Singapore

Director - Cyber & Digital Forensic Investigations - Singapore

Job Description:

We are seeking an experienced cyber-investigations practitioner to join our client in Singapore at Director level. The successful candidate will lead delivery on breach-response and digital-forensics workstreams under Partner-led incident command, work alongside Partners as a senior delivery practitioner during live incident windows, and build the named-account and law-firm-partner relationships that underpin future origination at Senior Director and Partner level. Specific qualifications, regulatory fluency and tooling are detailed in the sections that follow.

Confidential Client. Applying to this position means that you are interested in having an initial confidential discussion about how we can help you identify and join a new cyber and digital forensic investigations practice. With your authorisation we will exclusively run the entire application and recruitment process for you, keeping you apprised at every step. With over 30 years' combined experience of helping the most talented cyber-investigations practitioners make safe exits and launch rewarding new careers, we have the experience, network and ability to help you.

Key Responsibilities:

  • Lead delivery on breach-response engagements across the NIST SP 800-61 lifecycle (preparation; detection and analysis; containment, eradication and recovery; post-incident activity and lessons learned), supporting Partner-led incident command on technical strategy, evidentiary discipline and stakeholder communication, while building the named-account and law-firm-partner networks that underpin future personal origination at Senior Director and Partner level.
  • Lead delivery on host, network, cloud and memory forensics workstreams on enterprise-scale investigations: dead-box and live imaging, EDR-driven hunting, SIEM and log-aggregation timeline reconstruction across M365 / Google Workspace tenants, AWS / Azure / GCP audit trails, identity-provider logs (Entra ID, Okta) and network-flow data; maintain chain-of-custody discipline (verified hashes, handling records and documented acquisition steps) aligned with ISO/IEC 27037 and NIST SP 800-86.
  • Triage initial malware indicators using industry-standard tools, contribute to command-and-control reconstruction and threat-actor-attribution work, and hand deep reverse-engineering off to specialist analysts where the matter requires it; integrate threat intelligence (such as Mandiant Advantage, MISP or Recorded Future) into the engagement narrative under Partner-led positioning.
  • Support Partner-led ransomware-response engagements covering threat-actor negotiation oversight, payment-decision support under OFAC and Singapore sanctions and Terrorism (Suppression of Financing) Act (TSOFA) advisory, decryptor and backup-recovery validation, and post-incident hardening.
  • Engage with breach coaches and the CSA, IMDA, MAS and PDPC under Partner direction on disclosure-and-notification timing under MAS cyber-incident-notification obligations, the Cybersecurity Act 2018 and its Critical Information Infrastructure code of practice, and PDPA data-breach notification obligations.
  • Build emerging client relationships and contribute to named-account development at General Counsel, CISO, Chief Risk Officer and Chief Compliance Officer level, and at relevant law firm partner level - under Partner direction.
  • Mentor and advocate for managers and senior managers - supporting their delivery on forensic technical depth, championing their development needs at engagement-staffing rounds, and sponsoring their upskilling on emerging methodology and AI tooling - and apply industry-standard DFIR tooling at investigation depth in support of evidentiary outcomes.
  • Stay current with the threat-actor frontier, ransomware-as-a-service evolution, AI-assisted attack and defence patterns, and emerging Singapore CII-operator obligations under the 2024 Cybersecurity (Amendment) Act.

Required Qualifications and Skills:

  • Recognised incident-response and / or digital-forensics credential, such as GCFA (GIAC Certified Forensic Analyst), GCFE (GIAC Certified Forensic Examiner), GREM (GIAC Reverse-Engineering Malware), GNFA (GIAC Network Forensic Analyst), GCIH (GIAC Certified Incident Handler), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CHFI (Computer Hacking Forensic Investigator) or EnCE (EnCase Certified Examiner).
  • At least 8 years of relevant experience in cyber investigations, incident response or digital forensics, with substantive direct exposure to financial-services, technology, critical-infrastructure or government-sector matters.
  • Demonstrable track record of leading delivery on breach-response engagements - including ransomware, BEC, advanced-persistent-threat and insider-threat fact patterns - in support of Partner-led incident command, with strong technical and client-facing presence.
  • Direct experience working with senior client stakeholders (General Counsel, CISO, Chief Risk Officer, Chief Compliance Officer), breach coaches and Singapore regulators (CSA, IMDA, MAS, PDPC).
  • Working knowledge of the Singapore cyber-incident framework: the Cybersecurity Act 2018 and the Cybersecurity (Amendment) Act 2024, the CSA Cybersecurity Code of Practice for Critical Information Infrastructure, MAS Technology Risk Management Guidelines and MAS cyber-incident-notification obligations, the PDPA data-breach notification framework and post-2024 Personal Data Protection Commission enforcement-decision patterns, and Singapore Police Force Cybercrime Branch referral pathways.
  • Working knowledge of NIST SP 800-61 (Computer Security Incident Handling Guide), NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response), the MITRE ATT&CK framework and the SANS DFIR methodology.
  • Familiarity with industry-standard DFIR tooling, including SIEM platforms (such as Splunk, Microsoft Sentinel, QRadar or Elastic), EDR (such as CrowdStrike Falcon, SentinelOne, Carbon Black or Microsoft Defender), forensic-imaging and analysis tools (such as EnCase, Magnet Axiom, X-Ways or FTK), memory-analysis tools (such as Volatility or Rekall), network-forensics tools (such as Wireshark, Zeek or Arkime), and reverse-engineering tools (such as IDA Pro, Ghidra or x64dbg).
  • High-agency operating style with strong judgement under live-incident time pressure and the methodological discipline to ensure decisions are evidence-based, defensible and documentable for regulator and litigation review.
  • Calm, credible communication style suited to bridging technical depth and senior-stakeholder reporting during live incident windows.

Preferred Experience:

  • Multiple complementary credentials across the forensics, incident-handling and malware-analysis disciplines listed above, the recognised pattern for practitioners leading multi-vector incidents.
  • Offensive-security credentials (such as OSCP, CRTO or CRTP) for practitioners whose work crosses into red-team and adversary-emulation engagements.
  • Postgraduate study in computer science, information security, digital forensics or a related discipline.
  • Multilingual capability (Mandarin, Bahasa, Hokkien) for regional witness, custodian and threat-actor-communication contexts.
  • Cross-border breach-response experience across Southeast Asia, Greater China, India and South Asia, including PDPA-equivalent data-breach notification compliance.
  • Track record of converting one-off breach-response engagements into multi-year incident-response retainer or managed-detection-and-response work.
  • Established or emerging relationships with law firm partners in cyber and data-breach practice, regulatory enforcement, white-collar crime, internal-investigations and class-action / privacy-litigation practices who instruct cyber-investigations work.
  • Continuous-learning posture and active engagement with the AI developments reshaping cyber and digital forensic investigations: candidates who track tooling shifts (such as AI-assisted DFIR via CrowdStrike Charlotte AI or Microsoft Sentinel Copilot, prompt-injection defence, AI-system-compromise investigations, or LLM-aided malware-analysis triage), share that knowledge with managers and senior managers, and have a track record of supporting team upskilling on emerging methodologies.

Compensation:

Competitive package commensurate with seniority and experience, including base, performance-based bonus, long-term incentives and (where applicable) partner-track participation.

Next Steps:

This opportunity is open to Singaporeans, Singapore permanent residents, and qualified candidates with relevant work-rights status who match the above criteria. Please apply to receive prompt contact from an experienced and specialist cyber and digital forensic investigations recruitment consultant.

Search & Counsel is a trading style of Feltan Associates Pte Ltd; an international Executive Search, Recruitment and Consulting business based in Singapore, licensed and regulated by the Singapore Ministry of Manpower to conduct recruitment services for clients. UEN: 202225620G. EA Licence 23S1672. All rights reserved.
