Washington, DC, 20080, USA
Information Technology Specialist (Security)
Summary

This position is located within the Department of Technology Services (DTS), Information Technology Security Office (ITSO). The incumbent is a recognized IT security expert with a strong defensive cyber background and hands-on experience in incident response. The incumbent will perform multiple and varying assignments under the direction of the Chief, Incident Response Branch, Security Operations Division.

Responsibilities

The Incident Response Subject Matter Expert (SME), under the direction of an Incident Commander, is responsible for analyzing intrusion alerts, assessing impact, implementing containment measures to limit threat propagation, and facilitating the recovery of compromised systems. This role supports 24x7x365 security operations and requires availability between 0600 and 2100 EST during incident response activities, with additional on-call responsibilities for weekend and after-hours incidents.

The incumbent must be able to perform the tasks and meet the knowledge and skill statements described in NIST Special Publication 800-181, the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity, for the work roles of Defensive Cybersecurity (PD-WRL-001) and Incident Response (PD-WRL-003).

Duties include, but are not limited to, the following:

- Conducting thorough analysis of network, endpoint, and application logs to identify and assess intrusions, determine their impact, and implement appropriate containment strategies to mitigate threats.
- Providing timely and accurate incident status updates to key stakeholders, including the Incident Commander, SOC leaders, and executives.
- Developing and testing enterprise-wide detection and response capabilities, including endpoint artifact retrieval, isolation techniques, and YARA rule creation, to improve threat detection and containment at scale.
- Maintaining and enhancing the organization's incident response framework by defining and refining incident declaration processes, updating the Judiciary's Incident Response Plan, and identifying gaps in existing procedures.
- Driving continuous improvement through the development and validation of readiness exercises, standard operating procedures, and playbooks, while pioneering incident response techniques for PaaS and SaaS cloud environments and leveraging automation to streamline response efforts.

Requirements

Conditions of Employment

All information is subject to verification. Applicants are advised that false answers or omissions of information on application materials, or inability to meet the following conditions, may be grounds for non-selection, withdrawal of an offer of employment, or dismissal after being employed.

Selection for this position is contingent upon completion of the OF-306, Declaration for Federal Employment, during the pre-employment process and proof of U.S. citizenship for competitive status positions or conversion to a competitive status position with the AO. If non-citizens are considered for hire into a temporary or any other position with non-competitive status, or when the AO Human Resources Office confirms that there are no qualified U.S. citizens for a competitive status position (unless prohibited by a law or statute), non-citizens must provide proof of authorization to work in the U.S. and proof of entitlement to receive compensation. Additional information on the employment of non-citizens can be found at the USAJOBS Help Center under Employment of non-citizens. For a list of documents that may be used to provide proof of citizenship or authorization to work in the United States, please refer to Form I-9, Employment Eligibility Verification.

All new AO employees will be required to complete an FBI fingerprint-based national criminal database and records check and pass a public trust suitability check. New employees to the AO will be required to successfully pass the E-Verify employment verification check. To learn more about E-Verify, including your rights and responsibilities, visit https://www.e-verify.gov/. All new AO employees are required to identify a financial institution for direct deposit of pay before appointment.

You will be required to serve a trial period if selected for a first-time appointment to the Federal government, transferring from another Federal agency, or serving as a first-time supervisor. Failure to successfully complete the trial period may result in termination of employment. If appointed to a temporary position, management may have the discretion of converting the position to permanent depending upon funding and staffing allocation.

Qualifications

Applicants must have demonstrated experience as listed below. This requirement is in accordance with the AO Classification, Compensation, and Recruitment Systems, which include interpretive guidance and reference to the OPM Operating Manual for Qualification Standards for General Schedule Positions. Applicants must have at least one full year (52 weeks) of specialized experience that is in or directly related to the line of work of this position. Specialized experience is demonstrated experience in ALL of the following:

- Development experience, including proficiency in one or more of the following: .NET, PowerShell, C#, or Python.
- Comprehensive understanding of adversarial techniques, with the ability to technically diagram and articulate the stages of an intrusion.
- SME-level experience examining enterprise audit logs, including Windows Event Log and Sysmon in Windows environments and auditd in Linux environments.
- Knowledge of forensic methodologies and the processes involved in collecting, preserving, and analyzing digital evidence to accurately reconstruct events and support incident response efforts.
- Experience analyzing sophisticated attacker techniques that exploit email and cloud services as attack vectors.

Desired, but Not Required:

- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Certified Forensic Examiner (GCFE)
- GIAC Cloud Incident Response (GCIR)
- Certified Information Systems Security Professional (CISSP)

Education

This position does not require education to qualify.

Additional Information

The AO is an Equal Opportunity Employer.