What Does an Incident Responder Do?
The Short Version
An Incident Responder (a.k.a. CSIRT Engineer or Intrusion Analyst) is a cyber firefighter, rapidly addressing security incidents and threats within an organization.
In your role as a first responder, you will be using a host of forensics tools to find the root cause of a problem, limit the damage and see that it never happens again. Like a firefighter, part of your job will also involve education and prevention.
Incident Responder Responsibilities
On the ground level, your job is to keep attacks from occurring and/or prevent them from getting worse. During the course of your day, you may be required to:
- Actively monitor systems and networks for intrusions
- Identify security flaws and vulnerabilities
- Perform security audits, risk analysis, network forensics and penetration testing
- Perform malware analysis and reverse engineering
- Develop a procedural set of responses to security problems
- Establish protocols for communication within an organization and dealings with law enforcement during security incidents
- Create a program development plan that includes security gap assessments, policies, procedures, playbooks, training and tabletop testing
- Produce detailed incident reports and technical briefs for management, administrators and end-users
- Liaise with other cyber threat analysis entities
Some Incident Responders work as independent consultants; others are employed by large organizations. If you are a member of a Computer Security Incident Response Team (CSIRT), you will typically report to a CSIRT Manager.
Incident Responder Career Paths
Just starting out? It’s possible to gain basic experience in security and incident response as a:
- Security Administrator
- Network Administrator
- System Administrator
Or you could choose to make the leap from Forensics.
After you have a few years under your belt, you might wish to lead your team as a CSIRT Manager or Director of Incident Response.
“Incident Responder” is the generic term. Equivalent job titles include:
- Computer Security Incident Response Team (CSIRT) Engineer
- Cyber Incident Responder
- Incident Response Engineer
- Cyber Security Incident Responder
- Computer Network Defense (CND) Incident Responder
Some companies may be looking for an Intrusion Detection Specialist, Network Intrusion Analyst or Forensics Intrusion Analyst with the same qualifications.
Incident Responder Salaries
Since this is a niche job, standard salary figures from the BLS and Payscale can be hard to come by. What’s more, Incident Responders often get flex time – they might work two 24-hour shifts to deal with a single incident and then have the rest of the week off.
In our search of Indeed using the keywords “incident response”, the two most popular salary estimates were $50,000-$70,000 and $70,000-$90,000 (2014 figures).
For the keywords “incident response analyst”, these figures climbed to $70,000-$90,000 and $90,000-$110,000 (2014 figures).
As you might expect, Incident Response team leaders get paid more. Their salaries range from $100,000-$150,000.
Incident Responder Job Requirements
Most Incident Responders don’t hold a specialized degree. A bachelor’s degree in Computer Science or the equivalent (e.g. Math, Electrical Engineering, Cyber Security, etc.) is nice, but it’s not always necessary.
Interested in better job opportunities and/or CSIRT management? You could consider a master’s degree in Information Assurance or Information Security with a focus on incident response. Some universities even offer an incident response management track.
The norm appears to be 2-3 years of security/incident response experience. Job listings for Senior Incident Responders and Senior Intrusion Analysts usually demand 5+ years of relevant experience.
Incident Responders are expected to know their systems inside-out. Forensics skills are equally valued. Employers (like Google) will want to see you’re capable of responding to security problems in target-rich environments. Sample skills include:
- Windows, UNIX and Linux operating systems
- C, C++, C#, Java, ASM, PHP, Perl
- TCP/IP-based network communications
- Computer hardware and software systems
- Operating system installation, patching and configuration
- Backup and archiving technologies
- Web-based application security
- eDiscovery tools (NUIX, Relativity, Clearwell, etc.)
- Forensic software applications (e.g. EnCase, FTK, Helix, Cellebrite, XRY, etc.)
- Enterprise system monitoring tools and SIEMs
- Cloud computing
Being a first responder can be a stressful, pressure-packed job. That means employers and hiring agencies are looking for flexible, adaptable and down-to-earth candidates. Panickers and procrastinators need not apply.
Incident Responders act as detectives, so find ways to highlight your problem-solving and analytical skills. Can you write clearly and concisely? Do you know how to speak to a room full of non-technical colleagues and executives? Strong oral and written communication skills are a huge plus.
Certifications for Incident Responders
Incident Responders are close siblings to Forensics Experts, so you will see many of the same certifications in job descriptions. Certification requirements will vary from job to job, so we always recommend talking to employers and senior-level colleagues for their opinion.
- CCE: Certified Computer Examiner
- CEH: Certified Ethical Hacker
- GCFE: GIAC Certified Forensic Examiner
- GCFA: GIAC Certified Forensic Analyst
- GCIH: GIAC Certified Incident Handler
- GCIA: GIAC Certified Intrusion Analyst
- CCFE: Certified Computer Forensics Examiner
- CPT: Certified Penetration Tester
- CREA: Certified Reverse Engineering Analyst