Incident Responder at cFocus Software Incorporated – Washington, District of Columbia

cFocus Software seeks a n Incident Responder to support the Administrative Offices of the United States Courts (AOUSC) in Washington, DC. This position will require 4 days a week onsite at the Thurgood Marshall Building and 1 day remote with hours of 8am- 4:30pm. Position Overview

The Incident Responder supports the Administrative Office of the U.S. Courts (AOUSC) by delivering advanced cybersecurity incident response and threat hunting services across both cloud and on-premises environments. This role focuses on identifying, analyzing, and mitigating sophisticated cyber threats while strengthening detection capabilities and improving overall security posture.

Key Responsibilities

• Provide incident response support for declared security incidents and proactively hunt for threats not detected through automated systems

• Conduct counterintelligence activities, develop Threat Actor (TA) dossiers, and identify adversary tactics, techniques, and procedures (TTPs)

• Analyze SIEM alerts and security events to determine risk, impact, and appropriate response actions

• Collect and analyze forensic data from compromised systems using EDR tools and custom scripts

• Track and document incidents from initial detection through final resolution

• Respond to government technical requests via ITSM platforms (e.g., HEAT, ServiceNow)

• Perform malware triage and root cause analysis

• Review open-source intelligence for emerging threats and adversary activity

• Collaborate with court IT personnel to troubleshoot and resolve endpoint detection issues

• Participate in after-action reviews and provide recommendations for improving security posture

• Attend Agile Scrum standups and report on assigned Jira tasks

• Review SOC incident reports and recommend enhancements, escalations, or re-evaluations

Required Qualifications

• Minimum of 5 years of experience in incident response across cloud and non-cloud environments, including:

  • Microsoft Azure

  • Microsoft O365

  • Microsoft Active Directory

  • Zscaler

• Minimum of 5 years of experience using Splunk Enterprise Security for incident response

• Minimum of 5 years of experience collecting and analyzing data using:

  • EDR tools (CrowdStrike, Qualys)

  • Custom scripts (e.g., Sysmon, Auditd)

• Experience with the following tools and technologies:

  • Microsoft Sentinel (threat hunting in Azure)

  • Tenable Nessus and SYN/ACK (vulnerability management)

  • NetScout (network traffic analysis)

  • SPUR.us (IP/address enrichment)

  • Mandiant threat intelligence feeds

• Splunk Core Power User certification (required)

• Must possess one of the following certifications:

  • GIAC Certified Intrusion Analyst (GCIA)

  • GIAC Certified Incident Handler (GCIH)

  • GIAC Continuous Monitoring (GMON)

  • GIAC Defending Advanced Threats (GDAT)

• Ability to obtain a Low Risk Public Trust Suitability Determination

Key Deliverables

• QA/Security Analysis review of SOC incident reports

• Threat Actor (TA) IOC assessments

• Web Application Firewall (WAF) rule implementations

• Development of operational templates

• Advanced SME Incident Response support for Priority 1 events (engagement within 4 hours, 24/7/365)

• Comprehensive incident reports including:

  • Executive summary

  • Detailed findings

  • Security impact assessment

  • Timeline of events

  • Actions taken

• Documentation of all work in Jira aligned with Agile processes

• Creation and maintenance of Standard Operating Procedures (SOPs) and security playbooks

Work Environment

This role requires a strong on-site presence (80%) at the AOUSC facility in Washington, DC, and active participation in a collaborative, Agile-based cybersecurity operations environment.