Manager, Digital Forensics & Incident Response, Cyber & Data Resilience 

In a world of disruption and increasingly complex business challenges, our professionals bring truth into focus with the Kroll Lens. Our sharp analytical skills, paired with the latest technology, allow us to give our clients clarity—not just answers—in all areas of business. We embrace diverse backgrounds and global perspectives, and we cultivate diversity by respecting, including, and valuing one another. As part of One team, One Kroll, you’ll contribute to a supportive and collaborative work environment that empowers you to excel.

Kroll’s Cyber & Data Resilience team is seeking a Digital Forensics & Incident Response (DFIR) Consultant to support organizations through high‑impact cyber incidents, investigations, and crisis events. This role is ideal for a practitioner with solid hands‑on DFIR experience who is ready to take greater ownership of investigations, work directly with clients and legal counsel, and contribute to complex, fast‑moving response engagements. You will work as part of a global DFIR team responding to incidents such as ransomware, business email compromise, insider threats, data breaches, and advanced intrusions—helping clients contain threats, understand impact, and recover with confidence.

Key Responsibilities:

• Lead and support digital forensics and incident response investigations across Windows, macOS, Linux, cloud, SaaS, and identity environments 

• Perform acquisition and analysis across endpoints, servers, cloud, SaaS, identity, and network telemetry while maintaining defensible chain‑of‑custody

• Identify attacker tradecraft, determine root cause, assess scope and data‑at‑risk, and support threat actor eviction

• Communicate effectively with all project stakeholders, including clients, outside counsel, insurers and internal teams.

• Support containment, eradication, and recovery activities in coordination with client security teams and restoration partners 

Required Experience & Skills:

• 3–5 years of hands‑on experience in digital forensics, incident response, or security operations

• Experience working across modern environments (EDR/XDR, SIEM, cloud, SaaS, identity platforms)

• Possess excellent project management skills, with ability to communicate complex technical findings clearly to non‑technical stakeholders

• Comfortable working under pressure during live incidents, including occasional after‑hours response

Nice to have:

• Industry certifications such as GCFA, GCFE, GCIH, or similar

• Experience delivering incident readiness services, such as compromise assessments, IRP/playbook development, tabletops, and cyber range activities

• Exposure to expert witness support or litigation‑related investigations

#LI-TM1

#LI-Remote