Incident Response Engineer

Role Summary
Team Mission
The Security Response Team's mission is to systematically respond to security threats safeguarding Cloudflare. We operate 24/7 across the globe to respond to security incidents, continuously improve our response capabilities, lead digital investigations and enhance our overall security posture. Our "Cloudflare on Cloudflare", data and automation first philosophy makes us a cohesive team with high impact.
The Role
This intermediate role on the Security Response Team focuses on refining security processes and leading critical incidents-from threat detection and cyber-attack analysis to containment and forensics. This role collaborates with IT, Engineering, Product, and Legal teams to build scalable response frameworks, leveraging expertise in tooling, automation, custom log analysis, and SIEM systems. Additionally, it requires effective communication of technical topics based on business requirements and participation in a shared on-call rotation with rotating weekend and holiday shifts.
Responsibilities
Security Operations

• Oversee security event triage, validation, and response workflows, ensuring timely investigation of high-priority alerts and security anomalies.
• Collaborate with detection engineers and threat intelligence teams to refine investigative signals and improve security visibility.
• Maintain incident management processes, ensuring incidents are properly categorized, documented, and escalated as needed.
• Perform continuous operational improvements, such as tuning detection rules, optimizing log ingestion, and enhancing alert enrichment pipelines.
• Conduct security gap analysis, identifying weaknesses in monitoring coverage and recommending solutions to enhance detection and response capabilities.
• Work closely with engineering and infrastructure teams to improve log collection, normalization, and visibility across diverse environments.
• Ensure adherence to incident response playbooks, compliance standards, and security best practices (e.g., CISA, GDPR, NIST, ISO 27001).

Incident Investigation & Threat Hunting

• Lead forensic investigations into intrusions, insider threats, APTs, and account compromises.
• Perform log analysis, correlation, and anomaly detection across endpoint, network, and cloud telemetry.
• Use Python, SQL, and data engineering techniques to extract insights from large-scale logs, identifying attacker TTPs and movement across environments.
• Investigate real-time security incidents, working closely with detection teams to validate alerts and escalate threats.
• Conduct post-incident analysis to determine root causes, document findings, and recommend mitigation strategies.

Security Monitoring & Continuous Threat Analysis

• Oversee security monitoring operations, ensuring alert triage, enrichment, and validation align with investigative workflows.
• Optimize SIEM queries, log ingestion pipelines, and case management systems to improve threat visibility.
• Develop playbooks and workflows to streamline investigations and reduce manual effort in repetitive tasks.
• Maintain Standard Operating Procedures (SOPs) for effective response to security alerts and ongoing monitoring.
• Collaborate with the Detection Engineering team to refine detection rules and investigative signals based on real-world attack patterns.

Security Engineering & Automation for Investigations

• Engineer automated solutions to enhance investigation efficiency, such as log parsing scripts, data enrichment tools, and case correlation frameworks.
• Build log analysis pipelines for efficient parsing, enrichment, and correlation of multi-source security data.
• Develop custom detection logic for brute-force attempts, lateral movement, and anomaly-based intrusion detection.
• Automate threat intelligence enrichment, real-time event processing, and security data visualization.
• Engineer scalable solutions for PCAP analysis, network flow monitoring, and cloud security event detection.

Forensic Analysis & Threat Intelligence Correlation

• Perform disk, memory, and network forensics to uncover hidden indicators of compromise (IOCs) and attacker behaviors.
• Correlate multi-source logs (firewall, EDR, web, authentication logs, cloud telemetry) to reconstruct attack chains and identify attacker footholds.
• Analyze network traffic (PCAP, NetFlow, proxy logs) to detect exfiltration attempts, lateral movement, and suspicious patterns.
• Use threat intelligence APIs (e.g., VirusTotal, AbuseIPDB) to enrich investigations and automate IOC processing.

Must-Have Qualifications

• 7+ years of experience in incident response, security operations, and forensic analysis, with 5+ years leading teams.
• Proven ability to lead crisis situations, make data-driven security decisions, and drive technical and operational improvements.
• Strong expertise in incident management, root cause analysis, and forensic investigation methodologies.
• Hands-on experience with SIEM (SQL, ELK, etc), SOAR, and EDR (CrowdStrike,) for real-time security monitoring and response.
• Expertise in cloud security (AWS, GCP, Azure) and containerized workloads (Kubernetes, Docker) security incident handling.
• Experience managing large-scale security incidents, ensuring effective escalation, resolution, and business alignment.
• Proficiency in OKR methodologies, Agile workflows, and project prioritization strategies.
• Strong understanding of threat intelligence, attacker tactics (MITRE ATT&CK), and real-world attack chains.

Nice-to-Have Qualifications

• Certifications: GCFA, GNFA, GREM, GCIH, or equivalent forensic/security certifications.
• Familiarity with SOAR platforms and security case management automation.
• Experience in Red Teaming, Threat Intelligence, or Malware Analysis.
• Understanding of cloud-native security monitoring (AWS, GCP, Azure).
• Compensation
  Compensation may be adjusted depending on work location.
  
  • For Texas based hires: Estimated annual salary of $115,000-$141,000.

  
  This role is eligible to earn incentive compensation under Cloudflare's Sales Compensation Plan. The estimated annual salary range includes the on-target incentive compensation that may be attained in this role under the Sales Compensation Plan.
  Equity
  This role is eligible to participate in Cloudflare's equity plan.
  Benefits
  Cloudflare offers a complete package of benefits and programs to support you and your family. Our benefits programs can help you pay health care expenses, support caregiving, build capital for the future and make life a little easier and fun! The below is a description of our benefits for employees in the United States, and benefits may vary for employees based outside the U.S.
  Health & Welfare Benefits
  

  • Medical/Rx Insurance
  • Dental Insurance
  • Vision Insurance
  • Flexible Spending Accounts
  • Commuter Spending Accounts
  • Fertility & Family Forming Benefits
  • On-demand mental health support and Employee Assistance Program
  • Global Travel Medical Insurance

  
  Financial Benefits
  

  • Short and Long Term Disability Insurance
  • Life & Accident Insurance
  • 401(k) Retirement Savings Plan
  • Employee Stock Participation Plan

  
  Time Off
  

  • Flexible paid time off covering vacation and sick leave
  • Leave programs, including parental, pregnancy health, medical, and bereavement leave