Swiss Post Cybersecurity

Incident Response and Forensic Analyst, CSIRT Member

Switzerland · Full-time · Mid-Senior

About Swiss Post Cybersecurity

We offer companies and public authorities a comprehensive range of security solutions to better protect sensitive data and meet growing security requirements.

Swiss Post Cybersecurity was established in July 2024 through the merger of terreActive and Hacknowledge and is based in Aarau and Morges.

Due to a rapidly growing volume of engagements, we are looking for an Incident Response and Forensic Analyst to join our Incident Response Team, starting at the end of summer or by arrangement. The ideal candidate brings solid expertise and hands-on experience to help protect our customers from cyberattacks.

Mandatory requirements

  • You live within approximately one hour of Aarau or Zurich, or are willing to relocate to the area. EU candidates ready to relocate may be considered.
  • You have strong verbal and written communication skills in German (C1 minimum) and English (C1 minimum); French is a plus.
  • You are willing to participate in a 24/7 on-call rotation, with potential emergency travel to customer sites.

Your responsibilities

  • Investigate and triage suspicious activity on workstations and information systems, from initial doubt to confirmed incident.
  • Assist clients in managing security incidents, including APT intrusions, ransomware, BEC, data exfiltration, insider threats, web application compromises, phishing and credential theft.
  • Conduct proactive threat hunting to identify past or ongoing compromises.
  • Support clients during crisis situations, including containment, eradication, and recovery phases.
  • Lead kickoff meetings and present clear, actionable analyses to clients.
  • Provide pragmatic recommendations, such as reconstruction plans for compromised environments.
  • Collaborate closely with the SOC to improve real-time detection capabilities.
  • Contribute to the full range of team activities, including tabletop exercises and threat intelligence.
  • Enhance team expertise by enriching methodologies, sharing research (tools, articles, insights), and developing and testing tools.
  • Build and deliver training sessions in academic or professional environments.
  • Promote CSIRT activities through impactful publications.

Your profile

  • At least 3 years in a SOC/CSIRT environment, including 2 years of hands-on incident response involving advanced threats (APT, ransomware, BEC).
  • Deep understanding of operating system internals and/or reverse engineering (Windows internals, Win32 API, Active Directory, GNU/Linux), as well as hands-on forensics and incident response in public cloud environments (Azure/AWS/GCP, including M365/Entra ID).
  • Familiarity with incident response tools and processes (e.g. Velociraptor, KAPE, Plaso).
  • Proficiency in scripting or development to automate repetitive tasks, such as intrusion detection scenarios.
  • Bonus: familiarity with macOS or mobile forensics (Android/iOS).
  • Bachelor's or Master's degree in a relevant field and/or industry certifications are a plus.

What we offer

  • Collaborative efforts thrive within an efficient, engaged, friendly and well-synchronized team.
  • Our offices span Aarau, Morges and Luxembourg, with access to facilities across our locations.
  • Individual flexibility is supported through adaptable hours and remote work options.
  • Resources and funding are available for both internal and external skill development.
  • Tailored LPP/BVG conditions provide competitive benefits.


Job Ref: bkNYT0leekVZXl9GS15DRUQQSVlDWF5qWVpJWQRJQg==

Key Skills

Ranked by relevance

incident response, reverse engineering, active directory, cybersecurity, cloud
Posted: Jun 16, 2026
Type: Full-time
Level: Mid-Senior
Location: Aarau

Industries

Computer Network Security

Categories

Other Information Technology Management
