Principal Incident Response Investigator

Job Description

At WithSecure™, we protect businesses all over the world. Our SaaS solutions safeguard against modern cyber threats, and our innovative Co-security approach reflects our belief that true protection requires collaboration and shared expertise. No one can solve every cyber security problem alone. Our vision is to become Europe’s flagship in cyber security. Every day, our talented teams work to prevent cyber extortion, secure critical infrastructure, and prevent misuse of sensitive data. At WithSecure, it’s our people who make us exceptional – a diverse community that values passion, purpose, and a commitment to workplace well-being. If you’re ready to make an impact with a company that’s transforming cybersecurity, we’d love to hear from you.

As a Principal Incident Response Investigator, you will be at the forefront of our IR practice, leading complex, high-profile cyber incident engagements for clients across government, critical national infrastructure, and the private sector.

This senior role requires exceptional technical expertise, the ability to manage incidents under pressure, and strong communication skills to brief both executives and technical stakeholders. Due to the sensitive nature of much of our work, DV clearance (or the ability to attain it) is essential, and ChCSP – Incident Response certification (or the ability to attain) is highly desirable.

You will serve as a trusted advisor to our clients, guiding them through critical incidents and helping them strengthen their resilience. Internally, you will drive capability development, mentor investigators, and contribute thought leadership to the wider security community.

Key Responsibilities

· Client-Facing Investigations: Lead end-to-end incident response engagements, from triage and containment to forensic analysis and recovery.

· Incident Leadership: Act as incident commander/advisor for major client breaches, co-ordinating efforts across client stakeholders, third parties, and law enforcement.

· Forensic Expertise: Conduct advanced forensic investigations across endpoints, servers, networks, cloud platforms, and SaaS environments.

· Threat Attribution: Analyse adversary behaviour and integrate threat intelligence to inform attribution, client reporting, and proactive defences.

· Executive Engagement: Deliver concise, risk-focused briefings to client executives, boards, and regulators during and after incidents.

· Advisory Role: Provide clients with guidance on incident readiness, detection engineering, and response capability improvements.

· Playbook & Tooling Development: Evolve methodologies, tools, and processes to ensure delivery excellence and repeatability.

· Mentorship & Leadership: Coach and mentor junior investigators and consultants, developing the next generation of responders.

· Knowledge Sharing: Contribute to white papers, conference talks, and internal knowledge repositories to advance our consultancy’s reputation and capabilities

What are we looking for?

• DV clearance, or the ability to attain DV clearance, is essential.
• Experience in incident response, digital forensics, or threat hunting, with significant consultancy or client-facing exposure.
• Demonstrable experience leading large-scale or high-profile investigations, including ransomware, insider threats, and targeted intrusions.
• Expertise in forensic acquisition and analysis across Windows, Linux, macOS, and cloud environments.
• Deep understanding of attacker tactics, techniques, and procedures (TTPs), and frameworks such as MITRE ATT&CK.
• Hands-on skills with SIEMs, EDRs, and forensics tools.
• Scripting capability (Python, PowerShell, Bash) for investigation acceleration and automation.
• Excellent communication skills, with the ability to build client trust and explain technical findings to non-technical audiences.

Preferred Qualifications/Experience

• ChCSP – Incident Response certification, or the ability to attain, is highly desirable.
• Certifications such as GIAC (GCFA, GEIR, GCFE, GREM, GNFA), CREST CRTIR, CISM, or CISSP.
• Consulting experience across multiple sectors (e.g., government, financial services, healthcare, critical national infrastructure).
• Knowledge of malware reverse engineering and adversary tradecraft.
• Experience liaising with regulators, insurers, and legal counsel during incident engagements.
• Contribution to the wider security community (research, publications, speaking engagements)
• Familiarity with regulatory and legal considerations relevant to incident response

What will you get from us

· Competitive remuneration (plus overtime and on-call allowances)

· Research time

· Fully funded certifications

· The opportunity to lead investigations into some of the most significant cyber incidents globally.

· Client variety, work across technologies, sectors and industries, tackling diverse and challenging cases.