
Staff Incident Response Analyst

AlphaSense | IT | Indianapolis, IN, USA (Remote)
Posted on May 22, 2026

About AlphaSense

The world’s most sophisticated companies rely on AlphaSense to remove uncertainty from decision-making. With market intelligence and search built on proven AI, AlphaSense delivers insights that matter from content you can trust. Our universe of public and private content includes equity research, company filings, event transcripts, expert calls, news, trade journals, and clients’ own research content.

The acquisition of Tegus by AlphaSense in 2024 advances our shared mission to empower professionals to make smarter decisions through AI-driven market intelligence. Together, AlphaSense and Tegus will accelerate growth, innovation, and content expansion, with complementary product and content capabilities that enable users to unearth even more comprehensive insights from thousands of content sets. Our platform is trusted by over 6,000 enterprise customers, including a majority of the S&P 500. Founded in 2011, AlphaSense is headquartered in New York City with more than 2,000 employees across the globe and offices in the U.S., U.K., Finland, India, Singapore, Canada, and Ireland. Come join us!

About the Role

We are hiring a Staff Incident Response Analyst to serve as the technical escalation point for our L2 SOC analysts and 24/7 managed detection and response (MDR) partner. When a case exceeds what an L2 can handle — complex forensics, multi-system intrusions, ambiguous attacker behavior, or high-stakes containment decisions — it lands with you. You are the last line of technical defense before the Security Operations Manager is pulled in.

This is a deeply hands-on role. You will spend the majority of your time in tooling: hunting through the SIEM, pulling host artifacts via EDR remote access, tracing IAM chains in cloud audit logs, and reconstructing attacker timelines from raw evidence. You are expected to know what you are looking at without being told, and to be faster and more thorough than the analysts escalating to you.

Core Responsibilities

Escalation Handling & Incident Leadership
- Receive and own L2 escalations across all severity levels; take over the technical lead role on Sev2+
- Scope incidents accurately and quickly: determine blast radius, affected assets, and attacker objectives from available telemetry
- Make and document containment decisions — endpoint isolation, account suspension, token revocation, network block — with clear rationale
- Maintain a forensically sound incident timeline: ordered evidence, source attribution, and chain-of-custody throughout
- Communicate incident status to the Security Operations Manager with enough fidelity to brief upward without needing to re-investigate
- Drive incidents to documented closure: root cause, attacker path, affected assets, and defensive gaps identified

Host & Endpoint Forensics
- Perform deep-dive endpoint triage via EDR: process tree analysis, remote artifact collection, behavioral event review, and custom detection rule evaluation
- Reconstruct attacker activity from Windows forensic artifacts: Prefetch, Shimcache, Amcache, MFT, $USNJrnl, event logs (4624, 4688, 4698, 7045), and registry hives
- Analyze Linux host artifacts: bash history, cron jobs, /tmp and /var/log contents, SUID binaries, and persistence mechanisms
- Perform memory forensics when warranted: process injection, credential extraction artifacts, and in-memory malware indicators
- Extract and analyze malware samples statically and dynamically: PE header review, strings, YARA matching, and sandbox detonation interpretation

Cloud Incident Response — AWS & GCP
- Lead AWS-based IR: CloudTrail forensics, IAM chain reconstruction, EC2 isolation, S3 access pattern analysis, Lambda execution review
- Identify and respond to IMDS credential abuse, assumed-role lateral movement, and cross-account privilege escalation
- Investigate container and serverless incidents: ECS task behavior, Lambda invocation logs, and abnormal API call sequences
- Correlate VPC Flow Logs, native threat detection findings, and S3 access logs against SIEM events to build a complete cloud-side timeline
- Handle GCP incidents using Cloud Audit Logs, Cloud Logging, and IAM policy review in a multi-cloud context
- Use cloud security posture management (CSPM) findings and runtime data as investigative context during active incidents

Identity & SaaS Forensics
- Investigate identity provider incidents: admin audit log review, session anomaly analysis, suspicious app assignments, MFA bypass patterns, and provisioning events
- Perform customer identity and access management (CIAM) forensics: authentication log analysis, abnormal grant flows, token misuse, and tenant-level anomaly investigation
- Reconstruct identity-based attack chains across the IdP, cloud IAM, and application layers — from initial credential compromise through lateral movement
- Identify and respond to OAuth abuse, token theft, session hijacking, and federated identity attacks

Threat Hunting & Detection Contribution
- Conduct structured threat hunts in the SIEM using detection rule logic, event correlation queries, and multi-source pivoting
- Hunt for attacker behavior that existing detections miss: living-off-the-land techniques, LOLBins, slow-and-low persistence, and C2 beaconing patterns
- Translate hunt findings and post-incident learnings into specific detection recommendations or rule drafts for the Security Operations Manager
- Contribute to ATT&CK coverage visibility by flagging technique gaps surfaced during investigations or hunts

L2 Escalation Support & Quality
- Take escalation handoffs from L2 analysts and the MDR partner; provide technical direction when an analyst is stuck, not just take the case
- Review escalation packages for completeness and accuracy — push back when context is insufficient and coach on what’s missing
- Identify recurring escalation patterns and flag them to the Security Operations Manager as potential L2 training gaps or detection tuning needs
- Document investigation methodology on closed cases in enough detail that an L2 analyst can learn from the approach

Required Qualifications
- 6+ years of hands-on incident response experience, with at least 3 years performing technical IR at a senior or staff level
- Expert-level EDR proficiency (e.g., CrowdStrike Falcon, SentinelOne, or equivalent): remote triage, process tree analysis, behavioral detections, and custom detection rule authorship
- Deep AWS IR capability: CloudTrail forensics, IAM chain analysis, EC2 and Lambda investigation, and IMDS/assumed-role abuse patterns
- Strong Windows forensics: ability to reconstruct attacker activity from Prefetch, MFT, Shimcache, event logs, and registry artifacts without tooling assistance
- Solid Linux forensics: persistence mechanisms, cron, SUID analysis, process anomalies, and log artifact interpretation
- Hands-on SIEM investigation and detection experience (e.g., Google SecOps/Chronicle, Splunk, Microsoft Sentinel): writing detection logic, pivoting on normalized events, and multi-event correlation
- Identity incident response experience in an enterprise IdP (e.g., Okta, Entra ID): audit log forensics, session analysis, app-layer anomalies, and admin abuse patterns
- Demonstrated ability to scope and lead Sev1 incidents autonomously, including containment decisions and cross-functional coordination
- Strong technical writing: you produce investigation timelines, evidence summaries, and escalation handoffs that are accurate, concise, and unambiguous
- MITRE ATT&CK fluency: you use it to communicate attacker behavior, not just as a reference

Preferred Qualifications
- Memory forensics experience using Volatility or equivalent: process injection, credential material in memory, and rootkit indicators
- Malware analysis capability: static analysis (PE headers, strings, imports), dynamic sandbox review, and YARA rule authorship
- GCP IR experience using Cloud Audit Logs, VPC Flow Logs, and IAM policy analysis in a live incident context
- CIAM forensics experience (e.g., Auth0, Cognito): authentication logs, abnormal grant flows, and token misuse investigation
- Experience receiving and evaluating escalations from an MSSP/MDR, including identifying under-triaged or misrouted tickets
- Familiarity with CSPM tooling (e.g., Wiz, Prisma Cloud, Orca) as an investigative data source during cloud incidents
- DFIR certifications: GCFE, GCFA, GCFR, GREM, GCIH, or equivalent practical forensics credentials
- Prior experience in a SaaS company, financial services, or other regulated environment handling sensitive customer data

Equal Employment Opportunity

AlphaSense is an equal-opportunity employer. We are committed to a work environment that supports, inspires, and respects all individuals. All employees share in the responsibility for fulfilling AlphaSense’s commitment to equal employment opportunity. AlphaSense does not discriminate against any employee or applicant on the basis of race, color, sex (including pregnancy), national origin, age, religion, marital status, sexual orientation, gender identity, gender expression, military or veteran status, disability, or any other non-merit factor. This policy applies to every aspect of employment at AlphaSense, including recruitment, hiring, training, advancement, and termination.

In addition, it is the policy of AlphaSense to provide reasonable accommodation to qualified employees who have protected disabilities to the extent required by applicable laws, regulations, and ordinances where a particular employee works.

Recruiting Scams and Fraud

We at AlphaSense have been made aware of fraudulent job postings and individuals impersonating AlphaSense recruiters. These scams may involve fake job offers, requests for sensitive personal information, or demands for payment.

Please note:
- AlphaSense never asks candidates to pay for job applications, equipment, or training.
- All official communications will come from an @alpha-sense.com email address.
- If you’re unsure about a job posting or recruiter, verify it on our Careers page.

If you believe you’ve been targeted by a scam or have any doubts regarding the authenticity of any job listing purportedly from or on behalf of AlphaSense, please contact us. Your security and trust matter to us.