Job Title: DFIR Team Lead
Department: Digital Forensics and Incident Response (DFIR)
Reports To: VP of Security Services / Principal Consultant
Experience: 7 to 12 Years
Employment Type: Full-Time
Location: United States (Remote / Hybrid)
Manages: DFIR Analysts and Junior Examiners
Clearance: Must be eligible to work in the United States
ABOUT SEVN-X

SEVN-X is a US-based cybersecurity consulting firm specializing in Digital Forensics and Incident Response, penetration testing, compromise assessments, and managed security services. Our team is built around senior practitioners with deep, hands-on experience responding to complex incidents across enterprise environments. We work with clients in financial services, healthcare, energy, manufacturing, and other regulated industries. We do not outsource. Every engagement is staffed and executed by our own people, and we hold ourselves to a standard of work that holds up in a boardroom, a courtroom, and a post-incident review.

ROLE SUMMARY

SEVN-X is looking for a DFIR Team Lead to own the day-to-day execution of our incident response and digital forensics practice. This is a senior technical leadership role, not a management role that has moved away from the work. The right candidate is still doing hands-on forensics and IR on complex engagements while also building the team, shaping how we work, and ensuring our clients get consistent, high-quality outcomes regardless of which analyst is on the case. You will be the person our analysts come to when an investigation gets complicated, and the person our clients trust to tell them what actually happened and what to do about it.

RESPONSIBILITIES

  • Lead and manage the DFIR team including hiring, onboarding, performance development, and day-to-day oversight of analysts and junior examiners
  • Serve as the senior technical resource and escalation point for complex or high-stakes investigations including ransomware, nation-state activity, insider threat, and litigation-related matters
  • Personally lead or co-lead forensic investigations and incident response engagements from initial triage through root cause determination and final report delivery
  • Own the quality of all DFIR deliverables leaving the firm, including investigation reports, executive summaries, and legal declarations
  • Develop and maintain SEVN-X DFIR methodologies, playbooks, and standard operating procedures to ensure consistency and defensibility across engagements
  • Manage multiple concurrent engagements, assign analyst resources appropriately, and maintain visibility into workload and timeline across the practice
  • Serve as the primary client-facing lead on DFIR engagements, including executive briefings, status communications, and sensitive finding discussions
  • Support and participate in compromise assessment engagements including tooling deployment, threat hunting, and findings development
  • Contribute to business development efforts including scoping, proposal development, and client relationship management
  • Drive internal capability development through training, tooling evaluation, research, and knowledge sharing
  • Maintain expert-level familiarity with the current threat landscape, attacker TTPs, and emerging forensic techniques
  • Represent SEVN-X in legal and regulatory proceedings as a qualified forensic examiner when required

REQUIRED QUALIFICATIONS

  • 7 to 12 years of hands-on experience in digital forensics, incident response, or a directly related function, with at least 3 years in a consulting or professional services environment
  • Demonstrated experience leading or managing a DFIR team or function, including mentoring junior analysts and owning engagement quality
  • GIAC Certified Forensic Analyst (GCFA) required; additional GIAC certifications strongly preferred
  • Expert-level proficiency with the following tooling:
    • Magnet AXIOM for computer and mobile forensic acquisition and analysis
    • X-Ways Forensics for disk-level forensic examination, artifact analysis, and evidence processing
    • CrowdStrike Falcon for EDR-based threat hunting, detection analysis, and incident scoping
    • SentinelOne for endpoint detection, response, and forensic data collection
    • THOR and THOR Lite for compromise assessment and IOC-based scanning across enterprise environments
    • CyberTriage for rapid triage and automated incident scoping
    • Open source tooling including Hayabusa, Chainsaw, and similar Windows event log and threat hunting utilities
    • DFIR case management platforms such as DFIR-IRIS or equivalent
  • Deep expertise in Windows forensic artifact analysis including MFT, registry hives, event logs, LNK files, prefetch, shellbags, SRUM, and memory forensics
  • Proven experience conducting IR investigations in Active Directory, Microsoft 365, and hybrid cloud environments
  • Experience with cloud forensics in AWS, Azure, or Microsoft 365 including log analysis, identity review, and cloud-native artifact collection
  • Strong working knowledge of MITRE ATT&CK, attacker TTPs, and the ability to map investigation findings to framework techniques
  • Demonstrated ability to produce litigation-quality forensic reports, executive briefings, and declarations under penalty of perjury
  • Experience supporting legal matters including civil litigation, regulatory investigations, insurance claims, and law enforcement coordination
  • Exceptional written and verbal communication skills with the ability to present complex technical findings clearly to executive, legal, and non-technical audiences

PREFERRED QUALIFICATIONS

  • GIAC certifications beyond GCFA such as GCFE, GCTI, GREM, GCIA, or GDAT
  • CISSP, EnCE, or other recognized security or forensics credentials
  • Experience testifying as an expert witness in civil or criminal proceedings
  • Familiarity with Velociraptor or similar enterprise-scale DFIR collection and hunting frameworks
  • Scripting and automation experience in Python or PowerShell applied to forensic workflows, tooling integration, or report generation
  • Experience with network forensics including full packet capture analysis, NetFlow review, and network-based intrusion investigation
  • Familiarity with log aggregation and SIEM platforms such as Elastic, Splunk, or Microsoft Sentinel
  • Experience scoping and pricing incident response and forensic engagements in a consulting context
  • Background in or exposure to malware analysis and reverse engineering
  • Prior experience building or growing a DFIR practice from the ground up

LEADERSHIP EXPECTATIONS

This role carries real leadership responsibility. The DFIR Team Lead sets the tone for how investigations are conducted, how findings are communicated, and how the team grows. We expect the person in this seat to be available and present for their analysts, honest with clients even when the findings are uncomfortable, and committed to producing work that holds up under scrutiny. We are a small firm and this role has direct impact on our reputation and our results.

  • Lead by example on technical rigor, documentation standards, and professional conduct
  • Create an environment where analysts can develop their skills and take on increasing responsibility over time
  • Be direct and transparent with clients, leadership, and the team
  • Take ownership of outcomes, not just activities

WHAT WE OFFER

  • Competitive base compensation commensurate with experience and seniority
  • Leadership role with real autonomy and direct influence over how the practice operates
  • Exposure to a wide and varied caseload spanning industries, incident types, and legal contexts
  • A team of serious practitioners who take the work seriously
  • Support for advanced certification pursuit and professional development
  • A firm that does not outsource, does not cut corners, and stands behind its work

SEVN-X is an equal opportunity employer. All applicants must be authorized to work in the United States. This position may require occasional travel to client sites.