Staff Incident Response Analyst

About AlphaSense:  The world’s most sophisticated companies rely on AlphaSense to remove uncertainty from decision-making. With market intelligence and search built on proven AI, AlphaSense delivers insights that matter from content you can trust. Our universe of public and private content includes equity research, company filings, event transcripts, expert calls, news, trade journals, and clients’ own research content. The acquisition of Tegus by AlphaSense in 2024 advances our shared mission to empower professionals to make smarter decisions through AI-driven market intelligence. Together, AlphaSense and Tegus will accelerate growth, innovation, and content expansion, with complementary product and content capabilities that enable users to unearth even more comprehensive insights from thousands of content sets. Our platform is trusted by over 6,000 enterprise customers, including a majority of the S&P 500. Founded in 2011, AlphaSense is headquartered in New York City with more than 2,000 employees across the globe and offices in the U.S., U.K., Finland, India, Singapore, Canada, and Ireland. Come join us! About the Role: We are hiring a Staff Incident Response Analyst to serve as the technical escalation point for our L2 SOC analysts and 24/7 managed detection and response (MDR) partner. When a case exceeds what an L2 can handle — complex forensics, multi-system intrusions, ambiguous attacker behavior, or high-stakes containment decisions — it lands with you. You are the last line of technical defense before the Security Operations Manager is pulled in. This is a deeply hands-on role. You will spend the majority of your time in tooling: hunting through the SIEM, pulling host artifacts via EDR remote access, tracing IAM chains in cloud audit logs, and reconstructing attacker timelines from raw evidence. You are expected to know what you are looking at without being told, and to be faster and more thorough than the analysts escalating to you. Core Responsibilities: Escalation Handling & Incident Leadership Receive and own L2 escalations across all severity levels; take over technical lead role on Sev2+ Scope incidents accurately and quickly: determine blast radius, affected assets, and attacker objectives from available telemetry Make and document containment decisions — endpoint isolation, account suspension, token revocation, network block — with clear rationale Maintain a forensically sound incident timeline: ordered evidence, source attribution, and chain-of-custody throughout Communicate incident status to the Security Operations Manager with enough fidelity to brief upward without needing to re-investigate Drive incidents to documented closure: root cause, attacker path, affected assets, and defensive gaps identified Host & Endpoint Forensics Perform deep-dive endpoint triage via EDR: process tree analysis, remote artifact collection, behavioral event review, and custom detection rule evaluation Reconstruct attacker activity from Windows forensic artifacts: Prefetch, Shimcache, Amcache, MFT, $USNJrnl, event logs (4624, 4688, 4698, 7045), and registry hives Analyze Linux host artifacts: bash history, cron jobs, /tmp and /var/log contents, SUID binaries, and persistence mechanisms Perform memory forensics when warranted: process injection, credential extraction artifacts, and in-memory malware indicators Extract and analyze malware samples statically and dynamically: PE header review, strings, YARA matching, and sandbox detonation interpretation Cloud Incident Response — AWS & GCP Lead AWS-based IR: CloudTrail forensics, IAM chain reconstruction, EC2 isolation, S3 access pattern analysis, Lambda execution review Identify and respond to IMDS credential abuse, assumed-role lateral movement, and cross-account privilege escalation Investigate container and serverless incidents: ECS task behavior, Lambda invocation logs, and abnormal API call sequences Correlate VPC Flow Logs, native threat detection findings, and S3 access logs against SIEM events to build a complete cloud-side timeline Handle GCP incidents using Cloud Audit Logs, Cloud Logging, and IAM policy review in a multi-cloud context Use cloud security posture management (CSPM) findings and runtime data as investigative context during active incidents Identity & SaaS Forensics Investigate identity provider incidents: admin audit log review, session anomaly analysis, suspicious app assignments, MFA bypass patterns, and provisioning events Perform customer identity and access management (CIAM) forensics: authentication log analysis, abnormal grant flows, token misuse, and tenant-level anomaly investigation Reconstruct identity-based attack chains across the IdP, cloud IAM, and application layers — from initial credential compromise through lateral movement Identify and respond to OAuth abuse, token theft, session hijacking, and federated identity attacks Threat Hunting & Detection Contribution Conduct structured threat hunts in the SIEM using detection rule logic, event correlation queries, and multi-source pivoting Hunt for attacker behavior that existing detections miss: living-off-the-land techniques, LOLBins, slow-and-low persistence, and C2 beaconing patterns Translate hunt findings and post-incident learnings into specific detection recommendations or rule drafts for the Security Operations Manager Contribute to ATT&CK coverage visibility by flagging technique gaps surfaced during investigations or hunts L2 Escalation Support & Quality Take escalation handoffs from L2 analysts and the MDR partner; provide technical direction when an analyst is stuck, not just take the case Review escalation packages for completeness and accuracy — push back when context is insufficient and coach on what’s missing Identify recurring escalation patterns and flag them to the Security Operations Manager as potential L2 training gaps or detection tuning needs