
Lead Consultant - Incident Response (CPX)

CPX
Abu Dhabi, UAE
fulltime
Mid-Senior
2 weeks ago
management consulting, strategy, business advisory, process improvement, stakeholder management, problem solving

Overview

As a Lead Incident Response – OT Cyber Security, you bring deep expertise in industrial control systems and a strong foundation in enterprise security to lead complex incident response engagements across OT and IT environments.

The role involves conducting threat hunting (across IT and OT), forensic investigations (across IT and OT), and industrial protocol analysis to support safe and effective incident containment and recovery, particularly within critical operational environments.

In addition, the role includes delivering technical reports and executive briefings, contributing to incident response playbooks, and supporting the continuous improvement of OT cybersecurity services.

Key Responsibilities:

Act as the technical lead for IT and OT/ICS incident response engagements and support customers across industrial sectors (energy, utilities, manufacturing, oil & gas, transport).

Independently execute assigned tasks following an initial onboarding period, demonstrating accountability and technical ownership.

Conduct proactive threat hunting across IT and OT/ICS environments, including SCADA servers, historians, HMIs, and engineering workstations.

Perform host-based and network-based forensic investigations across OT and IT environments (Windows HMIs/EWS, Linux-based SCADA systems, enterprise endpoints).

Analyze industrial network traffic and protocols (e.g., Modbus, DNP3, EtherNet/IP, OPC-UA/DA, PROFINET, IEC 61850) to determine attack scope and root cause.

Lead and support digital forensic investigations (IT and OT), including evidence acquisition, artifact analysis, and timeline reconstruction for IT and OT environments.

Assess IT/OT segmentation, Purdue Model alignment, and DMZ configurations during incident scoping and post-incident reviews.

Coordinate with operations, engineering, and safety teams to implement containment and recovery actions without impacting critical physical processes.

Provide expert guidance on OT security hardening, ICS architecture improvements, and defensive control enhancements.

Contribute to OT incident response playbooks, procedures, and documentation, driving continuous service improvement.

Produce detailed technical reports and executive briefings, effectively communicating findings to both technical and non-technical stakeholders.

Demonstrate thought leadership through knowledge sharing, blog publication, and participation in industry forums.

Support on-call incident response activities, including cross-time-zone engagements.

Mentor junior team members and contribute to a collaborative, high-performance team culture.

Strong understanding of OT/ICS architectures and the Purdue Reference Model (Levels 0–4).

Strong understanding of the IT incident response life cycle.

Hands-on experience with industrial platforms, including PLCs (Siemens, Allen-Bradley, Schneider), HMIs, DCS, RTUs, and SCADA systems.

Deep knowledge of industrial communication protocols, including Modbus TCP/RTU, DNP3, IEC 61850/60870, EtherNet/IP, OPC-UA/DA, PROFINET, and BACnet.

Familiarity with Safety Instrumented Systems (SIS) and safety constraints during incident response operations.

Understanding of OT asset lifecycle challenges, including patching limitations, legacy systems, and operational constraints.

Technical Skills:

Strong working knowledge of the MITRE ATT&CK for ICS framework.

Solid understanding of enterprise networking concepts, TCP/IP, and network architectures.

Proficiency in host-based forensics across Windows and Linux systems.

Working knowledge of Active Directory, authentication systems, and Windows event logging.

Experience with network analysis tools (e.g., Wireshark, Zeek, Suricata, RITA).

Ability to perform log analysis across SIEM platforms and OT security monitoring solutions (e.g., Claroty, Dragos, Nozomi, Tenable OT).

Basic understanding of malware analysis techniques, including both static and dynamic approaches, with exposure to OT-targeted malware.

Strong organizational and prioritization skills, with the ability to work independently in high-pressure environments.

Excellent technical report writing and communication skills, delivering both detailed analysis and executive-level summaries.

Skills/Certifications (Technical & Non-Technical):

GIAC Global Industrial Cyber Security Professional (GICSP) — primary OT certification requirement

GIAC Response and Industrial Defense (GRID) — highly desirable

CREST Registered Intrusion Analyst (CRIA) or equivalent — desirable

GIAC Certified in a minimum of one IT discipline: GCIH, GCFE, GCFA, GNFA, GCIA, GDAT, or equivalent

Any other certification with proven relevance to incident response and OT cybersecurity

Education:

Bachelor’s degree in computer science or engineering is desirable but not mandatory
