About this role
Job Description Summary
As part of the Sandoz Security Operations Center, the Incident Response and Digital Forensics Expert delivers fast, structured responses to cybersecurity events while working closely with SOC, SecOps leadership, and key internal stakeholders. This role focuses on triage, containment, and remediation of incidents, using industry‑leading tools to conduct evidence acquisition and forensic analysis across endpoints, servers, cloud environments, and network data. The mission is to uphold world‑class incident response capabilities, provide defensible forensic findings, and support decision‑making during Major Incident Management (MIM) calls.
This role works cross‑functionally to strengthen Sandoz’s global security posture and safeguard the organisation from evolving cyber threats.
Job Description
Sandoz continues to go through an exciting and transformative period as a global leader and pioneering provider of sustainable Biosimilar and Generic medicines. As we continue down this new and ambitious path, unique opportunities will present themselves, both professionally and personally. Join us, the future is ours to shape!
Your Key Responsibilities
Incident Response – 70%
- Oversee security operations and ensure stable, compliant, and secure service.
- Own incident handling for low‑to‑high complexity events: validate alerts, determine scope, prioritize actions, and coordinate response across SOC/SecOps and third-party vendors.
- Run containment and remediation steps from approved playbooks (isolate hosts, revoke tokens, block IOCs, quarantine mail, reset credentials, collect live data).
- Keep an accurate incident timeline and evidence record; update tickets and communicate status to stakeholders using established templates and escalation paths.
- Join war-rooms and MIM calls, present technical findings clearly, and help drive decisions under pressure.
- Execute practical evidence collection and analysis across endpoints, servers, cloud services and network sources when required; preserve confidentiality and follow Legal/HR processes for sensitive cases.
- Improve playbooks, detection coverage and automations (KQL, PowerShell, Python) to reduce manual work and speed response.
- Participate in tabletop exercises, purple‑team activities and runbook validation to keep the team ready.
- Produce defensible management/C-level reports documenting relevant incidents with focus on RCA identification and recommendations.
Digital Forensics & Investigation (30%)
- Analyze artifacts and logs (host timelines, process trees, authentication events and network flows) to determine scope, impact and likely entry vectors. Conduct basic malware triage and escalate advanced cases to SOC LT.
- Perform live response and forensics evidence acquisition across various systems preserving integrity and confidentiality and adhering to applicable legal and regulatory requirements for sensitive cases.
- Deliver concise, technical evidence and reports that document methods, tools and results for internal review, incident reports and/or continuous improvement.
- Maintain and improve the forensic toolkit and standard operating procedures.
- Ensure evidence handling and retention meet approved standards and regulatory requirements; surface process or tooling gaps for review.
Technical Skills
- Strong understanding of network protocols, security controls, and threat intelligence (TTPs, IOCs/IOAs, MITRE ATT&CK).
- Proficiency with SIEM, SOAR, and EDR platforms; practical experience with Microsoft Defender for Endpoint/XDR (alert triage, KQL hunting, timelines, live response, remediation).
- Hands‑on forensic evidence acquisition using tools such as THOR, KAPE, Sleuth Kit, Velociraptor, etc.
- Experience with cloud incident response and identity‑centric attacks (Azure AD, M365, AWS/GCP).
- Ability to perform basic malware triage; familiarity with reverse‑engineering tools is a plus.
- Scripting/automation in Python and PowerShell; strong Windows/macOS troubleshooting (Linux is a plus).
Minimum Requirements
What you’ll bring to the role:
- 3–5 years of experience in Security Operations, with hands‑on exposure to IR workflows; experience coordinating with SOC operations.
- Bachelor’s or Master’s degree in Cybersecurity, Computer Science, or equivalent practical experience.
- Certifications such as eCIR/eCTHP, BTL1/BTL2, OSCP/eCPPT/PNPT, and GIAC (GCFA/GCFE/GCIH) are highly regarded.
- Microsoft security certifications such as SC‑200, AZ‑500/SC‑300 are a plus.
Why Sandoz?
Generic and Biosimilar medicines are the backbone of the global medicines industry. Sandoz, a leader in this sector, provided more than 900 million patient treatments across 100+ countries in 2024 and while we are proud of this achievement, we have an ambition to do more!
With investments in new development capabilities, production sites, new acquisitions, and partnerships, we have the opportunity to shape the future of Sandoz and help more patients gain access to low-cost, high-quality medicines, sustainably.
Our momentum is powered by an open, collaborative culture driven by our talented and ambitious colleagues, who, in return for applying their skills, experience an agile and collegiate environment with impactful, flexible-hybrid careers, where diversity is welcomed and where personal growth is supported!
Join us!
#Sandoz
Skills Desired
Information Security Risk Management, ITIL, Quality Management, Root Cause Analysis (RCA), Sec Ops (Security Operations), Vendor Management
About Sandoz
Global leader in generic and biosimilar medicines, operating as an independent company spun off from Novartis. Based in Basel.