SOC CIRT Team Lead - SME

Position Summary

ECS is seeking a SOC CIRT Team Lead - SME to support the Army National Guard (ARNG) Enterprise Network Operations and Cybersecurity Support (ENOCS) program. This position supports Task 3 — Cybersecurity Operations Support — by leading cyber incident response activities across the ARNG enterprise and directing investigation, containment, eradication, recovery, reporting, and post-incident analysis. The SOC CIRT Team Lead serves as a senior response lead within ENOCS’ broader cybersecurity operations construct, coordinating with SOC monitoring and analysis personnel, forensic and malware analysts, engineers, and compliance/RMF teams to strengthen Defensive Cyberspace Operations – Internal Defensive Measures (DCO-IDM) outcomes across the DoDIN-Army-NG area of responsibility.

This role directly supports a mission environment delivering DoDIN services to more than 120,000 users and approximately 141,000 endpoints across roughly 2,800 sites in 54 states and territories, including support to Title 10 and Title 32 missions, mobilization readiness, domestic emergency response, and classified SIPRNet operations. The SOC CIRT Team Lead operates within a technical environment that includes 24x7x365 SOC operations, Unified Security Information & Event Management (USIEM) analytics, EDR, SOAR, IDS/IPS event integration, DLP/C2C analytics, and coordination with NETCOM Global Cyber Center, DISA DCDC, ARCYBER, USCYBERCOM, RCCs, and other mission stakeholders to ensure timely incident response and continuous improvement of ARNG cyber defenses.

 

Please Note: This position is contingent upon contract award.

Responsibilities

• Lead cyber incident response activities by directing investigation, containment, eradication, and recovery actions for security events affecting ARNG classified and unclassified network environments.
• Coordinate Cyber Incident Response Team activities with SOC monitoring and analysis functions to ensure incidents are properly triaged, escalated, documented, and resolved in accordance with ARNG and DoD cybersecurity policy.
• Manage forensic and malware analysis efforts to determine incident scope, identify adversary tactics, techniques, and procedures, and support effective remediation and recovery actions.
• Oversee incident communications and escalation, ensuring timely coordination with internal stakeholders and external organizations as required by severity, mission impact, and reporting criteria.
• Produce incident reports, after-action reviews, and lessons-learned artifacts that improve detection engineering, response procedures, and continuous monitoring across the ENOCS cyber operations mission set.
• Coordinate with NETCOM Global Cyber Center, DISA DCDC, ARCYBER, USCYBERCOM, and regional RCC stakeholders, as applicable, to support incident analysis, notification, and remediation activities across the DoDIN-Army-NG AOR.
• Leverage operational data from USIEM, EDR, IDS/IPS, and related analytics sources to support incident scoping, response decision-making, and post-incident defensive improvements.
• Ensure required documentation and reporting are completed in support of Task 3 deliverables for cyber incident response and digital media analysis, while maintaining alignment with continuous monitoring and RMF-related evidence needs.
• Support the refinement of response playbooks, escalation procedures, and threat-informed defensive processes to improve the speed and quality of ARNG incident response operations.