Applicants must have demonstrated experience as listed below. This requirement is according to the AO Classification, Compensation, and Recruitment Systems which include interpretive guidance and reference to the OPM Operating Manual for Qualification Standards for General Schedule Positions. Applicants must have at least one full year (52 weeks) of specialized experience, which is in or directly related to the line of work of this position. Specialized experience is demonstrated experience in ALL of the following: Development experience to include proficiency in 1 or more of the following: .NET, PowerShell, C# or Python. Comprehensive understanding of adversarial techniques, with the capability to technically diagram and articulate the stages of an intrusion. SME-level experience examining enterprise audit logs including Windows Event Log and Sysmon in Windows environments, and auditd in Linux environments. Knowledge of forensic methodologies and the processes involved in collecting, preserving, and analyzing digital evidence to accurately reconstruct events and support incident response efforts. Experience in analyzing sophisticated attacker techniques that exploit email and cloud services as attack vectors. Desired, but Not Required: GIAC Certified Incident Handler (GCIH) GIAC Certified Forensic Analyst (GCFA) GIAC Certified Forensic Examiner (GCFE) GIAC Cloud Incident Response (GCIR) Certified Information Systems Security Professional (CISSP)