Incident Responder

cFocus Software Incorporated
Washington, DC Full Time
POSTED ON 4/8/2026
AVAILABLE BEFORE 6/17/2026
cFocus Software seeks an Incident Responder to support the Administrative Offices of the United States Courts (AOUSC) in Washington, DC. This position will require 4 days a week onsite at the Thurgood Marshall Building and 1 day remote, with hours of 8am-4:30pm.

Position Overview

The Incident Responder supports the Administrative Office of the U.S. Courts (AOUSC) by delivering advanced cybersecurity incident response and threat hunting services across both cloud and on-premises environments. This role focuses on identifying, analyzing, and mitigating sophisticated cyber threats while strengthening detection capabilities and improving overall security posture.


Key Responsibilities

  • Provide incident response support for declared security incidents and proactively hunt for threats not detected through automated systems

  • Conduct counterintelligence activities, develop Threat Actor (TA) dossiers, and identify adversary tactics, techniques, and procedures (TTPs)

  • Analyze SIEM alerts and security events to determine risk, impact, and appropriate response actions

  • Collect and analyze forensic data from compromised systems using EDR tools and custom scripts

  • Track and document incidents from initial detection through final resolution

  • Respond to government technical requests via ITSM platforms (e.g., HEAT, ServiceNow)

  • Perform malware triage and root cause analysis

  • Review open-source intelligence for emerging threats and adversary activity

  • Collaborate with court IT personnel to troubleshoot and resolve endpoint detection issues

  • Participate in after-action reviews and provide recommendations for improving security posture

  • Attend Agile Scrum standups and report on assigned Jira tasks

  • Review SOC incident reports and recommend enhancements, escalations, or re-evaluations


Required Qualifications

  • Minimum of 5 years of experience in incident response across cloud and non-cloud environments, including:

    • Microsoft Azure

    • Microsoft O365

    • Microsoft Active Directory

    • Zscaler

  • Minimum of 5 years of experience using Splunk Enterprise Security for incident response

  • Minimum of 5 years of experience collecting and analyzing data using:

    • EDR tools (CrowdStrike, Qualys)

    • Custom scripts (e.g., Sysmon, Auditd)

  • Experience with the following tools and technologies:

    • Microsoft Sentinel (threat hunting in Azure)

    • Tenable Nessus and SYN/ACK (vulnerability management)

    • NetScout (network traffic analysis)

    • SPUR.us (IP/address enrichment)

    • Mandiant threat intelligence feeds

  • Splunk Core Power User certification (required)

  • Must possess one of the following certifications:

    • GIAC Certified Intrusion Analyst (GCIA)

    • GIAC Certified Incident Handler (GCIH)

    • GIAC Continuous Monitoring (GMON)

    • GIAC Defending Advanced Threats (GDAT)

  • Ability to obtain a Low Risk Public Trust Suitability Determination


Key Deliverables

  • QA/Security Analysis review of SOC incident reports

  • Threat Actor (TA) IOC assessments

  • Web Application Firewall (WAF) rule implementations

  • Development of operational templates

  • Advanced SME Incident Response support for Priority 1 events (engagement within 4 hours, 24/7/365)

  • Comprehensive incident reports including:

    • Executive summary

    • Detailed findings

    • Security impact assessment

    • Timeline of events

    • Actions taken

  • Documentation of all work in Jira aligned with Agile processes 

  • Creation and maintenance of Standard Operating Procedures (SOPs) and security playbooks


Work Environment

This role requires a strong on-site presence (80%) at the AOUSC facility in Washington, DC, and active participation in a collaborative, Agile-based cybersecurity operations environment.

Salary.com Estimation for Incident Responder in Washington, DC
$107,837 to $136,222