Sydney, New South Wales, Australia

Senior Director - Cyber & Digital Forensic Investigations - Sydney

Job Description:

We are seeking a senior Cyber and Digital Forensic Investigations practitioner to join our client in Sydney at Senior Director level. The ideal candidate will hold senior incident-response and digital-forensics credentials with at least 10 years of relevant experience, the most recent 3+ years at Director or equivalent senior-leadership level, and a track record of incident-command on bet-the-company breaches admissible in APRA / OAIC / ACSC regulator review and class-action proceedings. The successful candidate will lead the most complex multi-jurisdictional cyber investigations, define the practice's incident-command doctrine and signed-off declaration practice, carry a meaningful named-account pipeline across the Australian and Trans-Tasman breach-coach and cyber-litigation bar, and contribute to the practice's strategy as an emerging Partner-track operator.

Confidential Client. Applying to this position means that you are interested in having an initial confidential discussion about how we can help you to identify and join a new cyber and digital forensic investigations practice. With your authorisation we will exclusively run the entire application and recruitment process for you, keeping you apprised at every step. With over 30 years' combined experience of helping the most talented cyber-investigations practitioners to make safe exits and launch rewarding new careers, we have the experience, network and ability to help you.

Key Responsibilities:

  • Lead high-stakes breach-response engagements, typically running AUD 1m - 6m, often with Australia-NZ-PNG-APAC overlay, with full responsibility for incident-command, technical strategy, evidentiary discipline and stakeholder communication on bet-the-company cyber matters.
  • Define the practice's incident-command doctrine on ransomware, BEC, advanced-persistent-threat, insider-threat, supply-chain, cloud-account-takeover and nation-state intrusion fact patterns; set the bar for what is - and is not - defensible against APRA, OAIC, ACSC and class-action review.
  • Lead the most complex host, network, cloud and memory forensics on enterprise-scale investigations, including identity-provider compromise (Entra ID, Okta), Kubernetes / container-runtime intrusion, OT-and-IT convergence incidents (notably under the SOCI Act CII-asset framework), AI-system compromise, and ephemeral-messaging-platform-mediated insider threat.
  • Take signed-off positions on threat-actor attribution, root-cause findings and lessons-learned reports at instructing-counsel and regulator level; engage on disclosure-and-notification timing under APRA prudential standards on information security and operational risk, the SOCI Act 2018 (and 2022 amendments), the Cyber Security Act 2024 and Cyber Incident Review Board, the Privacy Act 1988 NDB scheme, and ACSC critical-infrastructure reporting obligations.
  • Direct ransomware-response engagements on the most complex matters, including multi-stage extortion, exfiltration-only and double-extortion patterns, with sanctions-screening governance under OFAC, AUSTRAC, and the Cyber Security Act 2024 ransomware-payment-reporting framework.
  • Develop and own a sustained pipeline of named accounts at General Counsel, CISO, Chief Risk Officer and Chief Compliance Officer level, and at relevant law firm partner level; originate or co-originate AUD 1.5m+ annually in qualified cyber-investigations opportunities.
  • Convert reactive case work into multi-year retainer engagements covering incident-response retainer, managed-detection-and-response (MDR), threat-hunting, tabletop-exercise programmes, CISO-advisory work, and SOCI-Act / APRA-CPS compliance-advisory work.
  • Set methodology and tooling-strategy direction within the cyber-investigations sub-practice; define the framework on AI-assisted DFIR governance; directly supervise, mentor and advocate for Directors and Senior Managers - championing their advancement at promotion rounds, sponsoring sustained upskilling on emerging methodology and AI tooling, and shaping their external profile-building on incident-command depth.

Required Qualifications and Skills:

  • Multiple senior incident-response and / or digital-forensics credentials, such as GCFA plus GREM plus CISSP, or GNFA plus GCIH plus CISM - typically multiple at this level.
  • At least 10 years of relevant experience in cyber investigations, incident response or digital forensics, with the most recent 3+ years at Director or equivalent senior-leadership level.
  • Demonstrable track record of leading bet-the-company cyber-investigations matters with full incident-command and client-facing responsibility, including signed-off threat-actor-attribution and root-cause findings under APRA / OAIC / ACSC regulator review and class-action proceedings.
  • Direct experience operating with General Counsel, CISOs, Chief Risk Officers and Chief Compliance Officers, breach coaches at law-firm partner level and Australian regulators (APRA, OAIC, ACSC, ASD, AUSTRAC).
  • Working knowledge at supervisory-policy depth of the Australian cyber-incident framework: APRA prudential standards on information security and operational risk, the Security of Critical Infrastructure (SOCI) Act 2018 and 2022 amendments including critical-infrastructure-asset class obligations and Australian Government Information Security Manual touchpoints, the Cyber Security Act 2024 and Cyber Incident Review Board, the Privacy Act 1988 NDB scheme at post-2024 Optus / Medibank enforcement-pattern depth, and ACSC critical-infrastructure reporting obligations.
  • Authority on NIST 800-61, NIST 800-86, the MITRE ATT&CK framework, MITRE D3FEND, the SANS DFIR methodology, the Cyber Kill Chain, the FOR578 / FOR508 incident-response curriculum and the ASD / ACSC Essential Eight maturity model.
  • Familiarity with industry-standard DFIR tooling, including SIEM platforms (such as Splunk, Microsoft Sentinel, QRadar or Elastic), EDR (such as CrowdStrike Falcon, SentinelOne, Carbon Black or Microsoft Defender), forensic-imaging and analysis tools (such as EnCase, Magnet Axiom, X-Ways or FTK), memory-analysis tools (such as Volatility or Rekall), network-forensics tools (such as Wireshark, Zeek or Arkime), and reverse-engineering tools (such as IDA Pro, Ghidra or x64dbg).
  • Demonstrable history of converting cyber-investigations engagement relationships into multi-year incident-response retainer, managed-detection-and-response or CISO-advisory work.
  • Established relationships with law firm partners in cyber and data-breach practice, regulatory enforcement, white-collar crime, internal-investigations and class-action / privacy-litigation practices who refer and instruct cyber-investigations work; sustained named-account level engagement is the strongest evidence.
  • High-agency operating style, calm and credible under live-incident and adversarial-challenge pressure, with the methodological discipline to ensure findings are evidence-based, structured and defensible.

Preferred Experience:

  • Stacking credentials including offensive-security qualifications (such as OSCP, CRTO or CRTP) and reverse-engineering depth (GREM).
  • Australian Government security clearance (NV1 or above) for practitioners engaging on government and defence sector matters.
  • Postgraduate qualification: Master's in computer science, information security, digital forensics, MBA, or LLM with cyber-law / privacy / regulatory relevance.
  • Cross-border breach-response experience across Australia / NZ / PNG and the broader APAC region.
  • Published authorship on incident-response, threat-hunting, ransomware-response or attribution themes; conference-level speaking on cyber investigations.
  • Track record of testifying or signed-off declaration on cyber-investigations issues in Australian-court, arbitration or APRA / OAIC regulator proceedings.
  • Tabletop-exercise design and CISO-advisory programme delivery at audit-committee level.
  • Growth-mindset operating posture and visible engagement with the AI developments reshaping cyber and digital forensic investigations: candidates who track tooling shifts (such as AI-assisted DFIR via CrowdStrike Charlotte AI or Microsoft Sentinel Copilot, prompt-injection defence, AI-system-compromise investigations, or LLM-aided malware-analysis triage under APRA CPS 234 / SOCI Act expectations), share that knowledge with the Director and Manager bench under their supervision, and have a track record of building team-upskilling programmes on emerging methodologies.

Compensation:

Competitive package commensurate with seniority and experience, including base, performance-based bonus, long-term incentives and (where applicable) partner-track equity participation.

Next Steps:

This opportunity is open to Australian citizens, permanent residents and qualified candidates with relevant Australian work-rights status who match the above criteria. Please apply to receive prompt contact from an experienced and specialist cyber and digital forensic investigations recruitment consultant.

Search & Counsel is a trading style of Feltan Associates Pte Ltd; an international Executive Search, Recruitment and Consulting business based in Singapore, licensed and regulated by the Singapore Ministry of Manpower to conduct recruitment services for clients. UEN: 202225620G. EA Licence 23S1672. All rights reserved.
