Cyber Incident Response Analyst

Hybrid in San Antonio, TX, US • Posted 12 hours ago • Updated 12 hours ago
Contract Corp To Corp
Contract W2
Contract Independent
12 Months
Occasional Travel Required
Hybrid
Depends on Experience

Job Details

Skills

  • Cyber Incident Response Analyst

Summary

Work Location

Hybrid - in San Antonio, TX OR Austin, TX. Primary location to be assigned by TXCC.

Office Locations:

  • SATX Office: 506 Dolorosa Street, San Antonio, TX 78204
  • ATX Office: 1001 North Loop, Austin, TX 78757

 

Job Description

We are currently seeking a contract Cyber Incident Response Analyst to be a key resource on a technical services team for our client, the Texas Cyber Command (TXCC).

 

Responsibilities

  • Perform advanced incident response across Windows and Linux environments, including triage, containment, eradication, and recovery.
  • Conduct host-based forensics, including log analysis, memory capture, file system review, and malware behavior analysis.
  • Serve as Incident Commander during cybersecurity events, coordinating actions, documenting decisions, and communicating with leadership and affected agencies.
  • Analyze adversary Tactics, Techniques, and Procedures (TTPs) and map findings to MITRE ATT&CK.
  • Review and validate alerts from SIEM, IDS/IPS, EDR, and network monitoring tools.
  • Produce incident reports, timelines, and executive summaries for statewide stakeholders.
  • Support multi-agency response operations, including SLTT partners and critical infrastructure entities.
  • Provide recommendations for detection improvements, hardening, and long-term mitigation.
  • Participate in post-incident reviews, lessons learned, and playbook updates.
  • Maintain readiness for 24x7 response through on-call rotation or surge support.

 

Qualifications

Minimum Requirements:

5 years of:

  • Advanced host‑based forensics across Windows and Linux, including memory, disk, and malware analysis, using telemetry from NetWitness, Gravwell, Google SecOps, and Corelight to validate findings and reconstruct attacker activity.
  • Ability to correlate host, network, and intelligence data from CrowdStrike, SentinelOne, Microsoft Sentinel, Corelight, and NetWitness to build complete incident timelines.
  • Experience producing high‑quality incident reports and executive summaries using evidence collected from Gravwell, NetWitness, Corelight, and case management workflows.

4 years of:

  • Strong understanding of adversary TTPs, intrusion kill chains, and threat hunting methodologies using packet‑level and log‑level data from sources including, but not limited to, Corelight, NetWitness, and CRIBL pipelines.

3 years of:

  • Incident Commander experience

1 year of:

  • Experience supporting SLTT or critical infrastructure environments, including multi‑tenant IR operations and cross‑agency coordination.

 

Preferred:

5 years of:

  • Proficiency with threat intelligence platforms, including Recorded Future, ThreatMon, GreyNoise, Google Threat Intelligence, VirusTotal, and Mandiant, to enrich investigations, validate indicators, and map activity to MITRE ATT&CK.
  • Hands‑on experience using Cyware CSAP for incident orchestration, automated enrichment, case creation, and workflow execution across SIEM, IPS, EDR, and ticketing systems.

4 years of:

  • Security Certifications Preferred (CISSP, CIH, Sec+)

 

Company Overview

Texas GovLink has been contracted with the Texas State Government; we are a Top Ten ranked vendor and a premier provider of technical and business staffing solutions. Texas GovLink offers its family of consultants excellent rates, a local support staff, and an attractive benefits package, which includes medical insurance (TGL shares a percentage of the cost), life insurance, a matching 401(k) plan, and a cafeteria plan. Candidates selected for interview will be required to undergo criminal background checks and may be required to complete a drug screen in accordance with Federal and State Law. Offers of Employment are contingent on a successful background check. Texas GovLink is an equal opportunities employer.

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: alliedtx
  • Position Id: 2026-7962
Contact the job poster
Emmily Logan

Technical Recruiter @ Allied Consultants, Inc.