Senior Incident Responder, Philippines

About Blackpanda

Blackpanda is a Lloyd's of London–accredited insurance coverholder and Asia's leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack.

Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert. Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.

How We Work

Blackpanda is a tech‑enabled services team. We invest heavily in AI and are constantly pushing to do better, faster, and at scale. You are given freedom to use the approved tools in the team, but you are to take ownership of outcomes. We prefer smart work over hard work, welcome good ideas regardless of where they come from, and have deliberately kept red tape out of the way of innovation. If you want to join a team building the best response practice in Asia — and shaping the tools and methods that get us there — you'll be in good company.

A Note on Levelling

This posting reflects a single role title; however, we hire across a range of seniority levels from this brief. The final title, whether DFIR Analyst, DFIR Specialist, or an adjacent level, will be determined by the depth and breadth of cybersecurity and incident response capabilities demonstrated throughout the interview process. If your experience sits near the edge of these levels, we encourage you to apply regardless.

Your Mission: Senior Incident Responder

As a Senior Incident Responder, you will lead engagements end‑to‑end — scoping new incidents, running the response, and seeing each case through to a defensible outcome for the client. You will typically carry multiple matters at a time (of standard complexity), guide junior responders through the work, and act as the senior technical voice in the room with clients.

This is a hands‑on leadership role. You are expected to deliver excellent work yourself, raise the level of work around you, and contribute back into the tools, playbooks, and processes that make the practice better over time. We want senior responders who think like operators and engineers — people who push the craft forward, not just keep the lights on.

Core Responsibilities

• Lead live incident response engagements end‑to‑end — scoping, containment, evidence acquisition, forensic analysis, and final reporting — across BEC, ransomware/DFIR, data breach, compromise assessment, insider, and digital forensics cases.
• Run the technical investigation across Windows, Linux, macOS, and cloud environments, making the call on direction and standing behind the quality of findings.
• Carry multiple concurrent engagements of standard complexity, balancing competing priorities and keeping each case moving without dropping quality.
• Own the integrity of the work on every engagement you lead — chain of custody, evidence handling, deliverable quality, and the client experience throughout.

Scoping & Client Advisory

• Scope new incident response cases directly with clients — translating an ambiguous, high‑pressure situation into a clear plan of action, deliverables, and commercial terms.
• Act as the senior technical point of contact for the client throughout the engagement, communicating findings, risk, and next steps with clarity and authority.
• Provide advisory input on remediation, recovery, and hardening, and recognise when to bring in additional capability — legal, insurance, or specialist services — to serve the client properly.

Mentorship & Team Leadership

• Guide junior responders through live engagements — assigning work, reviewing output, and coaching them on tradecraft, client posture, and judgement.
• Share what you know — through writeups, internal training, walkthroughs, and on‑the‑job mentoring — so the team gets stronger case over case.
• Lead delivery through others when the situation calls for it: scoping the work, dividing tasks, holding the line on quality, and stepping in technically where it matters most.

Building Tools & Processes

• Contribute to the continuous improvement of Blackpanda's playbooks, tooling, automation, and methodology — flag what is slow, brittle, or repeatable, and help fix it.
• Bring lessons from real engagements back into the practice so each case sharpens the next.
• Adopt AI and automation aggressively where they raise the floor or the ceiling of the work — we prefer smart work over hard work.

Minimum Requirements

• 3+ years of professional cybersecurity experience, including hands‑on incident response delivered in a client‑facing role.
• Demonstrated ability to lead investigations end‑to‑end across common case types (e.g. BEC, ransomware/DFIR, data breach, compromise assessment, insider, digital forensics).
• Strong technical depth across Windows, Linux, and macOS, and working comfort with at least one major cloud provider.
• Scripting ability in Python, Bash, or PowerShell — strong enough to build collection, parsing, or automation tooling without supervision.
• Clear written and verbal English; able to author client deliverables, run client meetings, and represent Blackpanda in high‑stakes situations.
• Sound judgement under ambiguity — comfortable making technical and commercial calls in fast‑moving, incomplete‑information situations.
• Calm under pressure, with the professional posture expected of a senior client‑facing operator.

Preferred Qualifications

• Relevant certifications such as GCIH, GCFA, GREM, GNFA, GCFR, CISSP, OSCP, or equivalent.
• Deep hands‑on experience with EDR, SIEM, and forensic tooling in real‑world engagements.
• Track record of mentoring or training junior responders, formally or informally.
• Contribution to tooling, automation, or methodology improvements at a previous firm — open‑source or internal.
• Additional languages relevant to the regions Blackpanda serves.

How You'll Grow

You will own real engagements from day one, with the autonomy to make calls and a senior team around you to lean on. There is a clear path into leading more complex cases, technical specialisation, and broader team leadership for those who want it.

You'll join a diverse team of teammates from around the world, where who you are, the quality of your work, and your character are what matter. Trying and failing is ok. Failing to try is not.

Why This Role

If you've built real incident response chops on the front line and you're ready to lead the work — scoping cases, running them through to completion, and bringing junior responders up with you — this is the seat. We're looking for senior responders who want to shape how the work gets done, not just execute someone else's playbook.