Staff Incident Response Analyst

About AlphaSense: 

The world’s most sophisticated companies rely on AlphaSense to remove uncertainty from decision-making. With market intelligence and search built on proven AI, AlphaSense delivers insights that matter from content you can trust. Our universe of public and private content includes equity research, company filings, event transcripts, expert calls, news, trade journals, and clients’ own research content.

The acquisition of Tegus by AlphaSense in 2024 advances our shared mission to empower professionals to make smarter decisions through AI-driven market intelligence. Together, AlphaSense and Tegus will accelerate growth, innovation, and content expansion, with complementary product and content capabilities that enable users to unearth even more comprehensive insights from thousands of content sets. Our platform is trusted by over 6,000 enterprise customers, including a majority of the S&P 500. Founded in 2011, AlphaSense is headquartered in New York City with more than 2,000 employees across the globe and offices in the U.S., U.K., Finland, India, Singapore, Canada, and Ireland. Come join us!

About the Role:

We are hiring a Staff Incident Response Analyst to serve as the technical escalation point for our L2 SOC analysts and 24/7 managed detection and response (MDR) partner. When a case exceeds what an L2 can handle — complex forensics, multi-system intrusions, ambiguous attacker behavior, or high-stakes containment decisions — it lands with you. You are the last line of technical defense before the Security Operations Manager is pulled in.

This is a deeply hands-on role. You will spend the majority of your time in tooling: hunting through the SIEM, pulling host artifacts via EDR remote access, tracing IAM chains in cloud audit logs, and reconstructing attacker timelines from raw evidence. You are expected to know what you are looking at without being told, and to be faster and more thorough than the analysts escalating to you.

 

Core Responsibilities:

Escalation Handling & Incident Leadership

• Receive and own L2 escalations across all severity levels; take over technical lead role on Sev2+
• Scope incidents accurately and quickly: determine blast radius, affected assets, and attacker objectives from available telemetry
• Make and document containment decisions — endpoint isolation, account suspension, token revocation, network block — with clear rationale
• Maintain a forensically sound incident timeline: ordered evidence, source attribution, and chain-of-custody throughout
• Communicate incident status to the Security Operations Manager with enough fidelity to brief upward without needing to re-investigate
• Drive incidents to documented closure: root cause, attacker path, affected assets, and defensive gaps identified

Host & Endpoint Forensics

• Perform deep-dive endpoint triage via EDR: process tree analysis, remote artifact collection, behavioral event review, and custom detection rule evaluation
• Reconstruct attacker activity from Windows forensic artifacts: Prefetch, Shimcache, Amcache, MFT, $USNJrnl, event logs (4624, 4688, 4698, 7045), and registry hives
• Analyze Linux host artifacts: bash history, cron jobs, /tmp and /var/log contents, SUID binaries, and persistence mechanisms
• Perform memory forensics when warranted: process injection, credential extraction artifacts, and in-memory malware indicators
• Extract and analyze malware samples statically and dynamically: PE header review, strings, YARA matching, and sandbox detonation interpretation

Cloud Incident Response — AWS & GCP

• Lead AWS-based IR: CloudTrail forensics, IAM chain reconstruction, EC2 isolation, S3 access pattern analysis, Lambda execution review
• Identify and respond to IMDS credential abuse, assumed-role lateral movement, and cross-account privilege escalation
• Investigate container and serverless incidents: ECS task behavior, Lambda invocation logs, and abnormal API call sequences
• Correlate VPC Flow Logs, native threat detection findings, and S3 access logs against SIEM events to build a complete cloud-side timeline
• Handle GCP incidents using Cloud Audit Logs, Cloud Logging, and IAM policy review in a multi-cloud context
• Use cloud security posture management (CSPM) findings and runtime data as investigative context during active incidents

Identity & SaaS Forensics

• Investigate identity provider incidents: admin audit log review, session anomaly analysis, suspicious app assignments, MFA bypass patterns, and provisioning events
• Perform customer identity and access management (CIAM) forensics: authentication log analysis, abnormal grant flows, token misuse, and tenant-level anomaly investigation
• Reconstruct identity-based attack chains across the IdP, cloud IAM, and application layers — from initial credential compromise through lateral movement
• Identify and respond to OAuth abuse, token theft, session hijacking, and federated identity attacks

Threat Hunting & Detection Contribution

• Conduct structured threat hunts in the SIEM using detection rule logic, event correlation queries, and multi-source pivoting
• Hunt for attacker behavior that existing detections miss: living-off-the-land techniques, LOLBins, slow-and-low persistence, and C2 beaconing patterns
• Translate hunt findings and post-incident learnings into specific detection recommendations or rule drafts for the Security Operations Manager
• Contribute to ATT&CK coverage visibility by flagging technique gaps surfaced during investigations or hunts

L2 Escalation Support & Quality

• Take escalation handoffs from L2 analysts and the MDR partner; provide technical direction when an analyst is stuck, not just take the case
• Review escalation packages for completeness and accuracy — push back when context is insufficient and coach on what’s missing
• Identify recurring escalation patterns and flag them to the Security Operations Manager as potential L2 training gaps or detection tuning needs
• Document investigation methodology on closed cases in enough detail that an L2 analyst can learn from the approach

 

Required Qualifications:

• 6+ years of hands-on incident response experience, with at least 3 years performing technical IR at a senior or staff level
• Expert-level EDR proficiency (e.g., CrowdStrike Falcon, SentinelOne, or equivalent): remote triage, process tree analysis, behavioral detections, and custom detection rule authorship
• Deep AWS IR capability: CloudTrail forensics, IAM chain analysis, EC2 and Lambda investigation, and IMDS/assumed-role abuse patterns
• Strong Windows forensics: ability to reconstruct attacker activity from Prefetch, MFT, Shimcache, event logs, and registry artifacts without tooling assistance
• Solid Linux forensics: persistence mechanisms, cron, SUID analysis, process anomalies, and log artifact interpretation
• Hands-on SIEM investigation and detection experience (e.g., Google SecOps/Chronicle, Splunk, Microsoft Sentinel): writing detection logic, pivoting on normalized events, and multi-event correlation
• Identity incident response experience in an enterprise IdP (e.g., Okta, Entra ID): audit log forensics, session analysis, app-layer anomalies, and admin abuse patterns
• Demonstrated ability to scope and lead Sev1 incidents autonomously, including containment decisions and cross-functional coordination
• Strong technical writing: you produce investigation timelines, evidence summaries, and escalation handoffs that are accurate, concise, and unambiguous
• MITRE ATT&CK fluency: you use it to communicate attacker behavior, not just as a reference

 

Preferred Qualifications:

• Memory forensics experience using Volatility or equivalent: process injection, credential material in memory, and rootkit indicators
• Malware analysis capability: static analysis (PE headers, strings, imports), dynamic sandbox review, and YARA rule authorship
• GCP IR experience using Cloud Audit Logs, VPC Flow Logs, and IAM policy analysis in a live incident context
• CIAM forensics experience (e.g., Auth0, Cognito): authentication logs, abnormal grant flows, and token misuse investigation
• Experience receiving and evaluating escalations from an MSSP/MDR, including identifying under-triaged or misrouted tickets
• Familiarity with CSPM tooling (e.g., Wiz, Prisma Cloud, Orca) as an investigative data source during cloud incidents
• DFIR certifications: GCFE, GCFA, GCFR, GREM, GCIH, or equivalent practical forensics credentials
• Prior experience in a SaaS company, financial services, or other regulated environment handling sensitive customer data

AlphaSense is an equal-opportunity employer. We are committed to a work environment that supports, inspires, and respects all individuals. All employees share in the responsibility for fulfilling AlphaSense’s commitment to equal employment opportunity. AlphaSense does not discriminate against any employee or applicant on the basis of race, color, sex (including pregnancy), national origin, age, religion, marital status, sexual orientation, gender identity, gender expression, military or veteran status, disability, or any other non-merit factor. This policy applies to every aspect of employment at AlphaSense, including recruitment, hiring, training, advancement, and termination.

In addition, it is the policy of AlphaSense to provide reasonable accommodation to qualified employees who have protected disabilities to the extent required by applicable laws, regulations, and ordinances where a particular employee works.

Recruiting Scams and Fraud

We at AlphaSense have been made aware of fraudulent job postings and individuals impersonating AlphaSense recruiters. These scams may involve fake job offers, requests for sensitive personal information, or demands for payment. Please note:

• AlphaSense never asks candidates to pay for job applications, equipment, or training.
• All official communications will come from an @alpha-sense.com email address.
• If you’re unsure about a job posting or recruiter, verify it on our Careers page.

If you believe you’ve been targeted by a scam or have any doubts regarding the authenticity of any job listing purportedly from or on behalf of AlphaSense please contact us. Your security and trust matter to us.