Job Title: T&T | Cyber: D&R | Incident Response | Deputy Manager | Delhi

• Job requisition ID : 102995
• Location: Delhi
• Entity: Deloitte Touche Tohmatsu India LLP
The Team
Deloitte helps organizations prevent cyberattacks and protect valuable assets. We believe in being secure, vigilant, and resilient: not only by looking at how to prevent and respond to attacks, but at how to manage cyber risk in a way that allows you to pursue new opportunities. Embedding cyber risk at the start of strategy development enables more effective management of information and technology risks.
Your work profile
- Conduct compromise assessments to identify adversary access, persistence, lateral movement, privilege escalation, and identity abuse across enterprise environments.
- Perform host, network, cloud, and identity forensic triage including evidence collection, artefact review, timeline reconstruction, and case documentation.
- Lead evidence acquisition activities across disk, memory, endpoint, cloud, and enterprise-wide sources while maintaining evidence handling discipline.
- Use and operationalize tools such as Velociraptor, KAPE, Eric Zimmerman tools, Timesketch, Plaso, Volatility, Wireshark, Zeek, YARA, and Sigma where applicable.
- Investigate persistence mechanisms, suspicious authentication flows, Kerberos misuse, delegation abuse, AD trust relationships, and hybrid identity artefacts.
- Perform malware triage and malware analysis to determine behavior, persistence, likely impact, and defensive recommendations.
- Support Active Directory and identity compromise assessments using tools and techniques such as BloodHound, PingCastle, Purple Knight, PowerView, LDAP queries, trust analysis, and AD CS review.
- Build and improve IR lab and response engineering capability including forensic workstations, secure investigation environments, telemetry integrations, automation scripts, and validation environments.
- Develop automation using Python, PowerShell, Bash, APIs, parsers, dashboards, and enrichment workflows to support compromise assessment and DFIR activities.
- Translate forensic findings into ATT&CK mappings, control validation, detection rule improvement opportunities, breach and attack simulation (BAS) scenarios, and purple-team style outputs where relevant.
- Support security architecture and enterprise hardening discussions focused on identity security, telemetry quality, logging coverage, and investigation readiness.
Key Skills Required
- At least 6 years of overall experience in cyber security, with strong hands-on exposure to compromise assessment, DFIR, incident investigations, and response engineering.
- Demonstrated experience with evidence collection, forensic triage, timeline building, persistence analysis, lateral movement review, and identity compromise assessment.
- Strong knowledge of Windows forensics, endpoint artefacts, event logs, registry, process lineage, scheduled tasks, services, startup persistence, and memory analysis concepts.
- Strong experience with Active Directory and identity investigations including Kerberos, delegation, trusts, LDAP, Entra ID, ADFS, hybrid identity logs, AD CS, and privileged relationship analysis.
- Experience using SIEM, EDR, network telemetry, cloud logs, and identity logs with the ability to investigate beyond dashboards and alerts.
- Strong troubleshooting and engineering capability using Python, PowerShell, Bash, APIs, platform integrations, telemetry onboarding, and investigation infrastructure setup.
- Experience with malware triage, YARA, memory forensics, detection content alignment, or reverse engineering support is strongly preferred.
- Ability to produce structured forensic summaries, methodology write-ups, assessment reports, executive-ready findings, and technical remediation recommendations.
- Bachelor’s / Master’s Degree
- Certifications like GCFA, GNFA, GREM, CHFI, GCFR, GCIH, ECIH, CRTP, CRTE, SC-300, AZ-500, or equivalent are preferred.
