Senior Incident Response Analyst

About us Coalition is the world's first Active Insurance provider designed to help prevent digital risk before it strikes. Founded in 2017, Coalition combines comprehensive insurance coverage and innovative cybersecurity tools to help businesses manage and mitigate potential cyberattacks. Opportunities to make an impact with bold thinking are real—and happening daily at Coalition. About the role Coalition Incident Response (CIR) Australia is hiring a Senior Incident Response Analyst to lead high-impact digital forensics and incident response investigations for our insureds. You will guide organisations through business email compromise, ransomware, data theft, and other cyber incidents, from initial scoping through recovery and reporting. In this role, you will partner closely with the local IR Lead, external breach counsel, Coalition Claims, MDR, and our security engineering teams to help organisations navigate some of their worst days with confidence and clarity. Responsibilities Lead end-to-end incident response engagements, from intake and scoping through evidence collection, analysis, containment, remediation guidance, and closure. Perform digital forensics across endpoints, email platforms, networks, websites, and cloud services to reconstruct attacker activity and determine scope and impact. Investigate Microsoft 365 and other cloud environments for account compromise, data access, mail flow abuse, and configuration weaknesses. Produce clear, defensible forensic reports and executive-ready summaries that describe what happened, how it happened, and what to do next. Facilitate client and counsel calls, including findings briefings, remediation recommendations, and post-incident lessons-learned discussions. Contribute to Australia-specific IR processes, playbooks, and active services (such as tabletop exercises), and participate in our global follow-the-sun coverage model. Skills and Qualifications Substantial hands-on DFIR experience, including leading complex investigations as the primary analyst and client point of contact. Strong technical foundation in Windows and Linux forensics, including acquisition, timeline analysis, and investigation of common attacker techniques (macOS experience a plus). Proven experience with Microsoft 365 email and cloud forensics, including mailbox and audit log review, OAuth and mailbox rule abuse, and common phishing/BEC scenarios. Ability to investigate web and application compromises, with particular familiarity with WordPress or similar CMS platforms. Experience working with network, perimeter, and authentication logs, as well as EDR and related security tooling, to identify and track malicious activity. Excellent written and verbal communication skills, with a track record of translating complex technical findings into clear guidance for non-technical stakeholders, including executives and legal counsel. Comfort operating in a fast-paced environment with multiple concurrent cases, balancing urgency with thoughtful, high-quality analysis and documentation. Familiarity with Australian privacy and regulatory requirements, and how they influence breach assessment, notification, and documentation in incident response, is strongly preferred. Programming or scripting experience (e.g., Python, PowerShell) to automate analysis, evidence collection, or reporting is a plus. Bonus Points Experience handling incidents in an insurance, MSSP, or DFIR consulting context, particularly in the Australian market. Prior experience working in a globally distributed or follow-the-sun IR team. Exposure to forensics and log analysis in AWS, Google Cloud, and other major SaaS platforms. Experience designing or delivering proactive IR offerings such as tabletop exercises, readiness assessments, or playbook development. Demonstrated contributions to improving DFIR processes, tooling, or automation within a prior team. Perks 100% medical coverage, including outpatient and emergency c ... (truncated, view full listing at source)