Eames Consulting Group

Digital Forensics & Incident Response (DFIR) Analyst

Fresher
  • Posted 19 hours ago
Job Description

We are looking for a technically sharp and investigatively minded DFIR Analyst to join a specialist cybersecurity team. In this role, you will sit at the intersection of forensic investigation and live incident response — conducting deep-dive analysis across a wide range of environments while helping to contain and remediate active threats. If you thrive under pressure, think like an adversary, and bring rigour to every investigation, this role is built for you.

What You'll Do

  • Lead and support end-to-end incident response engagements, from initial triage through to containment, eradication, and post-incident review
  • Conduct forensic acquisition and analysis of digital artefacts across endpoints, servers, and network infrastructure
  • Investigate security incidents involving malware infections, data exfiltration, unauthorised access, and insider threats
  • Perform memory forensics, log analysis, and timeline reconstruction to establish attack chains and attribute threat activity
  • Analyse malicious code and attacker tooling to understand the adversary's tactics, techniques, and procedures (TTPs)
  • Hunt for indicators of compromise (IOCs) and signs of persistent threat actor activity across environments
  • Produce clear, well-structured investigation reports for both technical and non-technical audiences
  • Contribute to the continuous improvement of DFIR playbooks, detection logic, and response procedures
  • Collaborate with threat intelligence and security operations teams to enrich investigations with broader adversarial context

What We're Looking For

  • Hands-on experience in digital forensics and/or incident response, with exposure to both disciplines preferred
  • Proficiency with industry-standard DFIR tooling — such as EnCase, FTK, Velociraptor, KAPE, Volatility, or equivalent
  • Strong understanding of operating system internals (Windows and/or Linux) and how attackers leverage them
  • Familiarity with the MITRE ATT&CK framework and its practical application in investigations
  • Experience working with SIEM platforms and EDR solutions in an investigative capacity
  • Ability to analyse network traffic, logs, and system artefacts to reconstruct events and determine scope of compromise
  • Strong written communication skills, with the ability to convey complex technical findings clearly
  • Relevant certifications such as GCFE, GCFA, GCIH, GNFA, or equivalent are advantageous

Job ID: 146610645