Sr Cybersecurity IR Engineer

5 days ago


Cedar Park, Texas, United States Firefly Aerospace Full time $120,000 - $150,000 per year

About Firefly Aerospace
As an end-to-end responsive space company, Firefly Aerospace is on a mission to enable our world to launch, land, and operate in space – anywhere, anytime. Our small- to medium-lift launch vehicles, lunar landers, and orbital vehicles allow us to service the entire lifecycle of government and commercial missions from low Earth orbit to the Moon and beyond. We utilize carbon composite structures, patented propulsion technologies, and common components across our vehicles to iterate quickly, improve reliability, and deliver payloads at a lower cost.

Summary
As a Senior Incident Response Engineer (Detection & Response) at Firefly, you will own triage, threat hunting, investigation, containment, and reporting for our security alerts and user-reported phishing. You will turn alerts from world-class systems into decisive outcomes, tune detections to reduce noise, and build custom rules and safeguards to protect Firefly data (including CUI) in alignment with compliance requirements. You will collaborate closely with Cybersecurity engineers, our GRC team, and a security operations engineer focused on dashboards/automation, using Python and Bash to streamline response and improve time-to-containment.

Responsibilities
Alert Triage, Incident Response & Threat Hunting

  • Monitor and triage alerts from SIEM, EDR, Identity Protection, and risky-user analytics; determine severity, scope, and next actions.
  • Proactive threat hunting: develop hypotheses, pivot through endpoint/identity/cloud/email telemetry (e.g., FQL/KQL), enrich with intel, validate findings, and convert successful hunts into durable detections/runbooks.
  • Execute and coordinate containment/eradication (host isolation, process kill, account disable, token/session revocation, conditional access changes, email purge) and handoffs to platform owners when needed.
  • Operate the user-reported phishing pipeline end-to-end (header analysis, safe detonation, artifact extraction); orchestrate tenant-wide purge and user notifications; feed outcomes into awareness and detection tuning.
  • Preserve evidence, maintain timelines, and drive root-cause analysis with clear communications to stakeholders.
  • Track and improve MTTD/MTTR; participate in a light on-call rotation for priority incidents.

Detection Engineering & SIEM Content

  • Write and tune detections, watchlists, and anomaly rules to reduce false positives and increase coverage on high-impact TTPs.
  • Build dashboards and alert pipelines in NG-SIEM; adopt detection-as-code practices (Git PRs, versioning, testing).

CUI Protection & Compliance Enablement

  • Implement and tune data loss prevention (DLP), labeling, and auto-classification controls for Firefly data; create detections for data mishandling and exfiltration paths.
  • Produce incident documentation aligned to NIST SP /CMMC (e.g., incident handling, monitoring, reporting evidence) and support audits/tabletops.

Automation & Tool Development

  • Develop Python/Bash utilities to accelerate triage, enrichment, and evidence collection; partner with the security operations engineer to productionize repeatable workflows.
  • Integrate playbooks and scripts into existing pipelines to remove toil and improve consistency.

Documentation & Knowledge Management

  • Create and maintain IR runbooks, playbooks, and post-incident report templates; deliver concise executive summaries and technical post-mortems.
  • Mentor junior responders and contribute to team readiness through drills and training.

Qualifications
Required:

  • Bachelor's degree in Computer Science, Information Security, or related field (or equivalent hands-on experience).
  • 5+ years in SOC/Incident Response/Threat Detection & Response with end-to-end ownership of investigations.
  • Hands-on experience with CrowdStrike Falcon (EDR, Identity Protection) and NG-SIEM/LogScale, or similar enterprise tools.
  • Proficiency in Python and Bash for automation and tooling.
  • Experience writing/tuning detections and applying MITRE ATT&CK in practice.
  • Experience implementing/operating data protection for sensitive data and familiarity with CMMC/NIST SP incident-handling and monitoring controls.
  • Strong written and verbal communication skills, including executive-grade incident reporting and stakeholder updates.

Desired:

  • Experience operating phishing programs at scale (analysis, purge, feedback loops).
  • Identity incident response expertise (MFA fatigue, impossible travel, token theft, conditional access tuning).
  • Detection-as-code workflows (Git, PR reviews, testing) and dashboarding in NG-SIEM/LogScale.
  • Certifications such as GCIA, GCIH, GCED, GMON, GCFA, CFR, CISSP, CrowdStrike CCFR/CCFA.
  • Familiarity with Jira/Confluence and evidence collection for audits.

Firefly offers outstanding benefits for our employees, including generous health, dental and vision plans with low plan deductibles, parental leave, educational reimbursement, short-term disability, and flexible PTO options.

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.

Firefly Aerospace, Inc. is an Equal Opportunity Employer; employment with Firefly is governed based on merit, competence and qualifications and will not be influenced in any manner by race, color, religion, gender, national origin/ethnicity, veteran status, disability status, age, sexual orientation, gender identity, marital status, mental or physical disability or any other legally protected status.

