Position Summary

This position supports Task 3 - Cybersecurity Operations Support - by assisting cyber incident response investigations through evidence collection, forensic acquisition, analysis of host and network artifacts, malware triage, root-cause analysis, containment support, recovery validation, and incident documentation. The role works closely with ENOCS cybersecurity operations personnel, including SOC, CIRT, watch officers, engineers, and analysts, to help deliver Defensive Cyberspace Operations - Internal Defensive Measures (DCO-IDM) across the DoDIN-Army-NG area of responsibility.

Please Note: This position is contingent upon contract award.

This role contributes to the protection of ARNG classified and unclassified network environments that support more than 120,000 users and approximately 141,000 endpoints across roughly 2,800 sites in 54 states and territories. The SOC CIRT Technician - Journeyman helps sustain cyber readiness for Title 10 and Title 32 missions, mobilization readiness, domestic emergency response, and classified SIPRNet operations by supporting incident handling within a 24x7x365 cybersecurity enterprise. Work is performed in coordination with the broader ENOCS cyber ecosystem, including the NETCOM Global Cyber Center, DISA DCDC, USIEM-enabled monitoring and analytics, EDR-supported investigations, and continuous monitoring and reporting processes aligned to DoD and ARNG policy.

Responsibilities

• Perform evidence collection and forensic acquisition activities in support of cyber incident response investigations involving host and network artifacts.
• Analyze collected artifacts to support incident scoping, malware triage, root-cause determination, containment actions, and recovery validation.
• Document investigative actions, technical findings, and incident updates in authorized incident tracking and case management systems.
• Support preparation of incident reports, after-action documentation, and related artifacts required for continuous monitoring and ARNG cybersecurity reporting.
• Coordinate incident response activities with SOC personnel, watch officers, and service owners to support timely escalation, analysis, and resolution of cybersecurity events.
• Assist with investigations informed by USIEM detections, integrated SIEM/C2C/DLP analytics, and EDR telemetry to improve visibility and response across ARNG network environments.
• Support incident coordination and reporting actions aligned with ENOCS Task 3 deliverables and in collaboration with external organizations such as the NETCOM Global Cyber Center and DISA DCDC.
• Contribute to post-incident analysis that strengthens enterprise defenses across ARNG classified and unclassified enclaves, including support to lessons learned and recovery validation.
• Maintain records and supporting documentation in accordance with DoD and ARNG cybersecurity policy, continuous monitoring requirements, and established incident response procedures.

Required Qualifications

U.S. Citizenship is required

Security Clearance: Secret Eligible

Required Certifications: DCWF Work Role 531-Cyber Defense Incident Responder - Basic proficiency; must hold ONE OR MORE of the following: CC, GDSA, GISF

Experience: 3+ years of experience in cybersecurity

• Experience supporting cyber incident investigations involving host-based and network-based evidence collection.
• Experience performing forensic acquisition and technical analysis to support incident scoping, containment, and recovery activities.
• Experience documenting investigative actions, findings, and response status in formal tracking or case management systems.
• Familiarity with malware triage, root-cause analysis, and after-action reporting in operational cybersecurity environments.
• Ability to support continuous monitoring and reporting requirements in alignment with DoD and ARNG cybersecurity policy.
• Experience collaborating with incident response, SOC, and cybersecurity operations personnel during active event handling.
• Working familiarity with classified and unclassified network security operations environments.