Job Description

ECS is seeking an Advanced Threat Team Lead - Senior to support the Army National Guard (ARNG) Enterprise Network Operations and Cybersecurity Support (ENOCS) program. This role supports Task 3 — Cybersecurity Operations Support — by leading advanced threat and insider threat monitoring operations across ARNG classified and unclassified network environments. The Advanced Threat Team Lead - Senior directs analytic strategy, detection development, and investigation workflows; integrates threat intelligence with user activity monitoring, behavioral analytics, and enterprise security telemetry; and coordinates closely with SOC, CIRT, CTI, defensive cyber, and security engineering teams to improve threat detection and response in support of DCO-IDM objectives across the DoDIN-Army-NG area of responsibility.

In this role, the selected candidate contributes to the protection of an enterprise supporting more than 120,000 users and approximately 141,000 endpoints across about 2,800 sites in 54 states and territories. The position supports ARNG missions spanning Title 10 and Title 32 operations, mobilization readiness, domestic emergency response, and classified SIPRNet operations. The role operates within ENOCS’ cyber defense environment, leveraging integrated SIEM/C2C/DLP analytics, USIEM detection engineering, EDR, SOAR, Zeek metadata, Sysmon-informed MITRE ATT&CK analytics, and coordination with NETCOM Global Cyber Center, DISA DCDC, ARCYBER, USCYBERCOM, and regional RCCs to identify anomalous behavior, prioritize mission risk, and strengthen continuous monitoring and enterprise cyber resiliency.

Please Note: This position is contingent upon contract award.

Responsibilities

• Lead advanced threat and insider threat monitoring activities by directing analytic priorities, investigation workflows, and detection refinement across ARNG enterprise environments.
• Integrate threat intelligence, user activity monitoring, behavioral analytics, and security telemetry to identify anomalous behavior, high-risk events, and emerging threat patterns.
• Develop, tune, and oversee advanced detections using MITRE ATT&CK-based analytic methods to improve proactive identification of adversary tactics, techniques, and procedures.
• Coordinate with SOC Tier 2, Cyber Incident Response Team (CIRT), cyber threat intelligence, defensive cyber, and security engineering personnel to escalate, investigate, and resolve complex security events.
• Leverage USIEM and integrated SIEM/C2C/DLP analytics, along with relevant data sources such as Zeek metadata and Sysmon monitoring, to improve enterprise visibility and machine-speed response.
• Prioritize investigations and reporting based on mission risk and operational impact to ARNG support for Title 10, Title 32, mobilization readiness, domestic emergency response, and classified operations.
• Coordinate with NETCOM Global Cyber Center, DISA DCDC, ARCYBER, USCYBERCOM, and regional RCC stakeholders, as required, to support incident analysis, data feed alignment, and threat-informed defense activities.
• Establish and maintain analytic governance, documentation, and performance metrics that strengthen proactive threat identification and support continuous monitoring objectives.
• Ensure findings, investigative artifacts, and recommended response actions are documented clearly to support RMF requirements, cybersecurity reporting, and ongoing improvement of enterprise defenses.

Qualifications

Required Qualifications

U.S. Citizenship is required

Security Clearance: Secret Eligible

Required Certifications: DCWF Work Role 212-Cyber Defense Forensics Analyst — Advance proficiency; must hold ONE OR MORE of the following: GREM, CFR, CySA+, GCFA, GCFE, PenTest+

Experience: 7+ years of experience in cybersecurity

Education: Masters degree or higher in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, or Software Engineering

• Demonstrated ability to lead advanced threat monitoring and investigation activities across enterprise cybersecurity operations environments.
• Experience developing or refining analytic strategies, detection logic, and investigation workflows using threat intelligence and behavioral indicators.
• Experience correlating and analyzing multiple security data sources to identify anomalous activity, insider threat indicators, and high-risk events.
• Ability to document investigative findings, recommend response actions, and produce reporting aligned to continuous monitoring and governance needs.
• Experience coordinating across SOC, incident response, threat intelligence, defensive cyber, and engineering teams to improve detections and operational outcomes.
• Working knowledge of RMF-aligned cybersecurity operations and documentation practices supporting continuous assessment and enterprise security posture.
• Experience supporting cybersecurity operations in large, geographically dispersed environments with complex mission dependencies.