Senior Incident Response Analyst

Added: 4 days ago
Type: Full time
Salary: Not Specified

You’ve seen it all, or at least enough to know that no two incidents are ever the same. When an intrusion hits, your instinct kicks in: gather the evidence, map the attacker’s path, contain the damage, and help the customer bounce back stronger. You thrive in the chaos of an unfolding incident, and you bring calm, clarity, and technical precision to every situation.

At Expel, our Senior Incident Response Analysts are trusted partners and escalation points for complex investigations. You’ll lead detection, containment, and remediation across diverse environments, from on-prem infrastructure to cloud-native ecosystems. You’ll not only tackle incidents head-on but also help shape how Expel detects and responds to threats at scale.

This role is part investigator, part mentor, part builder. You’ll guide analysts through incident response, refine our detections and tools, and collaborate with engineering, engagement management, and product teams to drive Expel’s security roadmap forward. You’ll also have a front-row seat to some of the most sophisticated attacker tradecraft out there and the freedom to innovate on how we outsmart them.


What you can do for Expel
  • Lead high-impact investigations and guide customers through containment and remediation.
  • Analyze and interpret complex security data to determine scope, impact, and root cause.
  • Build and refine custom detections across multiple platforms, improving our threat visibility.
  • Translate incidents into proactive strategies to strengthen customer resilience.
  • Mentor SOC analysts and specialists, sharing expertise and raising the team’s bar.
  • Collaborate closely with the Engineering and Product teams to improve our tooling and response workflows.
  • Participate in 24x7 on-call rotations for major incident handling and escalations.
  • Contribute to Expel’s blog or internal knowledge base to share lessons learned.

What Expel can do for you
  • Surround you with sharp, experienced peers who love learning as much as teaching.
  • Give you exposure to diverse customer environments and attacker tactics.
  • Offer autonomy, flexibility, and trust to experiment, improve, and drive outcomes.
  • Support your continued learning with certifications, conferences, and structured mentorship.
  • Provide transparent pay, flexible work, generous health benefits, and up to 24 weeks of parental leave.

What You Should Bring With You
  • 4–6 years of hands-on experience in security operations or incident response.
  • Advanced network protocol analysis skills (you know TCP/IP inside out).
  • Deep knowledge of Windows internals, forensic artifacts, and live response techniques.
  • Expertise with Linux and macOS command-line tools.
  • Deep experience with EDR, SIEM, and IDS/IPS technologies.
  • Familiarity with cloud investigations (AWS, GCP, Azure) and container security (Kubernetes, Docker).
  • Solid understanding of attacker tradecraft, threat tactics, and MITRE ATT&CK.
  • Bonus points for scripting (Python, PowerShell, Go, or similar).
  • Excellent written and verbal communication: you can turn technical chaos into clear, actionable guidance.

Additional notes

The targeted compensation range for this role is between $122,400 USD and $177,500 + equity.

We believe in paying transparently and equitably. Your salary will ultimately be based on factors such as your experience, skills, team equity, and market data. You’ll also be eligible for unlimited PTO (which we model and encourage), work location flexibility, up to 24 weeks of parental leave, and really excellent health benefits.

We're an Equal Opportunity Employer: You'll receive consideration for employment without regard to race, sex, color, religion, sexual orientation, gender identity, national origin, protected veteran status, or on the basis of disability.

We’ll ensure that individuals with disabilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Please let us know if you need accommodation of any kind.

Salary Range: $122,400 to $177,500 USD
