Lead Incident Responder (L3) - Managed Detection and Response

About the Role

We are seeking an experienced Lead Incident Responder (L3) to act as the technical authority within our Managed Detection and Response (MDR) practice. This is a senior, hands-on role designed for an accomplished incident response professional who thrives in high-pressure environments, leads complex investigations, and partners directly with client executives during critical security events.

While this is a remote role, you will never be working completely alone. You will be supported by a global Incident Response and MDR team of 30+ security professionals across six SOCs worldwide. Collaboration, escalation support, and knowledge sharing are core to how we operate.

As a technical and strategic leader, you will not only respond to incidents but proactively shape detection capabilities, drive improvements in client security posture, and contribute to the evolution of our MSSP services.

This is a remote role, with a strong preference for candidates based in or aligned to the US Central Time Zone, there is travel to US customer sites and a yearly trip to Pune - India.

About SHQ

SecurityHQ is a global cybersecurity company. Our specialist teams design, engineer and manage solutions that do three things: Promote clarity and trust in a complex world. Build momentum around improving security posture. And increase the value of cybersecurity investment within organizations. Free from limitations, and inclusive of all requirements, we focus on defending today, while mitigating the risks of tomorrow. And into the future. Our solutions are tailored to our customers and their unique context. Around the clock, 365 days per year, our customers are never alone. SecurityHQ – We’re focused on engineering cybersecurity, by design.

What You’ll Be Doing

Crisis Management & Technical Leadership

• Act as the final escalation point and technical authority for high-severity security incidents
• Lead and coordinate incident bridges and war rooms during active breaches
• Drive long-term improvements in incident response playbooks, workflows, and tooling
• Engage directly with CISOs, CTOs, and senior client stakeholders, delivering clear, risk-based guidance and remediation strategies
• Champion a “front-foot” incident response mindset, ensuring rapid activation and decisive action during critical events

Advanced Threat Operations

• Conduct hypothesis-driven threat hunting across diverse client environments
• Perform deep Digital Forensics & Incident Response (DFIR) investigations and produce high-quality technical reports
• Participate in Red Team and Purple Team exercises, identifying gaps in detection and response
• Conduct gap analysis to strengthen detection logic and SOC effectiveness

Client Success & Strategic Advisory

• Take ownership of client security posture improvement, ensuring measurable progress over time
• Identify environmental risks and deliver actionable, prioritised recommendations
• Ensure onboarding and environments align with NCSC guidelines, including correct log ingestion and visibility
• Act as a trusted advisor to clients throughout their security maturity journey

Innovation & Automation

• Drive detection engineering initiatives, creating and automating custom use cases
• Contribute to the evolution of our MSSP practice through new methodologies, workflows, and tooling
• Help shape the future of our MDR and Incident Response services

Consulting, Projects & Enablement

• Lead technical workshops and tabletop exercises (TTXs) for client teams
• Manage investigation deliverables, timelines, and stakeholder communications
• Maintain a high standard of client experience, clarity, and follow-through

Required Experience & Skills

• 5–7+ years in Cybersecurity, with at least 5 years in Incident Response or SOC operations
• Strong background in MSSP / MDR environments
• Expert knowledge of EDR/XDR, SIEM platforms (Sentinel, Datadog, QRadar, Splunk)
• Cloud security experience across AWS, Azure, or GCP
• Hands-on experience with network forensics and DFIR tooling (e.g. Velociraptor)
• Proven ability to lead incident war rooms and security incident bridges
• Exceptional communication skills — able to translate technical findings into executive-level risk language

Preferred Certifications

• GIAC certifications (GCIH, GCFA, GCFE, GREM)
• Cloud security certifications (AZ-500, AWS Certified Security)
• CISSP or CISM