  • Malware triage capabilities to determine malicious intent and impact.

  • Experience with network analysis tools would be an advantage (like Wireshark, tcpdump, Zeek or RITA).

  • Solid knowledge of the requirements for legally defensible investigations and chain of custody.

  • Proficiency in extracting and analysing forensic artefacts across various operating systems.

Tooling & Automation:

  • Hands-on experience with EDR/XDR solutions (such as Cortex XDR or CrowdStrike), including threat hunting and containment actions.

  • Proficiency with modern acquisition and triage tools (such as KAPE, Velociraptor or RedLine).

  • Ability to automate repetitive tasks, streamline workflows and parse data using at least one scripting language (like Python and PowerShell).
