Specialist – DFIR(Digital Forensics Incident Response)

We're the team that keeps airports moving, airlines flying smoothly, and borders open. Our tech and communication innovations are the secret behind the success of the world's air travel industry.

You'll find us at 95% of international hubs. We partner closely with over 2,500 transportation and government clients, each with their own unique needs and challenges. Our goal is to find fresh solutions and cutting-edge tech to make their operations run like clockwork. Want to be a part of something big?

Are you ready to love your job? The adventure begins right here, with you, at SITA.

As the DFIR Lead, you will own high-severity investigations end-to-end—rapidly detecting, containing, and eradicating threats—while leading digital forensics and proactive threat hunting. You will serve as Incident Commander and a technical escalation point for complex cases.

You'll join SITA's STORM (Security Threat & Operational Risk Management) organization and work closely with the SOC, CTI, Cloud/Platform, Product, and customer-facing teams to uplift detection and response maturity across SITA, our customers, and the wider air-transport ecosystem.

At SITA, we achieve more, together.

Incident Response & Coordination

• Response to high/critical incidents; drive containment, eradication, recovery, and post-incident hardening.

• Coordinate SOC, CTI, IT, cloud, product, and business stakeholders to resolution as Incident Commander.

• Produce clear reports, timelines, and executive readouts; track lessons learned and corrective actions.

• Monitor evolving TTPs and update playbooks, detections, and response patterns.

Digital Forensics & Evidence Handling

• Perform forensically sound acquisition and analysis across endpoints, servers, cloud, network, and SaaS.

• Maintain strict chain-of-custody and document procedures to industry standards.

• Reconstruct attacker activity (lateral movement, persistence, staging/exfiltration) and map to MITRE ATT&CK.

Threat Hunting & Detection Engineering

• Conduct hypothesis-driven hunts across EDR, SIEM, cloud, and network telemetry.

• Translate findings into high-fidelity detections, analytics, and SOAR automations; reduce MTTD/MTTR.

• Validate and tune rules to minimize false positives and maximize coverage of priority TTPs.

Triage, Monitoring & Quality Assurance

• Oversee L1/L2 triage quality; calibrate severity, escalation paths, and playbook execution.

• Perform spot checks on tooling outputs; refine thresholds/use cases and improve SOC runbooks, dashboards, and KPIs.

Tooling, Automation & Telemetry

•  Build/integrate scripts and tools to accelerate evidence collection, enrichment, and response.

• Partner with platform owners to harden logging, telemetry, and retention required for DFIR at scale.

Working model: participation in an on-call rotation for major incidents; occasional travel to customer or SITA sites.

Must-Have

• Minimum 3 years of proven track record leading incident response and digital forensics in complex, hybrid (on-prem/cloud) environments.
• Hands-on with EDR (e.g., CrowdStrike), SIEM (e.g., Splunk, Microsoft Sentinel, Elastic), and SOAR.
• Scripting for DFIR/automation (Python and/or PowerShell); familiarity with KQL and detection content authoring.
• Deep knowledge of attacker tradecraft and the MITRE ATT&CK framework.
• Excellent written and verbal communication—able to brief executives and guide technical teams.

Nice-to-Have

• Certifications: GCFA, GNFA, GCIH, GREM, OSCP, CISSP (or equivalent experience).
• Cloud DFIR expertise (Azure/AWS/GCP) and identity-centric investigations (Entra ID/Okta).
• Exposure to OT/airport systems and constraints in air-transport environments

• At least 3 years experience in deployment or support of application software implementing systems and modules with experience in multiple full lifecycle implementations.
• University degree or equivalent  
• Where applicable a recognised professional qualification is desirable

We're all about diversity. We operate in 200 countries and speak 60 different languages and cultures. We're really proud of our inclusive environment. Our offices are comfortable and fun places to work, and we make sure you get to work from home too. Find out what it's like to join our team and take a step closer to your best life ever.

Flex Week: Work from home up to 2 days/week (depending on your team's needs)

Flex Day: Make your workday suit your life and plans.

Flex-Location: Take up to 30 days a year to work from any location in the world.

Employee Wellbeing: We have got you covered with our Employee Assistance Program (EAP), for you and your dependents 24/7, 365 days/year. We also offer Champion Health - a personalized platform that supports a range of wellbeing needs.

Professional Development: Level up your skills with our training platforms, including LinkedIn Learning

Competitive Benefits: Competitive benefits that make sense with both your local market and employment status.

SITA is an Equal Opportunity Employer. We value a diverse workforce. In support of our Employment Equity Program, we encourage women, aboriginal people, members of visible minorities, and/or persons with disabilities to apply and self-identify in the application process.