Cyber Defense Operations Researcher

nrel
Golden, CO Full Time
POSTED ON 11/25/2025
AVAILABLE BEFORE 1/25/2026
Posting Title: Cyber Defense Operations Researcher
Location: CO - Golden
Position Type: Regular
Hours Per Week: 40

Working at NREL

NREL, located at the foothills of the Rocky Mountains in Golden, Colorado, is the nation's primary laboratory for energy systems research and development. Join NREL, where world-class scientists, engineers, and experts are accelerating energy innovation through breakthrough research and systems integration. From our mission to our collaborative culture, NREL stands out in the research community for its commitment to an affordable and secure energy future. Spanning foundational science to applied systems engineering and analysis, we focus on solving complex challenges to deliver advanced, secure, reliable, and cost-effective energy solutions. Our work helps strengthen U.S. industries, support job creation, and promote national economic growth. At NREL, you’ll find a mission-driven environment supported by state-of-the-art facilities, multidisciplinary research teams, and strong collaborations with industry, academia, and other national laboratories. We offer robust professional development opportunities and a competitive benefits package designed to support your career and well-being.

Job Description

NREL is seeking a mid-career cyber defense operations researcher to join its Cybersecurity Research Center (CRC). The CRC conducts applied research at the intersection of cybersecurity, energy systems, and national resilience—developing the tools, methods, and scientific foundations necessary to secure and sustain the nation’s evolving energy infrastructure. CRC research spans incident response (IR) and threat detection, operational technology (OT) risk analysis, cyber-physical resilience testing, malware and artifact analysis, and defense science.
Working across NREL’s energy, grid, and systems integration missions, the CRC leverages unique laboratory assets—including the ARIES Cyber Range—to conduct high-fidelity cyber defense exercises and modeling that integrate Information Technology (IT), OT, and hybrid energy system architectures. We are seeking a technically strong and research-focused professional to advance incident response science, detection engineering, and defensive experimentation. The successful candidate will possess hands-on experience responding to cyber incidents, conducting forensic analysis, and translating findings into improved detection logic, playbooks, and system-level resilience strategies.

Key Research Responsibilities:

Researcher IV

- Lead incident-response and detection research strategy, shaping experiment design, modeling approach, and scientific rigor.
- Architect and direct incident-response exercises spanning IT/OT/cyber-physical environments; develop crisis-response workflows.
- Design, validate, and operationalize advanced detection engineering solutions, drive automation strategy.
- Extend cybersecurity frameworks to produce new research methodologies and defense evaluation techniques.
- Lead forensic investigations; produce reproducible analysis packages suitable for publication/Department of Energy (DOE) deliverables.
- Translate research outcomes into resilience strategies, quantitative performance metrics, and sponsor-ready deliverables.
- Lead proposal development and serve as primary/lead author on technical publications or conference presentations.
- Build and lead cross-functional research teams; set objectives, track deliverables, manage schedules, and brief leadership.
- Guide the development of defensible architecture and automated incident response exercise pipelines in the cyber range.
- Provide sustained mentorship to junior researchers, act as a technical resource and role model within the laboratory.
Researcher III

- Conduct cyber range experimentation to support incident response and detection research (malware/log analysis, defensive modeling).
- Execute incident-response exercises (live-fire, playbook testing, crisis workflows) with guidance from senior staff.
- Develop and refine detection artifacts (Security Information and Event Management (SIEM) rules, use-cases, enrichment logic, automation scripts).
- Apply standard cybersecurity frameworks (MITRE ATT&CK / ICS ATT&CK, NIST IR lifecycle) to inform experiment design.
- Perform forensic evidence collection and contribute timelines, artifacts, and post-incident analysis.
- Document research outcomes and integrate findings into resilience models and incident-response playbooks.
- Contribute written sections to research proposals, reports, and publications.
- Collaborate with interdisciplinary teams (modeling, energy systems, cyber monitoring) to support experimental execution.
- Support development of the cyber range monitoring infrastructure and automation scripts.
- Share knowledge and assist interns or junior researchers when appropriate.

Basic Qualifications

Researcher IV

- Relevant PhD and 4 or more years of experience. Or, relevant Master's Degree and 7 or more years of experience. Or, relevant Bachelor's Degree and 9 or more years of experience.
- Demonstrated in-depth knowledge of laws, regulations, principles, procedures and practices related to specific field.
- Excellent leadership, communication, problem solving and project management skills.
- Ability to use various computer software programs.

Researcher III

- Relevant PhD. Or, relevant Master's Degree and 3 or more years of experience. Or, relevant Bachelor's Degree and 5 or more years of experience.
- Demonstrates broad understanding and wide application of engineering technical procedures, principles, theories and concepts in the field.
- General knowledge of other related disciplines.
- Demonstrates leadership in one or more areas of team, task or project lead responsibilities.
- Demonstrated experience in management of projects.
- Very good writing, interpersonal and communication skills.

* Must meet educational requirements prior to employment start date.

Additional Required Qualifications

- Must be able to obtain and maintain a DOE security clearance at the Q/TS/SCI level. A polygraph may be required. Eligibility requirements: To obtain a clearance, an individual must be at least 18 years of age; U.S. citizenship is required except in very limited circumstances. See DOE O 472.2A for additional information.
- Understanding and application of project management principles, concepts, practices, and standards
- Ability to travel as needed up to 25%

Preferred Qualifications

Researcher IV

- Advanced experience in Incident Response, threat hunting, forensics, malware analysis, preferably in critical infrastructure environments.
- Deep understanding of detection engineering and monitoring at enterprise/OT scale; ability to architect solutions.
- Strong proficiency in automation/scripting applied to tooling development and scalable IR workflows.
- Applied expertise in Industrial Control Systems (ICS)/OT systems and energy sector architectures; recognized in this technical space.
- Demonstrated record of producing reproducible research-grade results (peer-reviewed publications, conference papers).
- Skilled communicator able to brief DOE sponsors, industry partners, and senior leadership.
- Proven ability to lead cross-functional research efforts, secure research funding, and mentor staff.

Researcher III

- Hands-on experience in incident response, Security Operation Center (SOC) operations, threat hunting, forensics, or malware analysis.
- Working knowledge of detection and monitoring architectures (SIEM, EDR/XDR, packet capture tools, basic OT visibility).
- Proficiency with scripting/automation languages (Python, PowerShell, Bash) to support workflows.
- Familiarity with ICS/OT and energy sector concepts (Modbus, DNP3, IEC standards) or willingness to learn.
- Demonstrated ability to produce defensible IR findings and contribute to reports and after-action documentation.
- Effective written and verbal communication in multidisciplinary research environments.
- Ability to work independently while collaborating across functional research teams.

Job Application Submission Window

The anticipated closing window for application submission is up to 30 days and may be extended as needed.

Annual Salary Range (based on full-time 40 hours per week)

Job Profile: Researcher IV / Annual Salary Range: $117,200 - $211,000
Job Profile: Researcher III / Annual Salary Range: $97,800 - $176,000

NREL takes into consideration a candidate’s education, training, and experience, expected quality and quantity of work, required travel (if any), external market and internal value, including seniority and merit systems, and internal pay alignment when determining the salary level for potential new employees. In compliance with the Colorado Equal Pay for Equal Work Act, a potential new employee’s salary history will not be used in compensation decisions.

Benefits Summary

Benefits include medical, dental, and vision insurance; short*- and long-term disability insurance; pension benefits*; 403(b) Employee Savings Plan with employer match*; life and accidental death and dismemberment (AD&D) insurance; personal time off (PTO) and sick leave; paid holidays; and tuition reimbursement*. NREL employees may be eligible for, but are not guaranteed, performance-, merit-, and achievement-based awards that include a monetary component. Some positions may be eligible for relocation expense reimbursement. Limited-term positions are not eligible for long-term disability or tuition reimbursement.

* Based on eligibility rules

Badging Requirement

NREL is subject to Department of Energy (DOE) access restrictions.
All employees must also be able to obtain and maintain a federal Personal Identity Verification (PIV) card as required by Homeland Security Presidential Directive 12 (HSPD-12), which includes a favorable background investigation.

Drug Free Workplace

NREL is committed to maintaining a drug-free workplace in accordance with the federal Drug-Free Workplace Act and complies with federal laws prohibiting the possession and use of illegal drugs. Under federal law, marijuana remains an illegal drug. If you are offered employment at NREL, you must pass a pre-employment drug test prior to commencing employment. Unless prohibited by state or local law, the pre-employment drug test will include marijuana. If you test positive on the pre-employment drug test, your offer of employment may be withdrawn.

Submission Guidelines

Please note that in order to be considered an applicant for any position at NREL you must submit an application form for each position for which you believe you are qualified. Applications are not kept on file for future positions. Please include a cover letter and resume with each position application.

Equal Opportunity Employer

All qualified applicants will receive consideration for employment without regard to age (40 and over), color, disability, gender identity, genetic information, marital status, domestic partner status, military or veteran status, national origin/ancestry, race, religion, creed, sex (including pregnancy, childbirth, breastfeeding), sexual orientation, and any other applicable status protected by federal, state, or local laws.

E-Verify

www.dhs.gov/E-Verify
E-Verify is a registered trademark of the U.S. Department of Homeland Security. This business uses E-Verify in its hiring practices to achieve a lawful workforce.

NREL is a leader in the U.S. Department of Energy’s effort to secure an environmentally and economically sustainable energy future. With locations in Golden and Boulder, Colorado, and a satellite office in Washington, D.C., NREL is the primary laboratory for research, development, and deployment of renewable energy technologies in the United States.

NREL is subject to Department of Energy (DOE) access restrictions. All candidates must be authorized to access the facility per DOE rules and guidance within a reasonable time frame for the specified position in order to be considered for an interview and for hiring. DOE rules for site access during the interview process depend on whether the candidate is interviewed on-site, off-site, or via telephone or videoconference. All employees must also be able to obtain and maintain a federal Personal Identity Verification (PIV) card as required by Homeland Security Presidential Directive 12 (HSPD-12), which includes a favorable background investigation. Additionally, DOE contractor employees are prohibited from participating in certain Foreign Government Talent Recruitment Programs (FGTRPs). If a candidate is currently participating in an FGTRP, they will be required to disclose their participation after receiving an offer of employment and may be required to disengage from participation in the FGTRP prior to commencing employment. Any offer of employment is conditional on the ability to obtain work authorization and to be granted access to NREL by the Department of Energy (DOE).

Please review the information on our Hiring Process website before you create an account and apply for a job. We also hope you will learn more about NREL, visit our Careers site, and continue to search for job opportunities at the lab.

Salary : $97,800 - $176,000

