Vurke Inc.

Security Operations / Incident Response Specialist

Employee in Technology (Software, IT, AI, Internet)
  • Post Date: March 24, 2026
  • Apply Before: November 10, 2026

Job Detail

  • Job ID: 12020
  • Employment type: Full Time
  • Location: Remote

Job Description

Security Operations / Incident Response Specialist

Location: Remote, United States
Job Type: Full-Time
Work Arrangement: Remote
Department: Security Operations / Cybersecurity / Threat & Incident Response
Reports To: SOC Manager / Incident Response Lead / Head of Security Operations / CISO

Role Overview

We are seeking a highly alert and detail-oriented Security Operations / Incident Response Specialist to handle threat detection, incident triage, escalation, containment, and response coordination across the organization’s security environment. This role is responsible for monitoring suspicious activity, investigating security events, determining impact, coordinating remediation efforts, and strengthening incident detection and response processes over time.

The ideal candidate has hands-on experience in SOC operations, incident response, or threat operations and is comfortable working with SIEM platforms, EDR tools, alert workflows, security logs, and incident handling processes. This person should be able to assess threats quickly, support effective escalation and containment, maintain strong documentation, and work closely with security, infrastructure, IT, and leadership teams during active incidents and post-incident reviews.

This is a remote USA-based role, suited for someone with strong analytical judgment, calm response discipline, and the ability to operate effectively in fast-moving security situations.

Key Responsibilities

Threat Monitoring & Event Detection

  • Monitor suspicious activity, alerts, logs, and security events across endpoints, cloud environments, identity systems, networks, and business platforms
  • Review and triage security signals from SIEM, EDR, email security, IAM, firewall, cloud monitoring, and related security tools
  • Identify indicators of compromise, unusual patterns, policy violations, and high-risk behaviors requiring investigation
  • Prioritize alerts based on severity, credibility, threat context, and potential business impact
  • Support continuous monitoring practices that improve visibility into the organization’s threat landscape

Incident Triage & Investigation

  • Investigate security incidents and alerts to determine scope, cause, impact, and urgency
  • Analyze relevant evidence such as logs, endpoint telemetry, account activity, access patterns, and system behavior
  • Distinguish between false positives, low-priority events, and actionable incidents requiring escalation or response
  • Support incident classification and severity assessment using established workflows and response criteria
  • Document findings clearly and maintain a structured investigative trail for each incident

Containment, Escalation & Remediation Coordination

  • Coordinate containment actions to limit impact during active security incidents
  • Escalate incidents appropriately to internal teams, technical leads, management, or external partners based on severity and response needs
  • Work with IT, cloud, infrastructure, identity, engineering, and business stakeholders to support remediation and recovery
  • Help drive response actions such as account lockdowns, endpoint isolation, access revocation, system checks, or evidence preservation
  • Ensure response coordination remains timely, structured, and aligned with incident handling standards

Incident Documentation & Post-Incident Support

  • Maintain incident logs, investigation notes, evidence records, and post-incident documentation with accuracy and completeness
  • Prepare incident summaries, timelines, status updates, and closure records for operational and management review
  • Support post-incident reviews, root cause analysis, lessons learned, and follow-up action tracking
  • Help ensure incident records are audit-ready, clearly written, and aligned with internal documentation standards
  • Contribute to stronger knowledge capture from incidents and recurring security events

Detection & Response Process Improvement

  • Improve detection and response processes by identifying gaps, repeated issues, and opportunities to refine workflows
  • Recommend improvements to alert tuning, playbooks, escalation criteria, response steps, and investigation quality
  • Help strengthen incident readiness through better process structure, documentation, and coordination practices
  • Support development and refinement of use cases, response procedures, and security operations standards
  • Contribute to continuous improvement of operational security maturity across the environment

Cross-Functional Security Operations Support

  • Work with security engineering, GRC, IT, cloud, infrastructure, and leadership teams to support broader security operations
  • Help communicate incident status, response priorities, and technical findings to the appropriate audiences
  • Support security awareness around recurring threats, attack patterns, and operational vulnerabilities where relevant
  • Assist with readiness activities related to incident drills, tabletop exercises, response reviews, or security control validation
  • Contribute to a disciplined and collaborative security operations environment

Requirements

  • Bachelor’s degree in Cybersecurity, Information Security, Computer Science, Information Systems, or a related field preferred
  • Proven experience in SOC operations, incident response, threat operations, or security monitoring
  • Familiarity with SIEM, EDR, and incident response workflows
  • Strong analytical, triage, and escalation skills
  • Experience investigating suspicious activity, alerts, and security incidents across multiple systems or environments
  • Ability to assess incident impact, coordinate response, and support remediation efforts
  • Strong documentation and incident record-keeping ability
  • Good understanding of security operations principles, threat detection, and response coordination
  • Ability to work calmly and effectively during active incidents or escalations
  • Strong communication and cross-functional coordination skills in a remote environment

Preferred Qualifications

  • Experience with SIEM platforms such as Splunk, Microsoft Sentinel, QRadar, Elastic, Sumo Logic, or similar
  • Experience with EDR tools such as CrowdStrike, Microsoft Defender, SentinelOne, Carbon Black, or similar
  • Familiarity with phishing analysis, endpoint investigations, identity threats, cloud security alerts, or suspicious network activity
  • Understanding of common attack techniques, MITRE ATT&CK concepts, incident severity models, and evidence handling practices
  • Exposure to SOAR tools, case management platforms, forensic workflows, or threat intelligence sources
  • Experience working in regulated environments, enterprise security teams, MSSP environments, or internal SOC structures
  • Relevant certifications such as Security+, CySA+, GCIH, GCIA, SC-200, CISSP, or similar are a plus
  • Experience participating in after-action reviews, tabletop exercises, or incident simulation activities is advantageous

Core Skills

  • Security monitoring
  • Incident response
  • Threat detection
  • Alert triage
  • Incident investigation
  • Containment coordination
  • Escalation management
  • SIEM operations
  • EDR analysis
  • Security documentation
  • Post-incident review
  • Response process improvement
  • Log analysis
  • Cross-functional coordination
  • Security operations

Key Competencies

  • Strong analytical judgment
  • Calm decision-making under pressure
  • High attention to detail
  • Structured investigative thinking
  • Strong escalation discipline
  • Clear and professional communication
  • Strong documentation habits
  • Ownership and accountability
  • Ability to prioritize effectively
  • Continuous improvement mindset

Success Metrics

  • Timely and accurate triage of security alerts and suspicious activity
  • Effective incident investigation and impact assessment
  • Strong coordination of containment and remediation actions
  • Clear and complete incident documentation and reporting
  • Reduced incident handling gaps through improved workflows and playbooks
  • Strong escalation discipline and stakeholder communication during incidents
  • Improved detection and response maturity across security operations

Working Conditions

  • Fully remote role based in the United States
  • Standard business hours aligned with U.S. time zones, with flexibility for incident response needs depending on team structure
  • Frequent collaboration with security, infrastructure, IT, cloud, engineering, and management teams through virtual meetings and response workflows
  • May support live incidents, escalations, monitoring rotations, or post-incident activities across multiple environments
