Job Title: Cyber Incident Response Analyst
Location: Remote (Offsite-eligible, U.S.-based); occasional on-site support as required
Clearance Required: Active Secret clearance preferred. Candidates who are eligible to obtain the required Tier 3 (T3) / IT-II background investigation are encouraged to apply.
Employment Type: Full-Time
Overview
Cornerstone Technology Enterprises is seeking experienced cybersecurity professionals to support a large Department of Defense enterprise cybersecurity program for our government customer. For this position, we are hiring a Cyber Incident Response Analyst to investigate, contain, and eradicate cyber threats as part of a 24x7 Cyber Incident Response Team (CIRT). If you live for the hunt — running down alerts, scoping an incident, and driving it to clean recovery — this role is built for you.
This is a remote-eligible role supporting a 24x7 CIRT, with after-hours on-call coverage (historically about one after-hours incident response per quarter, with one-hour recall). Day to day, you will conduct technical investigations into cybersecurity events and incidents, provide the facts and technical detail needed for containment and eradication, recommend and coordinate mitigations that harden systems against recurrence, and document everything to standard within tight notification timelines.
You’ll support one of the Department of Defense’s largest enterprise environments, spanning approximately 15,000 network and endpoint devices, hundreds of mission applications, and globally deployed identity management systems.
Candidates with an incident response, SOC, DFIR, threat hunting, or cybersecurity analyst background are strongly encouraged to apply. This role is classified under a contract labor category as Network Engineer; the work is cyber incident response and analysis, not network engineering. You must be able to support an after-hours on-call rotation as part of 24x7 CIRT coverage.
What You Will Do
Incident Investigation, Containment & Eradication (~35%)
- Participate as a member of the CIRT, conducting technical investigations into cybersecurity events and incidents
- Provide facts, technical detail, and risk-reduction methods to drive containment, eradication, and recovery
- Implement mitigation techniques and corrective actions to harden systems against recurrence, and follow up to ensure changes are completed
Playbooks, SOAR & Automation (~20%)
- Develop and maintain incident response Tactics, Techniques, and Procedures (TTPs) and playbooks — key tasks, tools, decision points, and escalation paths
- Integrate SOAR automation into response workflows to accelerate triage, enrichment, and response
- Incorporate lessons learned, after-action reports, and table-top results into continuous TTP and playbook improvement
Reporting & Notification (~20%)
- Notify and report cybersecurity events and incidents within required timeframes (CJCSM 6510.01B and incident-response SOPs)
- Complete closure notes and incident reports within established timelines, categorizing events and incidents correctly
- Produce weekly event/incident summaries and keep government cybersecurity leadership informed of major incidents
Coordination, Forensics & Exercises (~25%)
- Coordinate with DoD Cyber Service Providers (CSSPs) and higher cyber commands for incident triage, mitigation, and forensic analysis, including chain-of-custody duties
- Serve as primary point of contact for externally reported incidents and perform correlation analysis across incidents
- Plan and run incident response drills and table-top exercises to test and continuously improve the incident response plan
Required Qualifications
- Active Secret clearance preferred. Candidates who are eligible to obtain the required background investigation are encouraged to apply.
- U.S. citizenship (required for CAC and DoD network access)
- Ability to support an after-hours on-call rotation as part of 24x7 CIRT coverage (one-hour recall)
- 3+ years of experience in cyber incident response, SOC analysis, or digital forensics and incident response (DFIR)
- Hands-on experience investigating, containing, and remediating security incidents
- Experience with SIEM and SOAR platforms (e.g., Splunk, Microsoft Sentinel, Elastic, Palo Alto Cortex XSOAR, or similar)
- Working knowledge of attacker tactics and the incident response lifecycle, including the MITRE ATT&CK framework
- Strong technical writing for incident reports, TTPs, and notifications under tight timelines
- CompTIA Security+ (or ability to obtain within 30 days of start) to meet the DoD 8140/8570 baseline
Preferred Qualifications
- Experience on a DoD or federal CIRT/CSIRT coordinating with Cyber Service Providers (CSSPs) and higher cyber commands
- Hands-on SOAR automation development (e.g., Cortex XSOAR, Splunk SOAR/Phantom, Tines, or similar)
- Digital forensics or malware analysis experience, including chain-of-custody handling
- Familiarity with CJCSM 6510.01B incident categorization and DoD incident reporting requirements
- Alignment to DCWF Work Role 531 (Cyber Defense Incident Responder); certifications such as GCIH, GCFA, CySA+, or CEH
- Familiarity with endpoint detection and response (EDR) and tools such as Tanium, Trellix, or Palo Alto firewalls/IPS
- Experience supporting a large-scale DoD IT operations program in a federal/DoD environment
Why Join Cornerstone?
Cornerstone Technology Enterprises is a veteran-owned small business with deep experience supporting federal and defense missions. Our teams operate inside production environments, supporting systems that matter, while maintaining a culture that values trust, accountability, and technical excellence.
This role puts you on the team that responds when it matters most — containing threats, driving clean recovery, and hardening the enterprise so the same thing does not happen twice. It is a chance to sharpen your incident response and DFIR skills on a national-level DoD mission, working alongside Cyber Service Provider and cyber-command partners across the defense community.
Pay: $90,000.00 - $100,000.00 per year
Benefits:
- 401(k)
- 401(k) matching
- Dental insurance
- Employee discount
- Flexible spending account
- Health insurance
- Health savings account
- Life insurance
- Paid time off
- Retirement plan
- Vision insurance
Application Question(s):
- This role is part of a 24x7 CIRT with an after-hours on-call rotation and one-hour recall. Are you able and willing to support that?
- Due to U.S. Government contract requirements, this position requires U.S. citizenship and eligibility for a Secret security clearance. Do you meet these requirements?
License/Certification:
- CompTIA Security+ (Required)
Security clearance:
Work Location: Remote