Senior Incident Response Analyst

Vancouver, CA, V6C 1W6

Technology Office

Sophos Overview – Cybersecurity Evolved

Sophos evolves to meet every new challenge, protecting more than 400,000 organizations of all sizes in more than 150 countries from today’s most advanced cyberthreats. Powered by SophosLabs, our cloud-native and AI-enhanced solutions are able to adapt and evolve to secure endpoints and networks against never-before-seen cybercriminal tactics and techniques. Managed through our award-winning, cloud-based platform, Sophos Central, our best-of-breed products work together through our unique Synchronized Security system to share threat intelligence and respond to evolving threats. The Sophos suite of products secures networks and endpoints against automated and active-adversary breaches, ransomware, malware, exploits, data exfiltration, phishing, and more.


Job Purpose

As a security company Sophos has an internal Cybersecurity team which focuses on protecting Sophos’ own systems, its products and its infrastructure.


This role is for an experienced Senior Incident Response Analyst to join our Cybersecurity “Blue team”.

This is a great opportunity to help secure a world-leading security company. As you’d expect, you’ll be joining an organization that takes cyber security seriously. You will get the opportunity to work with some world-leading experts from across the company in a fast-paced and exciting environment where security is a priority.


The ideal candidate will have real-world experience of defensive security, digital forensics & incident response and be familiar with using big-data analytics to hunt for threats.

We’ll need you to help us keep on-premises and cloud infrastructure secure. This will involve working with leading commercial and open-source tools as well as establishing and maintaining strong links to industry experts and world-class specialist consultants.

You’ll need to be highly motivated, have an innovative mindset and be able to clearly articulate complex technical security issues.


Duties & Responsibilities

As part of this role you will:

  • Perform incident response investigations, containment and root cause analysis activities across multiple platforms including Windows, Mac and *nix estates
  • Recognize the attacker TTPs and create detections based on that understanding.
  • Perform threat intelligence operations with commercial and open-source toolsets.
  • Lead the Incident through its lifecycle, identifying root causes and documenting Post-incident actions for short/long term remediation.
  • Lead the incident through the incident lifecycle until the closure of the RCA
  • Present the RCA, PIR to senior management
  • Handle security incident escalations from Tier II and Tier III analysts
  • Be a security subject matter expert to support development and operational activities.
  • Actively participate in daily triage of SIEM events
  • Design and develop automation (SOAR) to ensure existing SOC processes are automatically escalated to respective teams.
  • Develop security monitoring and detection systems. Investigate anomalous events across our service infrastructure and coordinate response with DevOps teams
  • Recommend and help implement improved threat response capabilities into the DevOps platform
  • Have and maintain (via conferences, etc.) a great knowledge of infosec industry trends and developments and advise on changes to the threat landscape.
  • Present and write blog posts highlighting key areas the team has experienced/innovated in, at community forums and industry events.


Special Conditions

  • Willingness to work outside of standard business hours including weekends and holidays – our Global SOC works 24x7x365
  • Some global travel may be required (post pandemic)


Organizational Responsibility

  • Works closely with the Security Operations Centre, Sophos MTR team, SophosLabs experts, Product Security Engineers and IT.
  • Reports to the Global Security Operations Manager, based in Vancouver.


Skills & Experience


  • 5+ years in Digital Forensics and Incident response (DFIR)
  • Experience with building detection use cases and managing SIEM content.
  • Experience with any of the SIEM solutions - Splunk, Kibana, Logstash, Sumo Logic or similar.
  • Practical and operational experience with MITRE TTPs
  • Experience in presenting security incidents to Management
  • Scripting experience – Python/JavaScript/Go/PowerShell
  • Hands on experience of network, memory and host forensics.
  • Hands-on experience investigating and responding to compromises by advanced attackers
  • Experience with SQL query construction
  • Experience with osquery; programming and scripting skills – proficient knowledge of PowerShell
  • Strong interpersonal skills
  • Experience with cloud security architectures – particularly AWS and its services
  • Deep knowledge of Operating system internals across Linux & Windows.
  • Educated to bachelor’s degree level or relevant experience.



  • Understanding of SDLC and DevSecOps.
  • Experience working in a global environment.
  • Contributions to open-source security projects and/or publications.
  • Knowledge of Sophos products.
  • Cross-platform knowledge of Enterprise IT infrastructure (Networking, Operating Systems, Databases, etc).
  • Security-related professional certification (SANS GIAC, GCIH, GPEN, GCFA, Splunk)


Equal Opportunities

Sophos is committed to equal opportunity in all areas of its work. All qualified applicants will be treated in a fair and equal manner and in accordance with the law regardless of gender, marital status, race, religion, colour, age, disability or sexual orientation.

If you choose to explore this opportunity, and subsequently share your CV or other personal details with Sophos, these details will be held by Sophos for 12 months in accordance with our Privacy Policy and used by our recruitment team to contact you regarding this or other relevant opportunities at Sophos.  If you would like Sophos to delete or update your details at any time, please follow the steps set out in the Privacy Policy describing your individual rights.  If you have any questions about Sophos’ data protection practices, please contact dataprotection@sophos.com.

At Sophos, we want every organization to be protected by innovative, next-generation IT security, even those who don't have a huge IT staff. We protect organizations of all sizes, all around the world by making enterprise-grade security that is simple to deploy, manage, and use. It is our passion, and something we are truly proud of.

Job Segment: Database, Linux, SQL, Open Source, Technology