Senior DFIR & Threat Hunting Specialist

About the Role

We are seeking a senior cybersecurity researcher with expertise in digital forensics, incident response (DFIR), and advanced threat hunting. In this position, you will remain hands-on in technical investigations while also having the opportunity to guide a small team of researchers. The role is primarily research-focused and includes light optional leadership responsibilities. You will analyze compromised systems, uncover attacker activity across endpoints, networks, and cloud environments, and deliver actionable intelligence to strengthen clients’ defenses. Alongside your technical work, you may mentor junior analysts and help the team execute high-impact investigations.

• Acquire and analyze volatile memory, disk images, and other key artifacts from compromised systems.
• Investigate file systems, registry hives, persistence mechanisms, and timeline data to identify attacker actions.
• Leverage forensic tooling (Velociraptor, Volatility, Plaso) to extract IOCs and reconstruct attack paths.
• Apply methodical approaches to sanitize and restore potentially infected machines.
• Lead or support incident response engagements, triaging live incidents, containing threats, and supporting eradication and recovery efforts.
• Map attacker TTPs to MITRE ATT&CK, identifying lateral movement, privilege escalation, and data exfiltration.
• Provide remediation guidance and hardening recommendations to reduce future risk.
• Conduct proactive hunts across SIEM, EDR, and log sources to detect stealthy adversary activity.
• Develop hypotheses, create and tune detection rules, and improve alert fidelity.
• Analyze network traffic to detect beaconing, C2 channels, and exploitation attempts.
• Decompile and study malicious binaries, scripts, and implants to understand capabilities and persistence.
• Extract IOCs, C2 infrastructure, and adversary toolkits to support response and intelligence sharing.
• Develop YARA rules and custom forensic signatures.
• Optionally guide a small forensic response team while staying deeply engaged in technical research.
• Mentor junior analysts, review their findings, and ensure high technical quality in investigations.
• Contribute to internal IR playbooks, methodologies, and process improvements.
• Produce detailed, court-admissible forensic reports documenting evidence and attack chains.
• Deliver technical and executive briefings to clients following incidents.
• Share findings internally and contribute to intelligence repositories.

• Forensic Expert: Skilled in memory, disk, and endpoint analysis across Windows, Linux, and cloud environments.
• Incident Responder: Confident in high-pressure environments with proven containment and eradication expertise.
• Threat Hunter: Adept at uncovering stealthy adversary activity through proactive hunts and detection engineering.
• (Optional) Team Leader: Experience guiding small technical teams is an advantage but not required.
• Clear Communicator: Able to translate forensic and technical insights into actionable recommendations.

• 5+ years of DFIR, threat hunting, or incident response in enterprise or government environments.
• Expertise with forensic tools (Volatility, Velociraptor, FTK Imager, Autopsy, KAPE, Plaso, OSQuery).
• Strong knowledge of Windows internals, Linux forensic artifacts, file systems, and acquisition methodologies.
• Hands-on malware analysis and binary reversing experience.
• Strong grasp of adversary TTPs, detection engineering, and hunting frameworks.
• Familiarity with SIEM (Splunk, ELK), EDR (CrowdStrike, Defender for Endpoint), and log correlation.
• Scripting skills in Python, PowerShell, or Bash for automation and IOC parsing.
• Prior experience leading or mentoring small technical teams is an advantage (not a requirement).