ECS

SOC CIRT Team Lead - SME

$120K — $150K *
Education, Government & Non-Profit
11 - 15 years of experience
Job Overview by Ladders

Qualifications

  • U.S. Citizenship is required.
  • Secret security clearance eligibility.
  • Certifications: Must hold one or more of the following: CFR, CySA+, GCFA, GCIA, GICSP.
  • 12+ years of experience in cybersecurity.
  • Master's degree or higher in relevant fields such as Computer Science or Cybersecurity.
  • Proven leadership in cyber incident response activities such as investigation and recovery.
  • Experience in managing communication and escalation throughout the incident response lifecycle.

Responsibilities

  • Lead cyber incident response actions including investigation, containment, and recovery for ARNG networks.
  • Coordinate Cyber Incident Response Team activities with SOC functions for effective incident management.
  • Manage forensic and malware analysis to assess incident scope and adversary tactics.
  • Oversee incident communication, ensuring timely updates to stakeholders based on severity and impact.
  • Produce incident reports, after-action reviews, and lessons learned to enhance response strategies.
  • Collaborate with military cybersecurity organizations to support incident analysis and remediation efforts.
  • Utilize operational data to influence incident response decisions and improve defenses.

Benefits

  • Opportunity to work in a high-impact, mission-driven environment.
  • Exposure to cutting-edge cybersecurity technologies and methodologies.
  • Collaboration with various military cybersecurity agencies and stakeholders.
  • Engagement with a broad user base and diverse operational settings.
  • Potential for career advancement within a respected defense and security organization.

Full Job Description

Position Summary

ECS is seeking a SOC CIRT Team Lead - SME to support the Army National Guard (ARNG) Enterprise Network Operations and Cybersecurity Support (ENOCS) program. This position supports Task 3 - Cybersecurity Operations Support - by leading cyber incident response activities across the ARNG enterprise and directing investigation, containment, eradication, recovery, reporting, and post-incident analysis. The SOC CIRT Team Lead serves as a senior response lead within ENOCS' broader cybersecurity operations construct, coordinating with SOC monitoring and analysis personnel, forensic and malware analysts, engineers, and compliance/RMF teams to strengthen Defensive Cyberspace Operations - Internal Defensive Measures (DCO-IDM) outcomes across the DoDIN-Army-NG area of responsibility.

This role directly supports a mission environment delivering DoDIN services to more than 120,000 users and approximately 141,000 endpoints across roughly 2,800 sites in 54 states and territories, including support to Title 10 and Title 32 missions, mobilization readiness, domestic emergency response, and classified SIPRNet operations. The SOC CIRT Team Lead operates within a technical environment that includes 24x7x365 SOC operations, Unified Security Information & Event Management (USIEM) analytics, EDR, SOAR, IDS/IPS event integration, DLP/C2C analytics, and coordination with NETCOM Global Cyber Center, DISA DCDC, ARCYBER, USCYBERCOM, RCCs, and other mission stakeholders to ensure timely incident response and continuous improvement of ARNG cyber defenses.

Please Note: This position is contingent upon contract award.

Responsibilities

  • Lead cyber incident response activities by directing investigation, containment, eradication, and recovery actions for security events affecting ARNG classified and unclassified network environments.
  • Coordinate Cyber Incident Response Team activities with SOC monitoring and analysis functions to ensure incidents are properly triaged, escalated, documented, and resolved in accordance with ARNG and DoD cybersecurity policy.
  • Manage forensic and malware analysis efforts to determine incident scope, identify adversary tactics, techniques, and procedures, and support effective remediation and recovery actions.
  • Oversee incident communications and escalation, ensuring timely coordination with internal stakeholders and external organizations as required by severity, mission impact, and reporting criteria.
  • Produce incident reports, after-action reviews, and lessons-learned artifacts that improve detection engineering, response procedures, and continuous monitoring across the ENOCS cyber operations mission set.
  • Coordinate with NETCOM Global Cyber Center, DISA DCDC, ARCYBER, USCYBERCOM, and regional RCC stakeholders, as applicable, to support incident analysis, notification, and remediation activities across the DoDIN-Army-NG AOR.
  • Leverage operational data from USIEM, EDR, IDS/IPS, and related analytics sources to support incident scoping, response decision-making, and post-incident defensive improvements.
  • Ensure required documentation and reporting are completed in support of Task 3 deliverables for cyber incident response and digital media analysis, while maintaining alignment with continuous monitoring and RMF-related evidence needs.
  • Support the refinement of response playbooks, escalation procedures, and threat-informed defensive processes to improve the speed and quality of ARNG incident response operations.


Required Qualifications

U.S. Citizenship is required

Security Clearance: Secret Eligible

Required Certifications: DCWF Work Role 531 - Cyber Defense Incident Responder - Advanced proficiency; must hold ONE OR MORE of the following: CFR, CySA+, GCFA, GCIA, GICSP

Experience: 12+ years of experience in cybersecurity

Education: Master's degree or higher in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, or Software Engineering
  • Demonstrated ability to lead cyber incident response activities spanning investigation, containment, eradication, and recovery.
  • Experience managing incident communications, escalation actions, and required reporting through all phases of the response lifecycle.
  • Experience coordinating forensic analysis and malware analysis activities to support incident scoping, evidence development, and remediation.
  • Ability to produce complete incident documentation, after-action reporting, and lessons-learned artifacts that inform continuous improvement.
  • Experience operating in a 24x7x365 SOC and cyber defense environment supporting enterprise-scale monitoring and response operations.
  • Familiarity with continuous monitoring requirements and maintaining documentation aligned to DoD and ARNG cybersecurity policy.
  • Experience working with enterprise security analytics and response capabilities such as SIEM, EDR, IDS/IPS, and related case management workflows.
  • Ability to coordinate effectively with cyber operations stakeholders, engineers, watch personnel, and leadership across a distributed enterprise environment.

About ECS

ECS is a leading provider of digital solutions and services to the federal government. The company was founded in 2001 by Roy Kapani and has since grown to become a trusted partner to a wide range of government agencies. ECS offers a broad range of services, including cloud computing, cybersecurity, and artificial intelligence. The company has been recognized for its innovative solutions and has won numerous awards, including the AWS Public Sector Partner of the Year award.
Size
2,000 employees