Cyber Incident Response Analyst – San Antonio


The Incident Response Analyst correlates information gathered to provide effective methods to protect AF systems.


*Determine probability of exploitation of systems by an adversary or malware.

*Ensure appropriate notification and action are taken to reduce and mitigate risk to all AF networks, domains, and enclaves.

*Upon identification of suspicious activity on AF networks, open network intrusion investigation(s) to validate the unauthorized activity and determine the type and extent of activity.

*Conduct network intrusion investigations on information security and cyber events and incidents.

*Conduct network intrusion investigation analysis utilizing a wide array of security tools.

*Conduct in-depth analysis of suspicious activity (log files, systems, network traffic, etc.) contained within the investigation to determine root cause and participate in lessons learned.

*Manage all investigation/incident cases on suspected and confirmed compromised AF systems and determine the method of intrusion and corrective actions to be taken to prevent, detect, and/or respond to similar future activities and incidents.

*Author incident reports for events/incidents.

*Support AF Office of Special Investigations (OSI) law enforcement and counter-intelligence agencies and activities if required.

*Provide support to AF network administrators on the installation and analysis of packet sniffers on their network topologies.

*Support planned and same-day Incident Response deployments.

*Provide OJT to other contractor employees, military, and/or civilian personnel, and ensure continuity folders/working aids are updated.

*Create and document metrics for reporting and analysis to improve weapon system processes and mission execution.

*Maintain currency on latest industry trends and provide operational reports/assessments for development of tactics, techniques, and procedures.

*Provide requested information to operational flight commander as it relates to the Incident Response processes and procedures.


Advanced knowledge of Security Information and Event Management/Security Orchestration Automation and Response (SIEM/SOAR) visual analytics, search, and alerting, Intrusion Detection System/Intrusion Prevention System (IDS/IPS), network security monitoring (NSM), endpoint protection and detection, and log and event collection/aggregation/search/correlation software currently in use by Department of Defense and Federal Government Agencies; intermediate experience with static-dynamic digital forensic investigation and analysis technologies and network communication function standards in the Open Systems Interconnection (OSI) model such as data link layer, network layer, addressing, subnetting, protocols, ports, services, and applications associated with the Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Domain Name Service (DNS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and the Hypertext Transfer Protocol (HTTP).


*Must meet IAT Level III certification (CASP+ CE, CCNP Security, CISA, CISSP (or Associate), GCED, GCIH, or CCSP)

*Required GIAC certifications: GCFA or GCFE


*Must have active TS/SCI

*Must be available for shift work