Incident Response Engineer

Available Location: Singapore
Team Mission
The Security Response Team's mission is to systematically respond to security threats safeguarding Cloudflare. We operate 24/7 across the globe to respond to security incidents, continuously improve our response capabilities, lead digital investigations and enhance our overall security posture. Our "Cloudflare on Cloudflare", data and automation first philosophy makes us a cohesive team with high impact.
The Role
This intermediate role on the Security Response Team focuses on refining security processes and leading critical incidents-from threat detection and cyber-attack analysis to containment and forensics. This role collaborates with IT, Engineering, Product, and Legal teams to build scalable response frameworks, leveraging expertise in tooling, automation, custom log analysis, and SIEM systems. Additionally, it requires effective communication of technical topics based on business requirements and participation in a shared on-call rotation with rotating weekend and holiday shifts.
Responsibilities
Security Operations

• Oversee security event triage, validation, and response workflows, ensuring timely investigation of high-priority alerts and security anomalies.
• Collaborate with detection engineers and threat intelligence teams to refine investigative signals and improve security visibility.
• Maintain incident management processes, ensuring incidents are properly categorized, documented, and escalated as needed.
• Perform continuous operational improvements, such as tuning detection rules, optimizing log ingestion, and enhancing alert enrichment pipelines.
• Conduct security gap analysis, identifying weaknesses in monitoring coverage and recommending solutions to enhance detection and response capabilities.
• Work closely with engineering and infrastructure teams to improve log collection, normalization, and visibility across diverse environments.
• Ensure adherence to incident response playbooks, compliance standards, and security best practices (e.g., CISA, GDPR, NIST, ISO 27001).

Incident Investigation & Threat Hunting

• Lead/Co-Lead forensic investigations into intrusions, insider threats, APTs, and account compromises.
• Perform log analysis, correlation, and anomaly detection across endpoint, network, and cloud telemetry.
• Use Python, SQL, and data engineering techniques to extract insights from large-scale logs, identifying attacker TTPs and movement across environments.
• Investigate real-time security incidents, working closely with detection teams to validate alerts and escalate threats.
• Conduct post-incident analysis to determine root causes, document findings, and recommend mitigation strategies.

Security Monitoring & Continuous Threat Analysis

• Oversee security monitoring operations, ensuring alert triage, enrichment, and validation align with investigative workflows.
• Optimize SIEM queries, log ingestion pipelines, and case management systems to improve threat visibility.
• Develop playbooks and workflows to streamline investigations and reduce manual effort in repetitive tasks.
• Maintain Standard Operating Procedures (SOPs) for effective response to security alerts and ongoing monitoring.
• Collaborate with the Detection Engineering team to refine detection rules and investigative signals based on real-world attack patterns.

Security Engineering & Automation for Investigations

• Provide requirements for automated solutions to enhance investigation efficiency, such as log parsing scripts, data enrichment tools, and case correlation frameworks.
• Use log analysis pipelines for efficient parsing, enrichment, and correlation of multi-source security data.
• Review and comprehend custom detection logic for brute-force attempts, lateral movement, and anomaly-based intrusion detection.

Forensic Analysis & Threat Intelligence Correlation

• Perform disk, memory, and network forensics to uncover hidden indicators of compromise (IOCs) and attacker behaviors.
• Correlate multi-source logs (firewall, EDR, web, authentication logs, cloud telemetry) to reconstruct attack chains and identify attacker footholds.
• Analyze network traffic (PCAP, NetFlow, proxy logs) to detect exfiltration attempts, lateral movement, and suspicious patterns.
• Use threat intelligence APIs (e.g., VirusTotal, AbuseIPDB) to enrich investigations and automate IOC processing.

Must-Have Qualifications

• 1+ years of experience in incident response, security operations, and forensic analysis
• Willingness to lead crisis situations, make data-driven security decisions, and drive technical and operational improvements.
• Knowledge of incident management, root cause analysis, and forensic investigation methodologies.
• Hands-on experience with SIEM (SQL, ELK, etc), SOAR, and EDR (CrowdStrike,) for real-time security monitoring and response.
• Understanding of OKR methodologies, Agile workflows, and project prioritization strategies.
• Understanding of threat intelligence, attacker tactics (MITRE ATT&CK), and real-world attack chains.

Nice-to-Have Qualifications

• Experience in security operations, ensuring effective escalation, resolution, and business alignment.
• Certifications: GCFA, GNFA, GREM, GCIH, or equivalent forensic/security certifications.
• Familiarity with SOAR platforms and security case management automation.
• Experience in Red Teaming, Threat Intelligence, or Malware Analysis.
• Understanding of cloud-native security monitoring (AWS, GCP, Azure).
• Knowledge of cloud security (AWS, GCP, Azure) and containerized workloads (Kubernetes, Docker) security incident handling.