What Will You Be Doing?The Lead Incident Responder of Cybersecurity Operations is responsible for investigating, containing, eradicating, and recovering from cybersecurity incidents across the Frontier enterprise environment. This role provides leadership, hands-on incident response, digital forensics, threat analysis, and coordination support during active incidents.
The Lead Incident Responder delivers timely and accurate analysis of internal and external threats using detection and response platforms and collaborates with SOC analysts, threat hunters, IT teams, and management to reduce organizational risk. The scope of the environment includes SIEM, EDR, network security controls, cloud platforms, vulnerability management, and threat intelligence services.
Essential Functions- Monitor, investigate, analyze, respond to, and document cybersecurity incidents identified through detection and response platforms.
- Serve as Incident Commander, when assigned, to run the bridge, track actions/owners, and drive cadence.
- Define severity, business impact, and required engagement level (e.g., Sev1-Sev4), and lead initial triage to determine scope and next actions.
- Execute the full incident response lifecycle: identification, containment, eradication, recovery, and post-incident review
- Perform in-depth alert and event analysis across SIEM, EDR, network, endpoint, and cloud sources
- Collect, preserve, and analyze forensic evidence including logs, disk artifacts, memory artifacts, and network traffic
- Apply threat intelligence, indicators of compromise (IOCs), and adversary tactics and techniques using the MITRE ATT&CK framework
- Escalate incidents to Cybersecurity Operations Management and Incident Response Team members as required
- Support active incident response efforts, tabletop exercises, and threat simulation activities
- Conduct investigative analysis to determine impact, scope, and root cause of security incidents
- Lead the detection engineering feedback loop by converting incident learnings into new detections/use cases (SIEM rules, EDR analytics), tune to reduce false positives, and validate via testing.
- Assist with threat hunting activities to proactively identify malicious activity within the environment
- Validate suspected exploitation of vulnerabilities and support remediation efforts
- Coordinate with IT, application, and infrastructure teams to support containment and recovery actions
- Maintain accurate incident documentation, timelines, and reports
- Develop, coordinate, and maintain playbooks for common cyber-related enterprise events including ransomware, business email compromise, identity compromise, etc.
- Use (and help improve) SOAR playbooks for containment (account disable, host isolation, IOC blocking), enrichment, and reporting.
- Contribute to the development and maintenance of incident response procedures and standard operating procedures (SOPs)
- Participate in after-hours and on-call rotation requirements for cybersecurity incidents
- Provide regular status updates to Cybersecurity Operations Management during investigations
- Coordinate internal/external communications (Legal, Privacy, Comms/PR, HR) following established playbooks.
- Coordinate with MSSP/IR retainer and key vendors as needed during active incidents
- Track and report MTTA/MTTR, dwell time, containment time, recurrence, and lessons learned; contribute to operational reporting.
Qualifications- Bachelor's degree in computer science, information technology, cybersecurity, or equivalent combination of education and relevant experience (required)
- 5-10 years of relevant cybersecurity or IT operations experience (required)
- 4+ years of hands-on incident response or security operations experience (required)
- Experience working with enterprise cybersecurity tools such as SIEM, EDR, IDS/IPS, vulnerability management, and threat intelligence platforms
- Experience analyzing adversary tactics and techniques using the MITRE ATT&CK framework
- Familiarity with cybersecurity standards and frameworks such as NIST CSF, NIST 800-61, and PCI DSS (desired)
Knowledge, Skills and Abilities- Strong understanding of incident response processes and investigative methodologies
- Proficiency in SIEM platforms (e.g., Splunk, Microsoft Sentinel, QRadar, or similar)
- Hands-on experience with endpoint detection and response (EDR) tools such as SentinelOne, CrowdStrike, or Microsoft Defender
- Ability to analyze and correlate logs from firewalls, endpoints, servers, SaaS platforms, and cloud environments
- Proficiency in network traffic and packet analysis using tools such as Wireshark
- Working knowledge of malware triage and basic static/dynamic analysis techniques
- Understanding of Active Directory, identity-based attacks, and authentication workflows
- Knowledge of Windows and Linux operating systems and common attack vectors
- Ability to apply threat intelligence and OSINT to incident investigations
- Strong analytical and problem-solving skills with attention to detail
- Ability to communicate clearly and effectively, both verbally and in writing
- Ability to work independently and collaboratively in a fast-paced, high-pressure environment
- Willingness to support after-hours and weekend on-call rotation
Certifications (Preferred)- CompTIA Security+
- CompTIA CySA+
- GIAC Certified Incident Handler (GCIH)
- GIAC Intrusion Analyst (GCIA)
- GIAC Certified Enterprise Defender (GCED)
- CEH
- Microsoft SC-200 or cloud security certifications (Azure/AWS)
Equipment OperatedLaptop endpoint running Windows and a variety of commercial and open-source cybersecurity tools
Work Environment- Hybrid work environment (in-office and remote), subject to change
- Requires participation in on-call rotation for after-hours and weekend incident response
Physical EffortLight physical effort required by handling objects up to 20 pounds occasionally and/or up to 10 pounds frequently.
Supervision ReceivedGeneral Direction: The incumbent normally receives little instruction on day-to-day work and receives general instructions on new assignments.
Salary Range:
$110,114 - $146,157. Please note: this posting has a closing date of on or before midnight 8.31.26 MT.
Positions SupervisedNone
Workplace PoliciesDisclaimer: The above statements are intended only to describe the general nature and level of work required of the referenced position; they are not intended to be an exhaustive list of all responsibilities, duties, and skills required of individuals in this position. Please be advised that duties and expectations of this position may be subject to change.