[Remote] Staff Incident Response Analyst

Remote Full-time
Note: The job is a remote job and is open to candidates in the USA.

GitHub is the world’s leading platform for agentic software development. As a Staff Incident Response Analyst, you will design and implement solutions to address identified security incidents and drive strategic improvements in security policy and best practices.

Responsibilities

• Identify, triage, and validate security incidents by correlating telemetry across SIEM/EDR, cloud-native logs, identity signals, and application events (e.g., bolthires Sentinel/Splunk, Defender, WAF logs, etc.)
• Design solutions to address identified security incidents across network, identity, endpoint, cloud, and application security domains—evaluating both intended and unintended consequences (e.g., business disruption, alert suppression, access friction, logging gaps)
• Lead proactive prevention efforts by hardening detection coverage and response playbooks against common attack paths (phishing → token theft → privilege escalation → lateral movement → data exfiltration) and driving strategic initiatives leveraging both new and existing technology
• Define response-ready technical controls including detection use cases (MITRE ATT&CK-mapped), log onboarding/normalization, detection tuning, threat hunting hypotheses, and incident severity/impact scoring
• Provide technical leadership during investigations, including rapid scoping, affected-asset identification, and root cause analysis; preserve evidence and maintain chain-of-custody for forensics as needed
• Lead the creation of automation to drive efficiencies in incident response processes by building and maintaining SOAR workflows for enrichment, containment, and notification
• Automate first-responder actions such as IOC extraction, threat intel lookups, user/entity enrichment, suspicious inbox search, endpoint isolation, token revocation, conditional access enforcement, and block rules (DNS/Proxy/Firewall/WAF)
• Collaborate with cross-functional teams (IT, IAM, Network, Cloud, AppSec, Legal/Privacy) to resolve issues with incident coordination processes and new automation, improve reliability, add guardrails, and reduce false positives/unsafe actions
• Contribute to service direction and roadmaps by defining measurable automation outcomes (MTTD/MTTR reduction, alert-to-incident conversion quality, % auto-contained incidents) and prioritizing high-volume, high-confidence workflows
• Establish automation quality practices: version control, testing in staging, rollback plans, least-privilege service principals, and secure secret management (e.g., Vault/Key Vault)
• Drive strategic improvements across partner and stakeholder teams in security policy, standards, and best practices—translating incident learnings into durable control improvements
• Prioritize development and implementation of policies tied to real incident drivers: log retention and coverage, endpoint hardening baselines, privileged access management, MFA/conditional access, vulnerability SLAs, secure remote access, and data handling standards
• Refine security policies by operationalizing them into technical requirements and controls (e.g., CIS benchmarks, secure configuration baselines, centralized logging standards, incident severity definitions, evidence retention)
• Ensure policies are measurable and enforceable via control validation (auditing, configuration monitoring, compliance checks) and periodic tabletop exercises to verify incident readiness
• Educate and engage internal teams and external partners to drive consistency and awareness of security risks, best practices, and standards—especially around incident reporting, escalation paths, and containment expectations
• Translate complex technical findings (e.g., token replay, Kerberoasting indicators, OAuth consent abuse, cloud IAM misconfigurations) into clear business impact, likelihood, and remediation guidance for nontechnical stakeholders
• Develop and deliver executive-ready reporting on security risks and remediation strategies, including incident timelines, scope, containment actions, root cause, corrective actions, and residual risk
• Lead cross-org incident reviews (post-incident retrospectives/blameless RCAs) and drive corrective action plans with owners, due dates, and verification steps
• Partner with engineering/product teams to define new security requirements and feature sets (e.g., additional audit logging, stronger authentication flows, rate limiting, improved anomaly detection hooks)
• Conduct high-level analysis and engage team members to address patterns in key metrics (MTTD, MTTR, containment time, recurrence rate, false positive rate, detection coverage by ATT&CK technique)
• Leverage multiple data sources to identify anomalies, trends, and control gaps driving incidents
• Build and refine dashboards and reporting that enable leadership decisions, including top incident drivers, control effectiveness, high-risk assets, and recurring misconfigurations
• Stay current on emerging threats/techniques and drive adoption of analytical methods such as behavior analytics, baselining, enrichment with threat intel, and detection engineering improvements
• Influence action based on findings, prioritized by severity and exploitability—tracking remediation to closure and validating outcomes with follow-up detection and control testing

Skills

• 10+ years experience in security analysis, security research, cyber security, security engineering, or relevant area
• OR Associate's Degree AND 9+ years experience in security analysis, security research, cyber security, security engineering, or relevant area
• OR Bachelor's Degree AND 8+ years experience in security analysis, security research, cyber security, security engineering, or relevant area
• OR Master's Degree AND 6+ years experience in security analysis, security research, cyber security, security engineering, or relevant area
• OR Doctorate AND 4+ years experience in security analysis, security research, cyber security, security engineering, or relevant area
• OR equivalent experience
• 14+ years experience in Security Operations, security research, cyber security, security engineering, or relevant area
• OR Associate's Degree AND 13+ years experience in security analysis, security research, cyber security, security engineering, or relevant area
• OR Bachelor's Degree AND 12+ years experience in security analysis, security research, cyber security, security engineering, or relevant area
• OR Master's Degree AND 10+ years experience in security analysis, security research, cyber security, security engineering, or relevant area
• OR Doctorate AND 8+ years experience in security analysis, security research, cyber security, security engineering, or relevant area
• OR equivalent experience
• 5+ year(s) leading and/or being a senior leader for a security function/program (e.g., Security Operations Center [SOC], threat and vulnerability management [TVM], Security Development Lifecycle)
• Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Global Information Assurance Certification (GIAC), GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), GIAC Certified Incident Handler (GCIH), GIAC Certified Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP), Security+, or other relevant certification
• 1+ year(s) experience working with GitHub and/or open source software
• 2+ years experience working with application security tools (SAST, DAST, SCA) and/or performing security review activities (threat modeling, security design and architecture review, application security testing and code review) within the development lifecycle

Benefits

• Annual bonus
• Stock
• Learning and growth opportunities

Company Overview

• GitHub is a software company that offers code hosting services that allow developers to build software for open-source and private projects. It is a sub-organization of bolthires. It was founded in 2008, and is headquartered in San Francisco, California, USA, with a workforce of 501-1000 employees. Its website is

Company H1B Sponsorship

• GitHub has a track record of offering H1B sponsorships, with 23 in 2025, 17 in 2024, 14 in 2023, 20 in 2022, 20 in 2021, 10 in 2020. Please note that this does not guarantee sponsorship for this specific role.