Lead Cyber Incident Responder
Snapshot
Location: Sydney
Work type: Permanent
The role
This is a Lead Cyber Incident Responder role with a Federal Government Department, sitting in their Cyber Security Incident Response Team (CSIRT). You'll be running technical IR end-to-end (detection, triage, containment, eradication, recovery and post-incident review) across a federal department's environment. You'll also drive incident comms, develop and test the IR plan, tune alerts, optimise response processes, and mentor the rest of the team. The CSIRT lives in the Microsoft security stack, so deep Sentinel and Defender experience is essential.
About you
- 5+ years hands-on cyber security incident response experience, leading incidents end-to-end (not just SOC L1/L2 triage)
- Strong technical depth in Microsoft Sentinel (writing KQL, building detections, tuning alerts) and Microsoft Defender XDR / Defender for Endpoint
- Excellent written and verbal communication, i.e. you can brief execs during an active incident and write up technical findings for non-technical stakeholders
- Australian citizen, able to obtain Negative Vetting Level 1 (active NV1 or higher is highly preferred)
- Canberra-based is preferred; strong candidates in Brisbane, Melbourne or Sydney will be considered
- Comfortable with on-call and occasional out-of-hours / weekend work
- Bonus: previous APS, Defence, or critical infrastructure IR experience
- 12-month contract, 2 × 12-month extensions available (up to 3 years total)
- EL1-equivalent day rate (final rate confirmed at submission)
- Hybrid working, up to 2 days WFH per week
- Estimated start date: late June 2026
- Genuine technical Lead role - mentor a team, shape the IR program, not just run tickets

Your contact for this role is Debbie Teakle.