Sydney, New South Wales, Australia

Director - Cyber & Digital Forensic Investigations - Sydney

Job Description:

We are seeking an experienced cyber-investigations practitioner to join our client in Sydney at Director level. The successful candidate will lead delivery on breach-response and digital-forensics workstreams under Partner-led incident command, operate as a senior delivery practitioner alongside Partners during live incident windows, and build the named-account and law-firm-partner relationships that underpin future origination at Senior Director and Partner level. Specific qualifications, regulatory fluency and tooling are detailed in the sections that follow.

Confidential Client. Applying to this position means that you are interested in having an initial confidential discussion about how we can help you to identify and join a new cyber and digital forensic investigations practice. With your authorisation we will exclusively run the entire application and recruitment process for you, keeping you apprised at every step. With over 30 years' combined experience of helping the most talented cyber-investigations practitioners to make safe exits and launch rewarding new careers, we have the experience, network and ability to help you.

Key Responsibilities:

  • Lead delivery on breach-response engagement workstreams - often with Australia-NZ-PNG-APAC overlay - in support of Partner-led incident command on technical strategy, evidentiary discipline and stakeholder communication, while building the named-account and law-firm-partner networks that underpin future personal origination at Senior Director and Partner level.
  • Lead delivery on host, network, cloud and memory forensics workstreams on enterprise-scale investigations: dead-box and live imaging, EDR-driven hunt, SIEM and log-aggregation reconstruction across M365 / Google Workspace tenants, AWS / Azure / GCP audit trails, identity-provider logs (Entra ID, Okta) and network-flow data, with chain-of-custody discipline.
  • Triage initial malware indicators using industry-standard tools, contribute to command-and-control reconstruction and threat-actor-attribution work, and hand deep reverse-engineering off to specialist analysts where the matter requires it; integrate threat intelligence (such as Mandiant Advantage, MISP or Recorded Future) into the engagement narrative under Partner-led positioning.
  • Support Partner-led ransomware-response engagements covering threat-actor negotiation oversight, payment-decision support under sanctions advisory, decryptor and backup-recovery validation, and post-incident hardening.
  • Engage with breach coaches and Australian regulators under Partner direction on disclosure-and-notification timing during live incident windows.
  • Build emerging client relationships and contribute to named-account development at General Counsel, CISO, Chief Risk Officer and Chief Compliance Officer level, and at relevant law firm partner level - under Partner direction.
  • Mentor and advocate for managers and senior managers - supporting their delivery on forensic technical depth, championing their development needs at engagement-staffing rounds, and sponsoring their upskilling on emerging methodology and AI tooling - and apply industry-standard DFIR tooling at investigation depth in support of evidentiary outcomes.
  • Stay current with the threat-actor frontier, ransomware-as-a-service evolution and AI-assisted attack and defence patterns relevant to the engagements you deliver.

Required Qualifications and Skills:

  • Recognised incident-response and / or digital-forensics credential, such as GCFA (GIAC Certified Forensic Analyst), GCFE (GIAC Certified Forensic Examiner), GREM (GIAC Reverse-Engineering Malware), GNFA (GIAC Network Forensic Analyst), GCIH (GIAC Certified Incident Handler), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CHFI (Computer Hacking Forensic Investigator) or EnCE (EnCase Certified Examiner).
  • At least 8 years of relevant experience in cyber investigations, incident response or digital forensics, with substantive direct exposure to APRA-regulated, critical-infrastructure, government-sector or technology-sector matters.
  • Demonstrable track record of leading delivery on breach-response engagements - including ransomware, BEC, advanced-persistent-threat and insider-threat fact patterns - in support of Partner-led incident command, with strong technical and client-facing presence.
  • Direct experience working with senior client stakeholders (General Counsel, CISO, Chief Risk Officer, Chief Compliance Officer), breach coaches and Australian regulators (APRA, OAIC, ACSC, ASD, AUSTRAC).
  • Working knowledge of the Australian cyber-incident framework: APRA prudential standards on information security and operational risk, the Security of Critical Infrastructure (SOCI) Act 2018 and 2022 amendments including critical-infrastructure-asset class obligations and Australian Government Information Security Manual touchpoints, the Cyber Security Act 2024 and Cyber Incident Review Board, the Privacy Act 1988 Notifiable Data Breach scheme, and ACSC critical-infrastructure reporting obligations.
  • Working knowledge of NIST 800-61 (Incident Response) and the MITRE ATT&CK framework, with adjacent fluency on NIST 800-86 (Integrating Forensic Techniques), the ASD / ACSC Essential Eight maturity model and the SANS DFIR methodology.
  • Familiarity with industry-standard DFIR tooling, including SIEM platforms (such as Splunk, Microsoft Sentinel, QRadar or Elastic), EDR (such as CrowdStrike Falcon, SentinelOne, Carbon Black or Microsoft Defender), forensic-imaging and analysis tools (such as EnCase, Magnet Axiom, X-Ways or FTK), memory-analysis tools (such as Volatility or Rekall), network-forensics tools (such as Wireshark, Zeek or Arkime), and reverse-engineering tools (such as IDA Pro, Ghidra or x64dbg).
  • High-agency operating style with strong judgement under live-incident time pressure and the methodological discipline to ensure decisions are evidence-based, defensible and documentable for regulator and litigation review.
  • Calm, credible communication style suited to bridging technical depth and senior-stakeholder reporting during live incident windows.

Preferred Experience:

  • Multiple complementary credentials at this level, which is the recognised pattern on multi-vector incidents.
  • Offensive-security credentials (such as OSCP, CRTO or CRTP) for practitioners whose work crosses into red-team and adversary-emulation engagements.
  • Australian Government security clearance (NV1 or above) for practitioners engaging on government and defence sector matters.
  • Postgraduate study in computer science, information security, digital forensics or a related discipline.
  • Cross-border breach-response experience across Australia / NZ / PNG and the broader APAC region.
  • Track record of converting one-off breach-response engagements into multi-year incident-response retainer or managed-detection-and-response work.
  • Established or emerging relationships with law firm partners in cyber and data-breach practice, regulatory enforcement, white-collar crime, internal-investigations and class-action / privacy-litigation practices who instruct cyber-investigations work.
  • Continuous-learning posture and active engagement with the AI developments reshaping cyber and digital forensic investigations: candidates who track tooling shifts (such as AI-assisted DFIR via CrowdStrike Charlotte AI or Microsoft Sentinel Copilot, prompt-injection defence, AI-system-compromise investigations, or LLM-aided malware-analysis triage under APRA CPS 234 / SOCI Act expectations), share that knowledge with managers and senior managers, and have a track record of supporting team upskilling on emerging methodologies.

Compensation:

Competitive package commensurate with seniority and experience, including base, performance-based bonus, long-term incentives and (where applicable) partner-track participation.

Next Steps:

This opportunity is open to Australian citizens, permanent residents and qualified candidates with relevant Australian work-rights status who match the above criteria. Please apply to receive prompt contact from an experienced and specialist cyber and digital forensic investigations recruitment consultant.

Search & Counsel is a trading style of Feltan Associates Pte Ltd, an international Executive Search, Recruitment and Consulting business based in Singapore, licensed and regulated by the Singapore Ministry of Manpower to conduct recruitment services for clients. UEN: 202225620G. EA Licence 23S1672. All rights reserved.
