Incident Report Lead

Herndon, VA

Full Time

Mid Level

ISI Defense is seeking a cleared, mission-driven Incident Response Lead to lead and scale our IR operations across both internal environments and our Managed Services client base. This role combines deep technical hands-on response with high-stakes coordination across cross-functional teams, multiple departments, legal, ISI stakeholders, and external partners.

As the Incident Response Lead, you will serve as our go-to expert when the signal hits. You’ll shape how we detect, contain, investigate, and recover from incidents—while maturing the processes that power our growing SOC.

You’ll be our first call when an incident escalates, leading both the hands-on technical response and the cross-functional collaboration required to mitigate threats and drive systemic improvement.

Key Responsibilities

Incident Response & Investigation
Act as incident commander during security events, owning containment, triage, forensic investigation, and root cause analysis.
Work directly with SOC Analysts, Support teams, Engineering leads, and Compliance during investigations.
Perform hands-on analysis containment, endpoint analysis, log review, and threat validation using Microsoft Defender, Sentinel, and PowerShell.
Coordination & Stakeholder Management
Serve as incident commander—owning IR communication flow across executive, technical, and legal stakeholders during active investigations.
Coordinate with external IR firms, insurance brokers and legal counsel during privileged investigations.
Liaise with our SOC, Engineering, Support and Compliance teams to drive effective response and recovery.
Detection, Playbooks & Threat Hunting
Develop and tune Sentinel analytics rules, Defender policies, and response workflows.
Create and maintain incident response playbooks, tabletop exercises, and AAR processes.
Lead proactive threat hunting activities across tenant environments.
Track emerging TTPs and continuously refine detections and hunting logic.

Qualifications:

This position requires applicants to have current, interim eligibility or previous security clearance.

Candidates must have held or currently hold a clearance, or have documented eligibility based on a favorable background investigation.
Interim clearances will be accepted for consideration.
All clearances are encouraged to apply.
U.S. citizenship is required by federal regulation.

Applicants without any of the above will not be considered at this time due to contract requirements.

5+ years of hands-on incident response and investigation experience across cloud and on-premise environments.
Strong working knowledge of Microsoft Defender suite, Sentinel, PowerShell, and endpoint/cloud forensics.
Proven ability to lead investigations from triage through containment and recovery.
Proven ability to deliver clear and concise incident reporting to technical and executive stakeholders, including RCA and threat narratives.
Experience coordinating with cross-functional teams—including DevOps, Engineering, Support, and Helpdesk—during real-time IR scenarios.
Familiarity with CMMC 2.0, NIST 800-171, NIST 800-61, and IR planning under regulatory oversight.
Preferred Certifications (any of the following):
GCIH, GCFA, GCIA, or similar GIAC certifications
CISSP, CISM, or CRISC for strategic oversight
Microsoft Certified: Cybersecurity Architect Expert, SC-200, or SC-300
Active or previous U.S. security clearance (Secret or above) a strong plus

Tools & Technologies You’ll Use

Cloud-native SIEM and endpoint protection platforms
Enterprise-grade EDR/XDR solutions
Scripting and query languages (e.g., PowerShell, KQL)
Unified audit logging and identity protection tools
Mobile device management (MDM) and data governance platforms
Secure backup and recovery platforms
PSA and RMM tools for ticketing, automation, and endpoint visibility
Threat intelligence and privileged access management platforms
Vulnerability management and asset inventory tools

What we offer:

Competitive salary range: $120,000-$135,000
Comprehensive benefits package, including generous PTO.
Flexible hybrid work schedule.
Opportunities for professional growth and training.
A collaborative and innovative company culture that values teamwork and continuous improvement.

Why Join ISI Defense?
At ISI Defense, your work protects national security every day. You’ll lead the charge on cyber resilience—building and leading IR processes that span multiple teams, technologies, and mission sets. You’ll help shape our next-gen SOC, directly support CMMC and FedRAMP initiatives, and work with leadership that sees cybersecurity as core to the business.

Apply for this position

Required*

First Name*

Last Name*

Email Address*

Phone*

Address*

Resume*

We've received your resume. Click here to update it.

Attach resume or Paste resume

Attach resume as .pdf, .doc, .docx, .odt, .txt, or .rtf (limit 5MB) or Paste resume

Paste your resume here or Attach resume file

What's your citizenship / employment eligibility?*

LinkedIn Profile URL:

Are you a US Citizen?*

Do you have an active clearance, Secret or above?*

If no active clearance, have you held a clearance previously and are you still clearable?*

Are you willing to visit Herndon, Virginia (compensated and travel paid for and/or reimbursed) on your first day of employment to pickup your laptop and verify bring your I9 verification documents for confirmation?*

The following questions are entirely optional.

Invitation for Job Applicants to Self-Identify as a U.S. Veteran

A “disabled veteran” is one of the following:
- a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or
- a person who was discharged or released from active duty because of a service-connected disability.
A “recently separated veteran” means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.
An “active duty wartime or campaign badge veteran” means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.
An “Armed forces service medal veteran” means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Veteran status

I IDENTIFY AS ONE OR MORE OF THE CLASSIFICATIONS OF PROTECTED VETERAN LISTED ABOVE
I AM NOT A PROTECTED VETERAN
I DON’T WISH TO ANSWER

Voluntary Self-Identification of Disability

Voluntary Self-Identification of Disability Form CC-305
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

Alcohol or other substance use disorder (not currently using drugs illegally)
Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
Blind or low vision
Cancer (past or present)
Cardiovascular or heart disease
Celiac disease
Cerebral palsy
Deaf or serious difficulty hearing
Diabetes
Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
Epilepsy or other seizure disorder
Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
Intellectual or developmental disability
Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
Missing limbs or partially missing limbs
Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
Partial or complete paralysis (any cause)
Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
Short stature (dwarfism)
Traumatic brain injury

Please check one of the boxes below:

YES, I HAVE A DISABILITY, OR HAVE HAD ONE IN THE PAST NO, I DO NOT HAVE A DISABILITY AND HAVE NOT HAD ONE IN THE PAST I DO NOT WANT TO ANSWER

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.

You must enter your name and date
Name	Date

Human Check*

Submit Application

Thanks for visiting our Career Page!

Incident Report Lead

Apply for this position