Lead hands-on Digital Forensics & Incident Response (DFIR) engagements for active security incidents in Microsoft-centric environments. In addition to DFIR, you will help deliver and mature our Managed Endpoint for Microsoft Defender service—owning policy, posture management, and security hardening across customer environments. You will run investigations end-to-end (scoping, containment, remediation, recovery) and act as the senior technical authority during high-severity incidents within our MDR operations.
Key Responsibilities
- Lead high-severity incident response (ransomware, identity compromise, BEC, cloud intrusions)
- Investigate and respond using Microsoft Defender (Endpoint, Identity, O365, Cloud Apps) and Entra ID
- Perform deep endpoint, identity, email, and cloud investigations; build attacker timelines
- Scope compromise, contain threats, and guide remediation and recovery
- Deliver Managed Endpoint for Defender:
  - Own Defender policy design, deployment, tuning, and enforcement
  - Drive security posture management (baseline hardening, exposure reduction, attack surface reduction (ASR) rules, device control)
  - Continuously assess Defender coverage gaps, misconfigurations, and security hygiene
  - Translate posture findings into prioritized remediation plans for customers
- Use EDR/XDR telemetry for live containment (host isolation, process termination, IOC blocking)
- Produce incident reports, root cause analysis, posture findings, and executive-level updates
- Support SOC escalations and guide L1/L2 analysts during live incidents
- Participate in on-call rotation for 24x7 MDR operations
Required Experience
- 5+ years hands-on DFIR / incident response ownership (not SOC-only)
- Proven experience leading ransomware and multi-stage intrusion investigations
- Strong Windows forensics, endpoint telemetry analysis, and live containment experience
- Deep hands-on experience with Microsoft security stack (Defender suite, Entra ID, M365)
- Experience designing and managing Defender policies and endpoint security posture
- Ability to lead customer-facing incidents independently under pressure
Nice to Have
- Threat hunting and hypothesis-driven investigations
- PowerShell/Python for investigation automation
- MDR/MSSP or consulting background
- DFIR certifications (GIAC, eCTHP, GCFA/GCED/GCFE, etc.)
Work Model
- Remote contractor role, reporting to US office
- On-call / after-hours availability based on incident demand
Why Join Us?
- Work real incidents with real impact — ransomware, identity compromise, cloud intrusions, and advanced threats
- Combine DFIR leadership + Managed Endpoint for Defender, shaping both response and prevention
- High autonomy and technical ownership — you run investigations end-to-end
- Global MDR environment with challenging, non-repetitive cases
- Direct influence on how our DFIR and Managed Endpoint practices are built and matured
- Close collaboration with SOC, engineering, and security leadership — your technical judgment matters