Cybersecurity analyst

We are hiring a hands-on DFIR practitioner to investigate account compromises, harden infrastructure, and
produce evidence-grade documentation across a portfolio of brands. This is not generic IT support. We need
L2/L3 SOC thinking, threat hunting, account takeover investigation, and forensic discipline.
Scope of Responsibility
• Forensic investigation of suspected account compromises with chain-of-custody preservation
• Hardening of accounts, devices, websites, DNS, and email across all platforms in scope
• Endpoint review on macOS, iOS, and Windows for persistence, malware, remote access
• Email authentication (SPF, DKIM, DMARC) and OAuth grant audits
• Dark web exposure analysis and credential rotation
• MFA/2FA architecture with hardware keys (YubiKey or comparable)
• Final evidence package suitable for legal, insurance, or vendor escalation
• Optional retainer for monitoring, i ---------- response on-call, and quarterly review
Required Experience
• Hands-on DFIR experience — verifiable case studies required
• Account compromise investigation across Google Workspace, Microsoft 365, Apple ID
• Email security: SPF, DKIM, DMARC, mailbox rules, OAuth audit
• Endpoint forensics on macOS, iOS, and Windows
• WordPress security and i ---------- response
• Cloudflare, DNS, and registrar-level security
• Evidence preservation methodology
• Reporting suitable for non-technical founders, legal, and insurance
Tools You Should Know
KAPE, Velociraptor, Autopsy, or comparable DFIR tooling. osquery, YARA, ClamAV, EDR platforms. Google
Workspace and Microsoft 365 admin consoles. Cloudflare, Wordfence, Sucuri. Bitwarden, 1Password,
YubiKey, HaveIBeenPwned, SpyCloud. Certifications preferred: GCFE, GCIH, GCFA, CISSP, or OSCP.
Professional Standards & Expectations
• Daily: Progress updates during scheduled hours; respond within stated SLA
• Weekly: Written report covering work shipped, blockers, metrics, next priorities
• Per deliverable: Loom walkthrough and documented SOP
• Quality: Work is considered complete only when functional, tested, documented, and approved
• Communication: Direct, professional, accountable — no hand-holding required
Engagement Terms
• Type: Long-term, ongoing engagement across a portfolio of brands — not a one-off project
• Structure: Retainer, hourly, hybrid, or milestone-based — open to discussion
• Compensation: Competitive and aligned with demonstrated expertise. Propose your structure and rate in
your application
• Performance: Bonuses available on top of base, tied to documented results
• Term: 90-day initial engagement, quarterly renewal based on results
• Growth path: Expanded scope, leadership role, or equity-aligned partnership available for high performers
Application Requirements
Incomplete applications will not be reviewed. Every item below is mandatory.
• Resume / CV (PDF only)
• LinkedIn profile URL (active, public, with documented history)
• Portfolio or work samples as specified below
• Loom or video introduction (5–10 minutes)
• Written response to the sample task below
• Two (2) verifiable references — must be reachable
• Internet speed screenshot (minimum 50 Mbps down / 10 Mbps up)
• Stated time zone, availability, and earliest start date
• Your proposed compensation structure with rationale
Portfolio Requirements
Submit at least two (2) redacted prior DFIR engagements (account compromise, BEC, ransomware, or similar).
For each: type of i ---------- , methodology, tools used, artifacts collected, findings, remediation, and final
deliverable type. Generic IT support history will not be considered.
Sample Task
A small business reports suspicious activity on their Google Workspace: unexpected forwarding rules, a few
sent emails they don't remember sending, and a strange OAuth grant. They also use Apple devices, have
WordPress on shared hosting, and use 1Password but without MFA enforced. In 300–500 words: what are the
first five actions you take, in what order, and why? What artifacts do you preserve before making any changes?
What This Role Is Not
• Not basic IT support or antivirus cleanup
• Not generic SOC monitoring without investigation capability
• Not a one-call advisory engagement
• Not a role for someone who has only worked in large enterprise SOCs
How to Apply
The first line of your application must read: DFIR OPERATOR
Applications without this keyword will not be reviewed. This is our first filter. It identifies candidates who actually
read the posting end-to-end.