SOC CTIC Lead - SME

FAIRFAX, VA, US • Posted 5 hours ago • Updated 46 minutes ago
Full Time
On-site
Job Details

Skills

  • Enterprise Networks
  • System On A Chip
  • Tier 2
  • Analytics
  • GRID
  • Cisco Certifications
  • Certified Ethical Hacker
  • Cloud Computing
  • GCIH
  • GSEC
  • Penetration Testing
  • Security+
  • Computer Science
  • Data Science
  • Information Systems
  • Information Technology
  • Software Engineering
  • Acquisition
  • Network
  • Malware Analysis
  • Root Cause Analysis
  • Recovery
  • Documentation
  • Collaboration
  • IDS
  • IPS
  • Continuous Improvement
  • Security Clearance
  • Meta-data Management
  • Incident Management
  • DoD
  • Reporting
  • SIPRNet
  • Continuous Monitoring
  • Management
  • Risk Management Framework
  • RMF
  • eMASS
  • SAP BASIS
  • Law
  • Artificial Intelligence
  • Cyber Security
  • Partnership
  • Innovation
  • Accountability

Job Description

Position Summary
ECS is seeking a SOC CTIC Lead - SME to support the Army National Guard (ARNG) Enterprise Network Operations and Cybersecurity Support (ENOCS) program. In this role, you will support Task 3 - Cybersecurity Operations Support by conducting and leading cyber incident response activities for the ARNG enterprise, including evidence collection, forensic acquisition, analysis of host and network artifacts, malware triage, root-cause analysis, containment support, recovery validation, and incident documentation. The position works as part of ENOCS' broader cybersecurity operations construct, coordinating with SOC analysts, Cyber Incident Response Team (CIRT) personnel, watch officers, engineers, and service owners to strengthen defensive cyberspace operations across classified and unclassified environments.

This role directly supports ENOCS' mission to defend the DoDIN-Army-NG area of responsibility serving more than 120,000 users and approximately 141,000 endpoints across roughly 2,800 sites in 54 states and territories. The SOC CTIC Lead - SME contributes to cybersecurity operations that enable Title 10 and Title 32 missions, mobilization readiness, domestic emergency response, and classified SIPRNet operations by helping detect, investigate, contain, and document cyber incidents. The position operates within an environment that uses USIEM analytics, EDR, IDS/IPS, SOAR, Zeek metadata, Sysmon-informed MITRE ATT&CK analysis, and eMASS-supported continuous monitoring, while coordinating with organizations such as the NETCOM Global Cyber Center and DISA DCDC to maintain enterprise cyber freedom of action.

Please Note: This position is contingent upon contract award.
Responsibilities
  • Conduct cyber incident response investigations through evidence collection, forensic acquisition, and analysis of host and network artifacts in support of ARNG defensive cyberspace operations.
  • Perform malware triage and root-cause analysis to determine incident scope, identify affected systems, and support containment and recovery actions.
  • Document investigative actions, technical findings, and incident outcomes in incident tracking and case management systems to support reporting, governance, and after-action requirements.
  • Support recovery validation by verifying remediation actions, confirming restoration status, and helping ensure incidents are fully resolved before closure.
  • Coordinate incident handling activities with SOC Tier 2 personnel, CIRT, watch officers, problem and change processes, and other cybersecurity operations stakeholders as required.
  • Leverage security data and enterprise monitoring outputs from environments such as USIEM, EDR, IDS/IPS, and related analytics to support investigation, correlation, and incident determination.
  • Apply MITRE ATT&CK-informed analysis and available telemetry such as Sysmon and Zeek metadata to help identify adversary tactics, techniques, and procedures and improve incident understanding.
  • Support coordination and reporting associated with incidents affecting ARNG classified and unclassified enclaves, including environments tied to SIPRNet operations and broader DoDIN-A(NG) mission support.
  • Assist with post-incident reporting and lessons learned documentation to strengthen continuous monitoring, improve defensive measures, and inform follow-on cyber defense activities.
  • Coordinate, as needed, with external mission partners and cyber organizations identified in ENOCS operations, including the NETCOM Global Cyber Center and DISA DCDC, in accordance with incident handling procedures.

Required Qualifications
U.S. Citizenship is required

Security Clearance: Secret Eligible

Required Certifications: DCWF Work Role 531-Cyber Defense Incident Responder - Intermediate proficiency; must hold ONE OR MORE of the following: CEH(P), ECIH, GRID, RCCE Level 1, CBROPS, CCSP, CEH, Cloud+, FITSP-O, GCED, GCIH, GSEC, PenTest+, Security+

Experience: 7+ years of experience in cybersecurity

Education: Bachelor's degree or higher in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, or Software Engineering
  • Demonstrated experience performing evidence collection, forensic acquisition, and analysis of host and network artifacts during cyber incident investigations.
  • Experience supporting malware triage, technical root-cause analysis, containment actions, and recovery validation in operational cybersecurity environments.
  • Ability to produce complete, accurate, and timely incident documentation, technical findings, and after-action reporting aligned to continuous monitoring and cybersecurity operations requirements.
  • Experience working within enterprise cybersecurity operations supporting incident escalation, case management, and coordination across analysts, responders, engineers, and service owners.
  • Familiarity with cybersecurity monitoring and analysis environments using technologies and data sources referenced in ENOCS operations, including USIEM, EDR, IDS/IPS, and related security telemetry.
  • Experience supporting investigations and reporting in environments governed by DoD and ARNG cybersecurity policy, including classified and unclassified operational contexts.
  • Ability to analyze security events and artifacts to determine incident scope, affected assets, and recommended response actions across large enterprise environments.
  • Experience contributing to lessons learned, remediation follow-up, and continuous improvement activities after cyber incident response actions.

Desired Qualifications
Security Clearance: Active Secret (preferred)
  • Experience supporting cyber operations for large, geographically distributed enterprises serving users and endpoints across multiple sites or regions.
  • Familiarity with MITRE ATT&CK-based analysis and use of telemetry such as Sysmon and Zeek metadata to improve threat detection and incident analysis.
  • Experience coordinating with Army or DoD cyber organizations such as NETCOM, RCCs, ARCYBER, USCYBERCOM, or DISA in support of incident reporting or response.
  • Experience working in environments that include both classified and unclassified enclaves, including support to SIPRNet-related cybersecurity operations.
  • Experience contributing to continuous monitoring activities and artifact management in support of RMF or eMASS-related cybersecurity processes.
ECS Federal LLC is an equal opportunity employer and does not discriminate or allow discrimination on the basis of any characteristic protected by law. All qualified applicants will receive consideration for employment without regard to disability, status as a protected veteran, or any other status protected by applicable federal, state, or local jurisdiction law.

Everforth ECS is the federal segment of Everforth, a $4B global organization with over 10,000 employees. Our nearly 3,500 professionals deliver advanced technology solutions in data and AI, cybersecurity, and enterprise transformation, serving defense, intelligence, and federal civilian agencies.

Our work powers mission-critical outcomes, strengthens technology partnerships, and creates meaningful opportunities for our people. We are defined by a commitment to excellence in delivery, a culture of innovation, and an environment where talent can thrive and grow.

We value:
  • Attracting and developing top talent and high-performing teams
  • Fostering a culture that is engaging, accountable, and mission-driven
  • Dice Id: 10112MAN
  • Position Id: 4112