
DFIR Program Lead

Centurion Consulting Group

United States

Remote

USD 120,000 - 180,000

Full time

2 days ago

Job summary

A leading company is seeking a DFIR Program Lead to establish and mature their Digital Forensics and Incident Response program. This role involves building the DFIR framework, leading incident response operations, and collaborating with cross-functional teams to enhance security measures. Ideal candidates will have extensive experience in security operations and a strong technical background in forensics and automation.

Qualifications

  • Preferred 10+ years of experience in security operations, incident response, or DFIR roles.
  • Strong technical knowledge of Windows, Linux, SaaS, and cloud environments.
  • Hands-on expertise with forensics tools and scripting languages.

Responsibilities

  • Build and own the DFIR program framework and roadmap.
  • Lead end-to-end incident response operations and coordinate activities.
  • Design and implement DFIR automation and tooling.

Skills

Incident Response
Automation
Cross-Functional Coordination
Communication
Forensics Tools
Scripting Languages

Certifications

GCFA
GCIH
CISM

Tools

SIEM
EDR
Case Management Platforms

Job description

Centurion Consulting Group is looking for a DFIR Program Lead for one of our clients in Las Vegas, NV.

Location: Remote or Las Vegas, NV (preferred)
Department: Security Operations, DFIR
Type: Full-Time

Overview:

We are seeking an experienced and strategic DFIR Program Lead to build, own, and mature our Digital Forensics and Incident Response program. This role will serve as the cornerstone for incident response operations, driving continuous improvement across detection, response, automation, and cross-functional collaboration. If you're passionate about incident handling, automation, and building DFIR programs from the ground up, we want to hear from you.

Key Responsibilities:

  1. Build and Own the DFIR Program Framework
  • Develop and maintain a comprehensive DFIR roadmap aligned with business priorities and compliance needs.
  • Author and manage key DFIR documentation, including:
    • Incident Response Plan (IRP)
    • Evidence Handling SOPs
    • Threat-specific playbooks (e.g., ransomware, BEC, insider threats, cloud compromise)
  • Define incident severity classifications and escalation workflows to standardize response procedures.
  2. Lead End-to-End Incident Response Operations
  • Act as lead investigator for low- to medium-severity incidents across endpoints, cloud, SaaS, and infrastructure.
  • Coordinate response activities across stakeholders (SOC, IT, Legal, HR).
  • Liaise with external DFIR teams during high-severity events under an IR retainer agreement.
  3. Mature Detection and Response Capabilities
  • Collaborate with SOC and detection engineers to improve signal fidelity and reduce false positives.
  • Identify and remediate visibility gaps in telemetry and log coverage.
  • Work closely with Threat Intelligence to operationalize threat actor TTPs.
  4. Design and Implement DFIR Automation & Tooling
  • Build automation for tasks such as host triage, evidence capture, and log aggregation.
  • Develop custom scripts and integrations for Windows/Linux, ticketing systems, and case management.
  5. Post-Incident Reviews & Lessons Learned
  • Lead After-Action Reviews (AARs) following security incidents.
  • Document lessons learned and develop concrete improvement actions across teams.
  • Track and report on remediation status (e.g., patching, access updates, control enhancements).
  6. Define and Track DFIR Metrics
  • Create key DFIR performance indicators (e.g., MTTR, detection accuracy, RCA rate).
  • Maintain a DFIR dashboard for leadership visibility.
  • Use metrics to support resource planning and budget justification.

Qualifications:

  • Preferred 10+ years of experience in security operations, incident response, or DFIR roles.
  • Strong technical knowledge of Windows, Linux, SaaS, and cloud (AWS/Azure) environments.
  • Experience developing and implementing IR plans, playbooks, and procedures.
  • Hands-on expertise with forensics tools, SIEM, EDR, case management platforms, and scripting languages (e.g., Python, PowerShell).
  • Proven experience in cross-functional coordination during live incident response.
  • Excellent written and verbal communication skills, including executive reporting and technical documentation.

Preferred:

  • Experience working with external IR retainers or MSSPs.
  • Familiarity with threat frameworks such as MITRE ATT&CK.
  • Certifications such as GCFA, GCIH, CISM, or related credentials.

Position Details:

  • Clearance: NA
  • US Citizen or Green Card holder
  • Travel: < 10% (CONUS)
  • Centurion Consulting Group, LLC is an Equal Opportunity Employer (EOE M/F/D/V)
  • No third parties or subcontractors