Incident Response Analyst

About the Role

CrowdStrike is looking for a highly motivated, self-driven Incident Response Analyst to support the incident-response lifecycle—serving as the first line of defense within the CSIRT. In this role, you’ll triage incoming detections, enrich and investigate alerts, and take rapid action—live response, containment, or escalation—to keep adversaries at bay. You’ll work shoulder-to-shoulder with seasoned Incident Responders to drive continuous improvement across our world-class security team.

• Do you find yourself interested in putting your hands-on technical skills to the test in detecting, containing, and remediating incidents?

• Are you self-motivated and looking for an opportunity to rapidly accelerate your skills?

• Are you ready to dive into logs, endpoint telemetry, and more to uncover the scope and severity of an event?

• Do you enjoy working around like-minded security professionals in a world class team who you can both learn from and mentor on a daily basis?

• Are you looking for a role where the detections you fine-tune today will block tomorrow’s attacks?

• Do you enjoy collaborating with a diverse, high-performing team and explaining technical risk to stakeholders who depend on your insights?
   

What You’ll Do:

• Provide continuous coverage for SIEM/SOAR, EDR, network, cloud, and email-security consoles; rapidly validate alerts, enrich with context, suppress false positives, and act on confirmed threats.

• Gather evidence from logs, host telemetry, and threat-intel feeds to determine scope, severity, and business impact.

• Execute pre-approved playbook actions (host isolation, account disablement, phishing-email purge, firewall block, etc.) and confirm containment success.

• Escalate high-severity or complex incidents to senior analysts/IR leadership, providing concise incident summaries and proposed mitigation steps while staying engaged through resolution.

• Consistently meet or exceed response-time targets for critical and high-urgency tickets.

• Record investigative steps, evidence, and decisions in the ticketing system; deliver clear shift-handoff notes to support 24x7 operations.

• Identify noisy rules, false-positive trends, blind spots, or missing log sources; collaborate on custom detections and log-source onboarding to improve alert fidelity.

• Participate in the refinement of existing runbooks, draft new ones, and champion automation opportunities that reduce analyst toil.

What You’ll Need:

• 1–3 years of hands-on SOC experience performing alert triage, incident handling, and first-responder containment while working daily with SIEM/SOAR, EDR, IDS/IPS, firewalls/proxies, email-security tools, and deep log analysis.

• Practical knowledge of Windows, macOS, and Linux internals and logging (Event Logs, Sysmon, auditd, etc.).

• Solid grasp of TCP/IP, OSI layers, and common protocols (HTTP/S, DNS, SMTP); able to interpret packet captures and network logs.

• Proficiency with search/query languages (LQL, SPL, KQL, SQL etc.) to enrich alerts and investigate indicators, mapping findings to MITRE ATT&CK techniques.

• Demonstrated experience responding to hacktivist, cyber-crime, or APT activity—triage, containment, escalation, and thorough documentation.

• Capable of completing technical tasks independently, maintaining composure during incident response actions, and fostering a positive, collaborative work environment.

• Strong verbal and written communication, analytical problem-solving, time-management, and project-management skills; desire to grow and continuously improve both technical and soft skills.

Bonus Points:

• Experience in scripting languages such as in Python, PowerShell, Bash, Perl, etc.; experience contributing to SOAR playbooks.

• Experienced SIEM power user comfortable with conducting complex searches, creating dashboards, and providing alert tuning recommendations.

• Experience assisting senior responders with coordinated IR functions, root-cause analysis, and tactical/strategic remediation planning.

• Prior experience presenting technical findings and risk to non-technical stakeholders and executive leadership; project-management experience is a plus.

Education:

• A bachelor’s or master’s degree in Computer Science, Cybersecurity, or a related field is welcome —but not required. Candidates who can demonstrate equivalent, hands-on experience in security operations will receive full consideration.

• Applicable security certifications (e.g., GCIA, GCIH, GCFA, GNFA).

#LI-Remote

#LI-EV1

#LI-AL1