Incident Report Lead

ISI Defense is seeking a cleared, mission-driven Incident Response Lead to lead and scale our IR operations across both internal environments and our Managed Services client base.

This role combines deep technical hands-on response with high-stakes coordination across cross-functional teams, multiple departments, legal, ISI stakeholders, and external partners.  As the Incident Response Lead, you will serve as our go-to expert when the signal hits.

You’ll shape how we detect, contain, investigate, and recover from incidents—while maturing the processes that power our growing SOC.  You’ll be our first call when an incident escalates, leading both the hands-on technical response and the cross-functional collaboration required to mitigate threats and drive systemic improvement.  Key Responsibilities  Incident Response & Investigation  Act as incident commander during security events, owning containment, triage, forensic investigation, and root cause analysis.  Work directly with SOC Analysts, Support teams, Engineering leads, and Compliance during investigations.  Perform hands-on analysis containment, endpoint analysis, log review, and threat validation using Microsoft Defender, Sentinel, and PowerShell.  Coordination & Stakeholder Management  Serve as incident commander—owning IR communication flow across executive, technical, and legal stakeholders during active investigations.  Coordinate with external IR firms, insurance brokers and legal counsel during privileged investigations.  Liaise with our SOC, Engineering, Support and Compliance teams to drive effective response and recovery.  Detection, Playbooks & Threat Hunting  Develop and tune Sentinel analytics rules, Defender policies, and response workflows.  Create and maintain incident response playbooks, tabletop exercises, and AAR processes.  Lead proactive threat hunting activities across tenant environments.  Track emerging TTPs and continuously refine detections and hunting logic.  Qualifications :

• This position requires applicants to have current, interim eligibility or previous security clearance.
• Candidates must have held or currently hold a clearance, or have documented eligibility based on a favorable background investigation.
• Interim clearances will be accepted for consideration.

All clearances are encouraged to apply.

Applicants without any of the above will not be considered at this time due to contract requirements. 5+ years of hands-on incident response and investigation experience across cloud and on-premise environments.  Strong working knowledge of Microsoft Defender suite, Sentinel, PowerShell, and endpoint / cloud forensics.  Proven ability to lead investigations from triage through containment and recovery.  Proven ability to deliver clear and concise incident reporting to technical and executive stakeholders, including RCA and threat narratives.  Experience coordinating with cross-functional teams—including DevOps, Engineering, Support, and Helpdesk—during real-time IR scenarios.  Familiarity with CMMC 2.0, NIST 800-171, NIST 800-61, and IR planning under regulatory oversight.  Preferred Certifications (any of the following) :