Senior Director - Cyber & Digital Forensic Investigations - Hong Kong
Job Description:
We are seeking a senior Cyber and Digital Forensic Investigations practitioner to join our client in Hong Kong at Senior Director level. The ideal candidate will hold senior incident-response and digital-forensics credentials with at least 10 years of relevant experience, the most recent 3+ years at Director or equivalent senior-leadership level, a track record of incident-command on bet-the-company breaches admissible in regulator and litigation review, and the bilingual capability to operate at evidentiary standards across HK-Mainland-cross-border fact patterns. The successful candidate will lead the most complex multi-jurisdictional cyber investigations, define the practice's incident-command doctrine and signed-off declaration practice on bilingual evidence populations, carry a meaningful named-account pipeline across the Hong Kong and Greater China breach-coach and cyber-litigation bar, and contribute to the practice's strategy as an emerging Partner-track operator.
Confidential Client. Applying to this position means that you are interested in having an initial confidential discussion about how we can help you to identify and join a new cyber and digital forensic investigations practice. With your authorisation we will exclusively run the entire application and recruitment process for you, keeping you apprised at every step. With over 30 years' combined experience of helping the most talented cyber-investigations practitioners to make safe exits and launch rewarding new careers, we have the experience, network and ability to help you.
Key Responsibilities:
- Lead high-stakes breach-response engagements, typically running USD 750k - 4m, frequently with HK-Mainland-Singapore-elsewhere-APAC overlay, with full responsibility for incident-command, technical strategy, evidentiary discipline and stakeholder communication on bet-the-company cyber matters.
- Define the practice's incident-command doctrine on ransomware, BEC, advanced-persistent-threat, insider-threat, supply-chain, cloud-account-takeover and nation-state intrusion fact patterns; set the bar for what is - and is not - defensible against regulator and class-action review in HK and PRC settings.
- Lead the most complex host, network, cloud and memory forensics on enterprise-scale investigations, including identity-provider compromise (Entra ID, Okta), Kubernetes / container-runtime intrusion, OT-and-IT convergence incidents, AI-system compromise, and ephemeral-messaging-platform-mediated insider threat - across hyperscaler and PRC-cloud (Alibaba Cloud, Tencent Cloud) workloads.
- Take signed-off positions on threat-actor attribution (with particular attention to Greater China-aligned actor groups), root-cause findings and lessons-learned reports at instructing-counsel and regulator level; engage on disclosure-and-notification timing under HKMA Supervisory Policy Manual on operational resilience, SFC Code of Conduct, the HK Cyber Security Bill 2024 (effective 2026, CII operators), and PDPO section 33 cross-border-transfer obligations.
- Direct ransomware-response engagements on the most complex matters, including multi-stage extortion, exfiltration-only and double-extortion patterns, with sanctions-screening governance under OFAC, HK sanctions and the 2024 HK National Security Law overlay where applicable.
- Develop and own a sustained pipeline of named accounts at General Counsel, CISO, Chief Risk Officer and Chief Compliance Officer level, and at relevant law firm partner level in Hong Kong and Greater China; originate or co-originate USD 1.5m+ annually in qualified cyber-investigations opportunities.
- Convert reactive case work into multi-year retainer engagements covering incident-response retainer, managed-detection-and-response (MDR), threat-hunting, tabletop-exercise programmes and CISO-advisory work, particularly where PIPL / CSL / DSL data-export risk shapes design.
- Set methodology and tooling-strategy direction within the cyber-investigations sub-practice; define the framework on bilingual AI-assisted DFIR governance; directly supervise, mentor and advocate for Directors and Senior Managers - championing their advancement at promotion rounds, sponsoring sustained bilingual upskilling on emerging methodology and AI tooling, and shaping their external profile-building on incident-command depth.
Required Qualifications and Skills:
- Multiple senior incident-response and / or digital-forensics credentials, such as GCFA, GREM and CISSP, or GNFA, GCIH and CISM; holding several is typical at this level.
- At least 10 years of relevant experience in cyber investigations, incident response or digital forensics, with the most recent 3+ years at Director or equivalent senior-leadership level.
- Mandarin and Cantonese working fluency at depth sufficient to lead bilingual incident-command, custodian engagement and threat-actor-communication programmes.
- Demonstrable track record of leading bet-the-company cyber-investigations matters with full incident-command and client-facing responsibility, including signed-off threat-actor-attribution and root-cause findings under regulator and litigation review on bilingual evidence populations.
- Direct experience operating with General Counsel, CISOs, Chief Risk Officers and Chief Compliance Officers, breach coaches at law-firm partner level (HK and PRC) and Hong Kong regulators (HKMA, SFC, OGCIO, PCPD).
- Working knowledge at supervisory-policy depth of the Hong Kong cyber-incident framework: the Hong Kong Cyber Security Bill 2024 (effective 2026, CII operators), the HKMA Supervisory Policy Manual on Operational Resilience, SFC Code of Conduct cyber-resilience expectations, the PDPO data-breach notification framework and 2022 PCPD guidance, and the 2024 Mainland Judicial Mutual Assistance arrangements, including PIPL / CSL / DSL data-export and review-jurisdiction implications during live incident windows.
- Authority on NIST 800-61, NIST 800-86, the MITRE ATT&CK framework, MITRE D3FEND, the SANS DFIR methodology, the Cyber Kill Chain and the FOR578 / FOR508 incident-response curriculum.
- Familiarity with industry-standard DFIR tooling, including SIEM platforms (such as Splunk, Microsoft Sentinel, QRadar or Elastic), EDR (such as CrowdStrike Falcon, SentinelOne, Carbon Black or Microsoft Defender), forensic-imaging and analysis tools (such as EnCase, Magnet Axiom, X-Ways or FTK), memory-analysis tools (such as Volatility or Rekall), network-forensics tools (such as Wireshark, Zeek or Arkime), and reverse-engineering tools (such as IDA Pro, Ghidra or x64dbg).
- Demonstrable history of converting cyber-investigations engagement relationships into multi-year incident-response retainer, managed-detection-and-response or CISO-advisory work.
- Established relationships with law firm partners in cyber and data-breach practice, regulatory enforcement, white-collar crime, internal-investigations and class-action / privacy-litigation practices who refer and instruct cyber-investigations work; sustained named-account level engagement is the strongest evidence.
- High-agency operating style, calm and credible under live-incident and adversarial-challenge pressure in bilingual settings, with the methodological discipline to ensure findings are evidence-based, structured and defensible.
Preferred Experience:
- Stacking credentials including offensive-security qualifications (such as OSCP, CRTO or CRTP) and reverse-engineering depth (GREM).
- Experience of cross-border PRC-HK incidents under the 2024 Mainland Judicial Mutual Assistance arrangements.
- Postgraduate qualification: Master's in computer science, information security, digital forensics, MBA, or LLM with cyber-law / privacy / regulatory relevance.
- Cross-border breach-response experience across Greater China and South-East Asia.
- Published authorship on incident-response, threat-hunting, ransomware-response or attribution themes in HK / PRC publications; conference-level speaking on cyber investigations in bilingual settings.
- Track record of testifying or signed-off declaration on cyber-investigations issues in arbitration, court or regulator proceedings.
- Tabletop-exercise design and CISO-advisory programme delivery at audit-committee level.
- Growth-mindset operating posture and visible engagement with the AI developments reshaping cyber and digital forensic investigations: candidates who track tooling shifts (such as AI-assisted DFIR via CrowdStrike Charlotte AI or Microsoft Sentinel Copilot, prompt-injection defence in bilingual settings, AI-system-compromise investigations across HK / PRC / hyperscaler workloads, or LLM-aided malware-analysis triage), share that knowledge with the Director and Manager bench under their supervision, and have a track record of building team-upskilling programmes on emerging methodologies.
Compensation:
Competitive package commensurate with seniority and experience, including base, performance-based bonus, long-term incentives and (where applicable) partner-track equity participation.
Next Steps:
This opportunity is open to Hong Kong permanent residents and qualified candidates with relevant Hong Kong work-rights status who match the above criteria. Please apply to receive prompt contact from an experienced and specialist cyber and digital forensic investigations recruitment consultant.
Search & Counsel is a trading style of Feltan Associates Pte Ltd; an international Executive Search, Recruitment and Consulting business based in Singapore, licensed and regulated by the Singapore Ministry of Manpower to conduct recruitment services for clients. UEN: 202225620G. EA Licence 23S1672. All rights reserved.