Lead Cyber Incident Responder

Post Date

Feb 25, 2026

Location

Salisbury, North Carolina

ZIP/Postal Code

28147
US
Apr 30, 2026 Insight Global

Job Type

Contract-to-perm

Category

Security Engineering

Req #

CLT-1952086a-bd2b-4752-bf71-2104b870a67b

Pay Rate

$66 - $82 (hourly estimate)

Job Description

The Lead Cyber Incident Responder (T3) provides expert leadership during security incidents, driving rapid detection, triage, containment, and eradication activities. The role maintains operational readiness of response capabilities, mentors responders, and ensures clear, confident communication across technical and business stakeholders. This individual acts as the escalation point for complex incidents and sets the standard for investigative quality, rhythm, and discipline.

The Lead Cyber Incident Responder will be on call for one week once every 6 weeks and will need to be available 24/7 (realistically 5am EST to 11pm EST) because they have a counterpart in the EU.

We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment regardless of their race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to HR@insightglobal.com. To learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy: https://insightglobal.com/workforce-privacy-policy/.

Required Skills & Experience

Core Responsibilities
1. Incident Detection, Triage, and Response
• Lead and coordinate security incident response operations end-to-end, from initial alert triage through closure.
• Maintain situational awareness of any potential or incoming incidents, including the report-cyber-incident distribution list, identifying and escalating any potential incident as swiftly as possible, in line with documented processes and procedures.
• Validate and prioritize alerts generated by SIEM, EDR, NDR, SOAR, and threat-intel sources, including hunting activities.
• Execute deep and meaningful incident investigations, including analysis across endpoints, servers, cloud services, and network telemetry.
• Direct containment actions: host isolation, account disablement, network blocks, identity access revocations, emergency control changes.
• Ensure eradication and recovery steps are executed cleanly, validated, and documented.
• Decide if, when, and how to escalate incidents to senior management, Legal, HR, DPO, Fraud, BCM, or third parties.
• Maintain accurate incident timelines, chain-of-evidence discipline, and investigation notes.
2. Incident Command & Stakeholder Management
• Drive the battle rhythm: situation updates, decision points, stakeholder engagement, and evidence-based assessment of impact.
• Define incident objectives, assign tasks, and ensure cross-team accountability.
• Communicate status and risk clearly, in both technical and non-technical terms, to technical teams, senior stakeholders, and executives when required.
• Ensure lessons-learned sessions are completed and improvement actions are logged, tracked, and closed.
3. Stakeholder Collaboration
• Work with CTI to enrich investigations, validate IoCs, link activity to adversary behaviour, and drive hunting hypotheses.
• Recommend detection improvements to TDO, signature updates, and tuning based on incident findings.
• Support tactical hunts and pivoting based on novel attacker techniques observed in incidents.
• Participate with the ASM team in the response to critical, high-profile ("celebrity") vulnerabilities and in purple teaming.
4. Tools, Technology, and Automation
• Recommend and request optimization from ACE for IR tooling: EDR, forensic toolkits, log platforms, case management, SOAR playbooks.
• Lead the development, maintenance, and continuous improvement of IR runbooks and playbooks.
• Identify automation opportunities to reduce manual toil and increase response speed.
• Lead IR tabletop exercises, live action drills, simulations and continuous improvement efforts (internal to IR).
• Support wider tabletop exercises (Fusion Cell and ASM), simulations, and purple-team activities to validate readiness.
5. Governance, Reporting, and Assurance
• Produce high-quality incident reports, impact analysis, and executive summaries.
• Track IR metrics: MTTD, MTTA, MTTC, containment quality, repeat incident patterns, root-cause themes.
• Ensure IR actions align with policy, regulatory requirements, and evidentiary standards.
• Provide assurance that security controls performed as expected during incidents; identify deviations and drive remediation.
• Ensure the end-of-shift handover is completed and distributed in a timely fashion and to a high standard.
6. Additional Responsibilities
• Ad hoc fulfillment of audit requests driven by control testing and analysis, limited to SOC/monitoring and IR activities only.
• Ad hoc IR process improvement based on post-mortem activities, driven either directly by IR or by the Fusion Cell.

Benefit packages for this role will start on the 1st day of employment and include medical, dental, and vision insurance, as well as HSA, FSA, and DCFSA account options, and 401k retirement account access with employer matching. Employees in this role are also entitled to paid sick leave and/or other paid time off as provided by applicable law.