Defensive Cyber Operations Team Lead

Job Locations US-AZ-Fort Huachuca
Job Post Information* : Posted Date 5 months ago(3/18/2022 4:00 PM)
Location : Location
US-AZ-Fort Huachuca
Potential for Remote
Clearance Requirement
Top Secret/SCI
Job Requires Relocation
Job Requires Relocation


SOS International, LLC (SOSi) is currently seeking a Defensive Cyber Operations Team Lead in Fort Huachuca, AZ. The Defensive Cyber Operations Team Lead reports to the DCO Branch Manager and is responsible for leading cyber event monitoring and correlation within a tiered Security Operations Center. The DCO Team Lead is the overall Incident Handling Subject Matter Expert for incident escalation, maintains ownership of all DCO TTPs, and acts as the coordination point between the DCO mission, government task mangers, external organizations, and other RCC-C internal technical areas. The DCO Team Lead is responsible for overall technical and personnel management of the DCO mission and develops and maintains 24/7 schedules, on call roster, and recall procedures.  


  • Supervisory responsibilities to include but not limited to:
    • Reporting and timekeeping; technical/administrative training; assuring ITIL process compliance; actively communicating with the government to include utilizing MS Teams; scheduling to effectively utilize all team resources; support management decision-making; committing to quality management standards, QA/QC compliance, and metrics analysis.
    • Coordinates team schedules ensuring mission coverage.
    • Trains, mentors, coaches, and enforces the SOSi code of conduct.
    • Assures ATCTS reporting compliance and employees training and certifications are current. 
    • Recommends innovative solutions to more effectively and efficiently support work performance.
    • Provides performance feedback and appraisals for all direct reports.
    • Nominates employees for recognition and awards program.
    • Supports leadership development and succession planning program.
  • Lead initial event triage & escalation, sensor monitoring, cyber incident investigation, cyber event analysis & correlation, log analysis, and malware analysis.
  • Detect, document, and report potential or confirmed incidents and security issues.
  • Oversee 24/7 analysis of events utilizing ArcSight Security Information Event Management (SIEM) systems, Big Data Analytics (Gabriel Nimbus), and other supporting platforms or applications.
  • Conduct incident handling actions in accordance with CJCSM 6510.01b, established operational procedures, and providing recommendations in the best interest of protecting the DoDIN.
  • Coordinate and perform incident response investigations providing leadership with details to make critical security decisions.
  • Conduct quality control of incidents and investigations to maintain compliance with applicable policies.
  • Develop recommendations to enhance detection capabilities and implement mitigation measures in response to general or specific threats (attempted exploits, attacks, malware delivery, etc.).
  • Assist in designing and integrating custom rules and reports within data collection platforms.
  • Leads the integration of new technical solutions and platforms into the DoDIN-A, develops new processes, and authors new SOPs and TTPs to employ them to their full potential.
  • Prepare technical summaries and briefings.
  • Provide technical expertise regarding the defense of information systems and networks.
  • Correlate event data to create situational awareness and trend analysis reports.
  • Conduct root cause analysis to identify, diagnose, and resolve cyber security problems.
  • Develop and maintain TTPs and SOPs on Incident Handling and Incident Response.
  • Work with vendors to evaluate new products and resolve equipment design problems.
  • Provide guidance and work leadership to less-experienced cyber security analysts and other technical staff.
  • Maintain current knowledge of relevant technologies as assigned.
  • Update SmartBooks associated with current knowledge of relevant technologies as assigned.
  • Participate in special projects as required.
  • Potential to lead/manage high level administrative/technical taskings without assistance.
  • Collaborate with external agencies, LE/CI, GTMs, Branch Chiefs, Division Chiefs and RCC-C Leadership.


  • Active in scope Top Secret (TS) with eligibility for Sensitive Compartmented Information (SCI) clearance
  • HS +12 yrs similar technical experience or AA/AS +10, or BS/BA +8
  • An IAT II certification (CCNA-Security, CND, CySA+, GICSP, GSEC, Security+ CE, or SSCP) is required
  • CSSP-IR Certification
  • GIAC Certified Forensic analyst (GCIH)
  • ITIL Foundation Certification
  • Knowledgeable in the mission and operational requirements of the U.S. Army
  • Demonstrated understanding of U.S. Army IT operational and technical requirements
  • Must be willing to work overtime, after hours, holidays, and weekends, as necessary

Preferred Qualifications

  • Master’s degree in Network Management, Telecommunications, Cybersecurity, National Security Strategy, or a related field
  • ITIL v4 certification
  • PMP Certification
  • 3-5 years or more of supervisory experience.
  • Fluency in a foreign language is desirable, but not required

Working Conditions

  • Working conditions are normal for an office environment.
  • Fast paced, deadline-oriented environment.
  • May require periods of non-traditional working hours including consecutive nights or weekends (if applicable)


SOSi is an equal employment opportunity employer and affirmative action employer. All interested individuals will receive consideration and will not be discriminated against on the basis of race, color, religion, sex, national origin, disability, age, sexual orientation, gender identity, genetic information, or protected veteran status. SOSi takes affirmative action in support of its policy to advance diversity and inclusion of individuals who are minorities, women, protected veterans, and individuals with disabilities.


Sorry the Share function is not working properly at this moment. Please refresh the page and try again later.
Share on your newsfeed