What Does an Incident Responder Do?
What is an Incident Responder?
An Incident Responder (a.k.a. CSIRT Engineer or Intrusion Analyst) is a cyber firefighter, rapidly addressing security incidents and threats within an organization. In your role as a first responder, you will be using a host of forensics tools to find the root cause of a problem, limit the damage and see that it never happens again. Like a firefighter, part of your job will also involve education and prevention.
Although the fields of incident response and forensics are gradually merging, we’ve kept Forensics Expert as a separate job description for the time being. You’ll notice that job responsibilities for incident responders can be more immediate than forensics—you may be engaged in pen testing and auditing, intrusion detection, and crisis-handling. Hard skills are important. So too is the ability to keep calm under intense pressure. In essence, your job is to keep attacks from occurring and/or prevent them from getting worse.
Incident Responder Job Responsibilities
During the course of your day, you may be required to:
- Actively monitor systems and networks for intrusions
- Identify security flaws and vulnerabilities
- Perform security audits, risk analysis, network forensics and penetration testing
- Perform malware analysis and reverse engineering
- Develop a procedural set of responses to security problems
- Establish protocols for communication within the organization and with law enforcement during security incidents
- Create a program development plan that includes security gap assessments, policies, procedures, playbooks, training and tabletop testing
- Produce detailed incident reports and technical briefs for management, administrators and end-users
- Liaise with other cyber threat analysis entities
Some Incident Responders work as independent consultants; others are employed by large organizations. If you are a member of a Computer Security Incident Response Team (CSIRT), you will typically report to a CSIRT Manager.
Incident Responder Careers
Incident Responder Career Paths
Just starting out? It’s possible to gain basic experience in security and incident response as a:
- Security Administrator
- Network Administrator
- System Administrator
Or you could choose to make the leap from Forensics.
After you have a few years under your belt, you might wish to lead your team as a CSIRT Manager or Director of Incident Response.
“Incident Responder” is the generic term. Equivalent job titles include:
- Computer Security Incident Response Team (CSIRT) Engineer
- Cyber Incident Responder
- Incident Response Engineer
- Cyber Security Incident Responder
- Computer Network Defense (CND) Incident Responder
Some companies may be looking for an Intrusion Detection Specialist, Network Intrusion Analyst or Forensics Intrusion Analyst with the same qualifications.
Incident Responder Salaries
Since this is a niche job, standard salary figures from the BLS and Payscale can be hard to come by. What’s more, Incident Responders often get flex time – they might work two 24-hour shifts to deal with a single incident and then have the rest of the week off.
- In our search of Glassdoor for the keywords “incident response”, the salary estimate is $85,427 (2019 figures).
- In our search of Indeed for the keywords “incident response analyst”, these figures climbed to $70,000+ on the lowest end to $115,000+ on the highest (2019 figures).
Incident Responder Job Requirements
When it comes to incident responder jobs, experience counts for a lot. Employers will be pleased to see your BS in Cyber Security or Computer Forensics, but they may be equally impressed if you’ve earned a couple of relevant certifications (e.g. CPT, GCIH, etc.) and you’ve already worked with a CSIRT.
If you don’t have a lot of previous experience or a high-powered degree, think creatively. Talk to current CSIRT professionals (e.g. through LinkedIn or at a cyber security conference) and ask them how they got into the business. Most folks are remarkably helpful if you approach them with specific questions. You may also want to consider investing in an online bootcamp, free MOOC, or training course. The more exposure you can gain to the field, the better.
A number of Incident Responders don’t hold a specialized degree. A bachelor’s degree in Computer Science or the equivalent (e.g. Math, Electrical Engineering, Cyber Security, Computer Forensics, etc.) is nice, but it’s not always necessary if you have the right skills and on-the-job training.
Interested in better career opportunities and/or CSIRT management? You could consider a master’s degree in Information Assurance or Information Security with a focus on incident response. Some universities even offer an incident response management track.
The norm for lower-level and intermediate incident responder jobs appears to be 2-3 years of security/incident response experience. Job listings for Senior Incident Responders and Senior Intrusion Analysts usually demand 5+ years of relevant experience.
Incident Responders are expected to know their systems inside-out. Forensics skills are equally valued. Employers (like Google) will want to see you’re capable of responding to security problems in target-rich environments. Sample skills include:
- Windows, UNIX and Linux operating systems
- C, C++, C#, Java, ASM, PHP, Perl
- TCP/IP-based network communications
- Computer hardware and software systems
- Operating system installation, patching and configuration
- Backup and archiving technologies
- Web-based application security
- eDiscovery tools (NUIX, Relativity, Clearwell, etc.)
- Forensic software applications (e.g. EnCase, FTK, Helix, Cellebrite, XRY, etc.)
- Enterprise system monitoring tools and SIEMs
- Cloud computing
Being a first responder can be a stressful, pressure-packed job. That means employers and hiring agencies are looking for flexible, adaptable and down-to-earth candidates. Panickers and procrastinators need not apply.
Incident Responders act as detectives, so find ways to highlight your problem-solving and analytical skills. Can you write clearly and concisely? Do you know how to speak to a room full of non-technical colleagues and executives? Strong oral and written communication skills are a huge plus.
Certifications for Incident Responders
Incident Responders are close siblings to Forensics Experts, so you will see many of the same certifications in job descriptions. Certification requirements will vary from job to job, so we always recommend talking to employers and senior-level colleagues for their opinion.
- CCE: Certified Computer Examiner
- CEH: Certified Ethical Hacker
- GCFE: GIAC Certified Forensic Examiner
- GCFA: GIAC Certified Forensic Analyst
- GCIH: GIAC Certified Incident Handler
- GCIA: GIAC Certified Intrusion Analyst
- CCFE: Certified Computer Forensics Examiner
- CPT: Certified Penetration Tester
- CREA: Certified Reverse Engineering Analyst