Incident Responder


Job Location: Washington, AR - USA

Monthly Salary: Not Disclosed
Posted on: Yesterday
Vacancies: 1 Vacancy

Job Summary

cFocus Software seeks an Incident Responder to support the Administrative Offices of the United States Courts (AOUSC) in Washington DC. This position will require 4 days a week onsite at the Thurgood Marshall Building and 1 day remote, with hours of 8am-4:30pm.

Position Overview

The Incident Responder supports the Administrative Office of the U.S. Courts (AOUSC) by delivering advanced cybersecurity incident response and threat hunting services across both cloud and on-premises environments. This role focuses on identifying, analyzing, and mitigating sophisticated cyber threats while strengthening detection capabilities and improving overall security posture.

Key Responsibilities

  • Provide incident response support for declared security incidents and proactively hunt for threats not detected through automated systems

  • Conduct counterintelligence activities, develop Threat Actor (TA) dossiers, and identify adversary tactics, techniques, and procedures (TTPs)

  • Analyze SIEM alerts and security events to determine risk, impact, and appropriate response actions

  • Collect and analyze forensic data from compromised systems using EDR tools and custom scripts

  • Track and document incidents from initial detection through final resolution

  • Respond to government technical requests via ITSM platforms (e.g., HEAT, ServiceNow)

  • Perform malware triage and root cause analysis

  • Review open-source intelligence for emerging threats and adversary activity

  • Collaborate with court IT personnel to troubleshoot and resolve endpoint detection issues

  • Participate in after-action reviews and provide recommendations for improving security posture

  • Attend Agile Scrum standups and report on assigned Jira tasks

  • Review SOC incident reports and recommend enhancements, escalations, or re-evaluations

Required Qualifications

  • Minimum of 5 years of experience in incident response across cloud and non-cloud environments, including:

    • Microsoft Azure

    • Microsoft O365

    • Microsoft Active Directory

    • Zscaler

  • Minimum of 5 years of experience using Splunk Enterprise Security for incident response

  • Minimum of 5 years of experience collecting and analyzing data using:

    • EDR tools (CrowdStrike, Qualys)

    • Custom scripts (e.g., Sysmon, Auditd)

  • Experience with the following tools and technologies:

    • Microsoft Sentinel (threat hunting in Azure)

    • Tenable Nessus and SYN/ACK (vulnerability management)

    • NetScout (network traffic analysis)

    • (IP/address enrichment)

    • Mandiant threat intelligence feeds

  • Splunk Core Power User certification (required)

  • Must possess one of the following certifications:

    • GIAC Certified Intrusion Analyst (GCIA)

    • GIAC Certified Incident Handler (GCIH)

    • GIAC Continuous Monitoring (GMON)

    • GIAC Defending Advanced Threats (GDAT)

  • Ability to obtain a Low Risk Public Trust Suitability Determination

Key Deliverables

  • QA/Security Analysis review of SOC incident reports

  • Threat Actor (TA) IOC assessments

  • Web Application Firewall (WAF) rule implementations

  • Development of operational templates

  • Advanced SME Incident Response support for Priority 1 events (engagement within 4 hours, 24/7/365)

  • Comprehensive incident reports including:

    • Executive summary

    • Detailed findings

    • Security impact assessment

    • Timeline of events

    • Actions taken

  • Documentation of all work in Jira, aligned with Agile processes

  • Creation and maintenance of Standard Operating Procedures (SOPs) and security playbooks

Work Environment

This role requires a strong on-site presence (80%) at the AOUSC facility in Washington DC and active participation in a collaborative Agile-based cybersecurity operations environment.
Required Experience:

Manager


About Company


Our exclusive ATO as a Service™ software & expert services automate FISMA RMF & FedRAMP compliance.
