SOC CIRT Team Lead - SME

Job Description

Position Summary
ECS is seeking a SOC CIRT Team Lead - SME to support the Army National Guard (ARNG) Enterprise Network Operations and Cybersecurity Support (ENOCS) program. This position supports Task 3 - Cybersecurity Operations Support - by leading cyber incident response activities across the ARNG enterprise and directing investigation, containment, eradication, recovery, reporting, and post-incident analysis. The SOC CIRT Team Lead serves as a senior response lead within ENOCS' broader cybersecurity operations construct, coordinating with SOC monitoring and analysis personnel, forensic and malware analysts, engineers, and compliance/RMF teams to strengthen Defensive Cyberspace Operations - Internal Defensive Measures (DCO-IDM) outcomes across the DoDIN-Army-NG area of responsibility.

This role directly supports a mission environment delivering DoDIN services to more than 120,000 users and approximately 141,000 endpoints across roughly 2,800 sites in 54 states and territories, including support to Title 10 and Title 32 missions, mobilization readiness, domestic emergency response, and classified SIPRNet operations. The SOC CIRT Team Lead operates within a technical environment that includes 24x7x365 SOC operations, Unified Security Information & Event Management (USIEM) analytics, EDR, SOAR, IDS/IPS event integration, DLP/C2C analytics, and coordination with NETCOM Global Cyber Center, DISA DCDC, ARCYBER, USCYBERCOM, RCCs, and other mission stakeholders to ensure timely incident response and continuous improvement of ARNG cyber defenses.

Please Note: This position is contingent upon contract award.
Responsibilities

• Lead cyber incident response activities by directing investigation, containment, eradication, and recovery actions for security events affecting ARNG classified and unclassified network environments.
• Coordinate Cyber Incident Response Team activities with SOC monitoring and analysis functions to ensure incidents are properly triaged, escalated, documented, and resolved in accordance with ARNG and DoD cybersecurity policy.
• Manage forensic and malware analysis efforts to determine incident scope, identify adversary tactics, techniques, and procedures, and support effective remediation and recovery actions.
• Oversee incident communications and escalation, ensuring timely coordination with internal stakeholders and external organizations as required by severity, mission impact, and reporting criteria.
• Produce incident reports, after-action reviews, and lessons-learned artifacts that improve detection engineering, response procedures, and continuous monitoring across the ENOCS cyber operations mission set.
• Coordinate with NETCOM Global Cyber Center, DISA DCDC, ARCYBER, USCYBERCOM, and regional RCC stakeholders, as applicable, to support incident analysis, notification, and remediation activities across the DoDIN-Army-NG AOR.
• Leverage operational data from USIEM, EDR, IDS/IPS, and related analytics sources to support incident scoping, response decision-making, and post-incident defensive improvements.
• Ensure required documentation and reporting are completed in support of Task 3 deliverables for cyber incident response and digital media analysis, while maintaining alignment with continuous monitoring and RMF-related evidence needs.
• Support the refinement of response playbooks, escalation procedures, and threat-informed defensive processes to improve the speed and quality of ARNG incident response operations.

Required Skills

Required Qualifications
U.S. Citizenship is required

Security Clearance: Secret Eligible

Required Certifications: DCWF Work Role 531-Cyber Defense Incident Responder - Advance proficiency; must hold ONE OR MORE of the following: CFR, CySA+, GCFA, GCIA, GICSP

Experience: 12+ years of experience in cybersecurity

Education: Masters degree or higher in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, or Software Engineering

• Demonstrated ability to lead cyber incident response activities spanning investigation, containment, eradication, and recovery.
• Experience managing incident communications, escalation actions, and required reporting through all phases of the response lifecycle.
• Experience coordinating forensic analysis and malware analysis activities to support incident scoping, evidence development, and remediation.
• Ability to produce complete incident documentation, after-action reporting, and lessons-learned artifacts that inform continuous improvement.
• Experience operating in a 24x7x365 SOC and cyber defense environment supporting enterprise-scale monitoring and response operations.
• Familiarity with continuous monitoring requirements and maintaining documentation aligned to DoD and ARNG cybersecurity policy.
• Experience working with enterprise security analytics and response capabilities such as SIEM, EDR, IDS/IPS, and related case management workflows.
• Ability to coordinate effectively with cyber operations stakeholders, engineers, watch personnel, and leadership across a distributed enterprise environment.

Desired Skills

Desired Qualifications
Security Clearance: Active Secret (preferred)

• Experience supporting DoD or Army cyber incident response operations within both classified and unclassified enclaves, including SIPRNet-related operational environments.
• Experience using or supporting USIEM-centered operations and integrating alerts or evidence from EDR, SOAR, IDS/IPS, DLP, or C2C analytics.
• Familiarity with MITRE ATT&CK-based incident analysis and its use in strengthening detections and defensive response actions.
• Experience coordinating incident reporting and remediation with organizations such as NETCOM, ARCYBER, USCYBERCOM, DISA, or RCC stakeholders.
• Experience producing lessons learned that inform detection engineering, playbook updates, and broader DCO-IDM process improvement across enterprise cybersecurity operations.

ECS Federal LLC is an equal opportunity employer and does not discriminate or allow discrimination on the basis any characteristic protected by law. All qualified applicants will receive consideration for employment without regard to disability, status as a protected veteran or any other status protected by applicable federal, state, or local jurisdiction law.

Everforth ECS is the federal segment of Everforth , a $4B global organization with over 10,000 employees. Our nearly 3,500 professionals deliver advanced technology solutions in data and AI, cybersecurity, and enterprise transformation, serving defense, intelligence, and federal civilian agencies.

Our work powers mission-critical outcomes, strengthens technology partnerships, and creates meaningful opportunities for our people. We are defined by a commitment to excellence in delivery, a culture of innovation, and an environment where talent can thrive and grow.

We value:

• Attracting and developing top talent and high-performing teams
• Fostering a culture that is engaging, accountable, and mission-driven