Hong Kong SAR

Director - Cyber & Digital Forensic Investigations - Hong Kong

Job Description:

We are seeking an experienced cyber-investigations practitioner to join our client in Hong Kong at Director level. The successful candidate will lead delivery on breach-response and digital-forensics workstreams under Partner-led incident command, operate as a senior delivery practitioner alongside Partners during live incident windows, and build the named-account and law-firm-partner relationships that underpin future origination at Senior Director and Partner level. Specific qualifications, regulatory fluency and tooling are detailed in the sections that follow.

Confidential Client. Applying to this position means that you are interested in having an initial confidential discussion about how we can help you to identify and join a new cyber and digital forensic investigations practice. With your authorisation we will exclusively run the entire application and recruitment process for you, keeping you apprised at every step. With over 30 years' combined experience of helping the most talented cyber-investigations practitioners to make safe exits and launch rewarding new careers, we have the experience, network and ability to help you.

Key Responsibilities:

  • Lead delivery on breach-response engagements across the NIST SP 800-61 lifecycle (preparation; detection and analysis; containment, eradication and recovery; post-incident activity), often with a cross-border overlay spanning Hong Kong, Mainland China, Singapore and the wider APAC region, in support of Partner-led incident command on technical strategy, evidentiary discipline and stakeholder communication, while building the named-account and law-firm-partner networks that underpin future personal origination at Senior Director and Partner level.
  • Lead delivery on host, network, cloud and memory forensics workstreams on enterprise-scale investigations: dead-box and live imaging, EDR-driven hunting, SIEM and log-aggregation timeline reconstruction across M365 / Google Workspace tenants, AWS / Azure / GCP / Alibaba Cloud / Tencent Cloud audit trails, identity-provider logs (Entra ID, Okta) and network-flow data; maintain chain-of-custody discipline aligned with ISO/IEC 27037 and NIST SP 800-86 so that evidence survives regulator and litigation scrutiny.
  • Triage initial malware indicators using industry-standard tools, contribute to command-and-control reconstruction and threat-actor-attribution work, and hand deep reverse engineering off to specialist analysts where the matter requires it; integrate threat intelligence on actor groups active in the region (PRC-aligned groups such as APT41 and Mustang Panda, and DPRK-aligned groups such as Lazarus Group) into the engagement narrative under Partner-led positioning.
  • Support Partner-led ransomware-response engagements covering threat-actor negotiation oversight, payment-decision support under OFAC and HK sanctions advisory, decryptor and backup-recovery validation, and post-incident hardening.
  • Engage with breach coaches (HK and PRC) and HKMA / SFC / OGCIO / PCPD regulators under Partner direction on disclosure-and-notification timing under the HKMA Supervisory Policy Manual module on operational resilience, SFC Code of Conduct cyber-resilience expectations, the Protection of Critical Infrastructures (Computer Systems) legislation (the 2024 Bill, in force from 2026 for critical-infrastructure operators) and PDPO data-breach handling obligations together with PCPD breach-notification guidance.
  • Build emerging client relationships and contribute to named-account development at General Counsel, CISO, Chief Risk Officer and Chief Compliance Officer level, and at relevant law firm partner level in Hong Kong and Greater China - under Partner direction.
  • Mentor and advocate for managers and senior managers: support their delivery on forensic technical depth, champion their development needs at engagement-staffing rounds and sponsor their bilingual upskilling on emerging methodology and AI tooling. Apply industry-standard DFIR tooling at investigation depth in support of evidentiary outcomes, particularly on bilingual evidence populations.
  • Stay current with the threat-actor frontier (with particular attention to Greater China-aligned actor groups and to PRC data-export restrictions under the CSL, DSL and PIPL as they bear on live incidents), ransomware-as-a-service evolution and AI-assisted attack and defence patterns.

Required Qualifications and Skills:

  • Recognised incident-response and / or digital-forensics credential, such as GCFA (GIAC Certified Forensic Analyst), GCFE (GIAC Certified Forensic Examiner), GREM (GIAC Reverse-Engineering Malware), GNFA (GIAC Network Forensic Analyst), GCIH (GIAC Certified Incident Handler), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CHFI (Computer Hacking Forensic Investigator) or EnCE (EnCase Certified Examiner).
  • At least 8 years of relevant experience in cyber investigations, incident response or digital forensics, with substantive direct exposure to financial-services, technology, critical-infrastructure or government-sector matters.
  • Mandarin and Cantonese working fluency. Bilingual operational capability is essential at this level for HK-Mainland-cross-border breach response, custodian engagement and threat-actor communication.
  • Demonstrable track record of leading delivery on breach-response engagements - including ransomware, BEC, advanced-persistent-threat and insider-threat fact patterns - in support of Partner-led incident command, with strong technical and client-facing presence.
  • Direct experience working with senior client stakeholders (General Counsel, CISO, Chief Risk Officer, Chief Compliance Officer), breach coaches (HK and PRC) and Hong Kong regulators (HKMA, SFC, OGCIO, PCPD).
  • Working knowledge of the Hong Kong cyber-incident framework: the Protection of Critical Infrastructures (Computer Systems) legislation (the 2024 Bill, in force from 2026 for critical-infrastructure operators), the HKMA Supervisory Policy Manual module on operational resilience, SFC Code of Conduct cyber-resilience expectations, the PDPO data-breach handling framework and PCPD breach-notification guidance, and HK Police Cyber Security and Technology Crime Bureau referral pathways.
  • Working knowledge of NIST SP 800-61 (Computer Security Incident Handling Guide), NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response), the MITRE ATT&CK framework and the SANS DFIR methodology.
  • Familiarity with industry-standard DFIR tooling, including SIEM platforms (such as Splunk, Microsoft Sentinel, QRadar or Elastic), EDR (such as CrowdStrike Falcon, SentinelOne, Carbon Black or Microsoft Defender), forensic-imaging and analysis tools (such as EnCase, Magnet Axiom, X-Ways or FTK), memory-analysis tools (such as Volatility or Rekall), network-forensics tools (such as Wireshark, Zeek or Arkime), and reverse-engineering tools (such as IDA Pro, Ghidra or x64dbg).
  • High-agency operating style with strong judgement under live-incident time pressure and the methodological discipline to ensure decisions are evidence-based, defensible and documentable for regulator and litigation review.
  • Calm, credible communication style suited to bridging technical depth and senior-stakeholder reporting during live incident windows in bilingual settings.

Preferred Experience:

  • Multiple complementary credentials spanning forensics, incident handling and malware analysis, the recognised pattern for practitioners leading multi-vector incidents at this level.
  • Offensive-security credentials (such as OSCP, CRTO or CRTP) for practitioners whose work crosses into red-team and adversary-emulation engagements.
  • Experience of cross-border PRC-HK incidents under the 2024 Mainland Judicial Mutual Assistance arrangements, including PIPL / CSL / DSL data-export and review-jurisdiction implications during live incident windows.
  • Postgraduate study in computer science, information security, digital forensics or a related discipline.
  • Cross-border breach-response experience across Greater China and South-East Asia.
  • Track record of converting one-off breach-response engagements into multi-year incident-response retainer or managed-detection-and-response work.
  • Established or emerging relationships with law firm partners in cyber and data-breach practice, regulatory enforcement, white-collar crime, internal-investigations and class-action / privacy-litigation practices who instruct cyber-investigations work.
  • Continuous-learning posture and active engagement with the AI developments reshaping cyber and digital forensic investigations: candidates who track tooling shifts (such as AI-assisted DFIR via CrowdStrike Charlotte AI or Microsoft Security Copilot in Sentinel, prompt-injection defence in bilingual settings, AI-system-compromise investigations across HK / PRC / hyperscaler workloads, or LLM-aided malware-analysis triage), share that knowledge with managers and senior managers, and have a track record of supporting team upskilling on emerging methodologies.

Compensation:

Competitive package commensurate with seniority and experience, including base, performance-based bonus, long-term incentives and (where applicable) partner-track participation.

Next Steps:

This opportunity is open to Hong Kong permanent residents and qualified candidates with relevant Hong Kong work-rights status who match the above criteria. Please apply to receive prompt contact from an experienced and specialist cyber and digital forensic investigations recruitment consultant.

Search & Counsel is a trading style of Feltan Associates Pte Ltd; an international Executive Search, Recruitment and Consulting business based in Singapore, licensed and regulated by the Singapore Ministry of Manpower to conduct recruitment services for clients. UEN: 202225620G. EA Licence 23S1672. All rights reserved.
