Incident Response and Digital Forensics Expert
Job Description Summary

As part of the Sandoz Security Operations Center, the Incident Response and Digital Forensics Expert delivers fast, structured responses to cybersecurity events while working closely with SOC, SecOps leadership, and key internal stakeholders. This role focuses on triage, containment, and remediation of incidents, using industry-leading tools to conduct evidence acquisition and forensic analysis across endpoints, servers, cloud environments, and network data. The mission is to uphold world-class incident response capabilities, provide defensible forensic findings, and support decision-making during Major Incident Management (MIM) calls. This role works cross-functionally to strengthen Sandoz's global security posture and safeguard the organisation from evolving cyber threats.

Job Description

Sandoz continues to go through an exciting and transformative period as a global leader and pioneering provider of sustainable Biosimilar and Generic medicines. As we continue down this new and ambitious path, unique opportunities will present themselves, both professionally and personally. Join us, the future is ours to shape!
Your Key Responsibilities

Incident Response (70%)
- Oversee security operations and ensure stable, compliant, and secure service.
- Own incident handling for low-to-high complexity events: validate alerts, determine scope, prioritize actions, and coordinate response across SOC/SecOps and third-party vendors.
- Run containment and remediation steps from approved playbooks (isolate hosts, revoke tokens, block IOCs, quarantine mail, reset credentials, collect live data).
- Keep an accurate incident timeline and evidence record; update tickets and communicate status to stakeholders using established templates and escalation paths.
- Join war rooms and MIM calls, present technical findings clearly, and help drive decisions under pressure.
- Execute practical evidence collection and analysis across endpoints, servers, cloud services and network sources when required; preserve confidentiality and follow Legal/HR processes for sensitive cases.
- Improve playbooks, detection coverage and automations (KQL, PowerShell, Python) to reduce manual work and speed response.
- Participate in tabletop exercises, purple-team activities and runbook validation to keep the team ready.
- Produce defensible management/C-level reports documenting relevant incidents with a focus on RCA identification and recommendations.

Digital Forensics & Investigation (30%)
- Analyze artifacts and logs (host timelines, process trees, authentication events and network flows) to determine scope, impact and likely entry vectors.
- Conduct basic malware triage and escalate advanced cases to SOC LT.
- Perform live response and forensic evidence acquisition across various systems, preserving integrity and confidentiality and adhering to applicable legal and regulatory requirements for sensitive cases.
- Deliver concise, technical evidence and reports that document methods, tools and results for internal review, incident reports and/or continuous improvement.
- Maintain and improve the forensic toolkit and standard operating procedures.
- Ensure evidence handling and retention meet approved standards and regulatory requirements; surface process or tooling gaps for review.

Technical Skills
- Strong understanding of network protocols, security controls, and threat intelligence (TTPs, IOCs/IOAs, MITRE ATT&CK).
- Proficiency with SIEM, SOAR, and EDR platforms; practical experience with Microsoft Defender for Endpoint/XDR (alert triage, KQL hunting, timelines, live response, remediation).
- Hands-on forensic evidence acquisition using tools such as THOR, KAPE, Sleuth Kit, Velociraptor, etc.
- Experience with cloud incident response and identity-centric attacks (Azure AD, M365, AWS/GCP).
- Ability to perform basic malware triage; familiarity with reverse-engineering tools is a plus.
- Scripting/automation in Python and PowerShell; strong Windows/macOS troubleshooting (Linux is a plus).

Minimum Requirements

What you'll bring to the role:
- 3-5 years of experience in Security Operations, with hands-on exposure to IR workflows; experience coordinating with SOC operations.
- Bachelor's