SOC CTIC Lead - SME

SOC CTIC Lead - SME

ECS is seeking a SOC CTIC Lead - SME to support the Army National Guard (ARNG) Enterprise Network Operations and Cybersecurity Support (ENOCS) program. In this role, you will support Task 3 — Cybersecurity Operations Support by conducting and leading cyber incident response activities for the ARNG enterprise, including evidence collection, forensic acquisition, analysis of host and network artifacts, malware triage, root-cause analysis, containment support, recovery validation, and incident documentation. The position works as part of ENOCS' broader cybersecurity operations construct, coordinating with SOC analysts, Cyber Incident Response Team (CIRT) personnel, watch officers, engineers, and service owners to strengthen defensive cyberspace operations across classified and unclassified environments.

This role directly supports ENOCS' mission to defend the DoDIN-Army-NG area of responsibility serving more than 120,000 users and approximately 141,000 endpoints across roughly 2,800 sites in 54 states and territories. The SOC CTIC Lead - SME contributes to cybersecurity operations that enable Title 10 and Title 32 missions, mobilization readiness, domestic emergency response, and classified SIPRNet operations by helping detect, investigate, contain, and document cyber incidents. The position operates within an environment that uses USIEM analytics, EDR, IDS/IPS, SOAR, Zeek metadata, Sysmon-informed MITRE ATT&CK analysis, and eMASS-supported continuous monitoring, while coordinating with organizations such as the NETCOM Global Cyber Center and DISA DCDC to maintain enterprise cyber freedom of action.

Please Note: This position is contingent upon contract award.

Responsibilities

• Conduct cyber incident response investigations through evidence collection, forensic acquisition, and analysis of host and network artifacts in support of ARNG defensive cyberspace operations.
• Perform malware triage and root-cause analysis to determine incident scope, identify affected systems, and support containment and recovery actions.
• Document investigative actions, technical findings, and incident outcomes in incident tracking and case management systems to support reporting, governance, and after-action requirements.
• Support recovery validation by verifying remediation actions, confirming restoration status, and helping ensure incidents are fully resolved before closure.
• Coordinate incident handling activities with SOC Tier 2 personnel, CIRT, watch officers, problem and change processes, and other cybersecurity operations stakeholders as required.
• Leverage security data and enterprise monitoring outputs from environments such as USIEM, EDR, IDS/IPS, and related analytics to support investigation, correlation, and incident determination.
• Apply MITRE ATT&CK-informed analysis and available telemetry such as Sysmon and Zeek metadata to help identify adversary tactics, techniques, and procedures and improve incident understanding.
• Support coordination and reporting associated with incidents affecting ARNG classified and unclassified enclaves, including environments tied to SIPRNet operations and broader DoDIN-A(NG) mission support.
• Assist with post-incident reporting and lessons learned documentation to strengthen continuous monitoring, improve defensive measures, and inform follow-on cyber defense activities.
• Coordinate, as needed, with external mission partners and cyber organizations identified in ENOCS operations, including the NETCOM Global Cyber Center and DISA DCDC, in accordance with incident handling procedures.

Required Qualifications

U.S. Citizenship is required

Security Clearance: Secret Eligible

Required Certifications: DCWF Work Role 531-Cyber Defense Incident Responder — Intermediate proficiency; must hold ONE OR MORE of the following: CEH(P), ECIH, GRID, RCCE Level 1, CBROPS, CCSP, CEH, Cloud+, FITSP-O, GCED, GCIH, GSEC, PenTest+, Security+

Experience: 7+ years of experience in cybersecurity

Education: Bachelors degree or higher in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, or Software Engineering

• Demonstrated experience performing evidence collection, forensic acquisition, and analysis of host and network artifacts during cyber incident investigations.
• Experience supporting malware triage, technical root-cause analysis, containment actions, and recovery validation in operational cybersecurity environments.
• Ability to produce complete, accurate, and timely incident documentation, technical findings, and after-action reporting aligned to continuous monitoring and cybersecurity operations requirements.
• Experience working within enterprise cybersecurity operations supporting incident escalation, case management, and coordination across analysts, responders, engineers, and service owners.
• Familiarity with cybersecurity monitoring and analysis environments using technologies and data sources referenced in ENOCS operations, including USIEM, EDR, IDS/IPS, and related security telemetry.
• Experience supporting investigations and reporting in environments governed by DoD and ARNG cybersecurity policy, including classified and unclassified operational contexts.
• Ability to analyze security events and artifacts to determine incident scope, affected assets, and recommended response actions across large enterprise environments.
• Experience contributing to lessons learned, remediation follow-up, and continuous improvement activities after cyber incident response actions.