
Lead cyber detect and respond analyst

Permanent
Analyst
Posted: 8h ago
Offer description

Lead Cyber Detect and Respond Analyst

Location: National*
Closing Date: 5th September
Interviews: W/C 15th September (subject to change)
Grade: SEO (MoJ candidates who are on a specialist grade will be able to retain this grade on lateral transfer)
Salary: National: £42,914 - £51,675, which may include an allowance up to £8761. London: £49,325 - £56,050, which may include an allowance up to £6725.
Working pattern: Full time, part time, flexible working, job share.
Contract Type: Permanent.

*We offer a hybrid working model, allowing for a balance between remote work and time spent in your local office. Office locations can be found on this map.

The Role

We're recruiting for a Lead Cyber Detect and Respond Analyst here at Justice Digital, to be part of our warm and collaborative Digital Infrastructure and Security Operations (DISO) team.

This role aligns against Monitoring Lead from the Government Security Profession Framework.

The Lead Cyber Detect and Respond Analyst will lead the proactive monitoring, analysis, and response to security events and incidents, ensuring the effective detection and mitigation of cyber threats to the Ministry of Justice (MoJ). This role is responsible for conducting advanced triage, managing incident response activities, and performing in-depth threat hunting and digital forensic investigations. The lead analyst develops and refines detection and response procedures, mentors junior team members, and provides expert guidance during high-severity incidents. Operating with a high degree of independence and technical authority, this role plays a critical part in strengthening the MoJ's cyber resilience and advancing the maturity of SOC operations.

To help picture your life at MoJ Justice Digital please take a look at our blog and our Digital and Technology strategy 2025.

Key Responsibilities:

  • Deputises for the Principal Cyber Detect and Respond Analyst when required, providing leadership and continuity of operations in their absence.
  • Supports decision-making, coordinates team activities, and ensures the effective delivery of cyber protection initiatives.
  • Independently investigates complex cases involving cyber security incidents, such as suspected data breaches, intellectual property theft, insider threat investigations, fraud and abuse, asset misuse, and violations of MoJ / Civil Service Security policy, incorporating the use of advanced threat hunting and digital forensic techniques.
  • Responsible for the preservation and acquisition of data, ensuring adherence to industry best practices and evidentiary standards.
  • Utilises specialist forensic tools and techniques to retrieve data directly or remotely, while maintaining the integrity and chain of custody of all collected evidence.
  • Conducts in-depth analysis of files, data elements, and memory contents to uncover evidence of malicious or unauthorised activity.
  • Conducts proactive threat hunting activities to identify indicators of compromise (IOCs), uncover hidden threats, and support the early detection of malicious activity across the MoJ's digital environment.
  • Contributes to the development and continuous improvement of incident response capabilities, including detailed policies, procedures, and playbooks.
  • Plays a key role in analysing, responding to, and escalating cyber security incidents where major security breaches are identified, ensuring that lessons learned inform future response and operational resilience.
  • Supports strong working relationships with stakeholders, management, and infrastructure support teams across the MoJ, ensuring effective collaboration and communication.
  • During a cyber security incident, assists users in accessing, viewing, and processing data in accordance with agreed access controls and security policies, promoting responsible data handling and compliance.
  • Line Management/People Management responsibilities.
  • There will be an On-Call rota 18:00 to 08:00 Monday to Friday plus weekends and public holidays. Additional allowances are available for on-call staff.

If this feels like an exciting challenge, something you are enthusiastic about, and want to join our team please read on and apply!

Benefits

  • 37 hours per week and flexible working options including working from home, working part-time, job sharing, or working compressed hours.
  • A £1k per person learning budget is in place to support all our people, with access to best in class conferences and seminars, accreditation with professional bodies, fully funded vocational programmes and e-learning platforms.
  • Staff have 10% time to dedicate to develop & grow.
  • Generous civil service pension based on defined benefit scheme, with employer contributions of 28.97% from April 1st 2024 (Contribution Rates).
  • 25 days leave (plus bank holidays) and 1 privilege day usually taken around the King's birthday. 5 additional days of leave once you have reached 5 years of service.
  • Compassionate maternity, adoption, and shared parental leave policies, with up to 26 weeks leave at full pay, 13 weeks with partial pay, and 13 weeks further leave. And maternity support/paternity leave at full pay for 2 weeks, too!
  • Wellbeing support including access to the Calm app.
  • Nurturing professional and interpersonal networks including those for Carers & Childcare, Gender Equality, PROUD and SPIRIT.
  • Bike loans up to £2500 and secure bike parking (subject to availability and location).
  • Season ticket loans, childcare vouchers and eye-care vouchers.
  • 5 days volunteering paid leave.
  • Some offices may have a subsidised onsite Gym.

Person Specification

Essential

  • Significant experience in a cyber threat detection and response role, with demonstrable leadership responsibilities.
  • Holds current, relevant professional certifications in Security Operations or Information Security (e.g., CompTIA CySA, CISSP, GCIH, GCIA, SSCP).
  • Working understanding of cybersecurity operations, threat detection methodologies, and incident response frameworks (e.g., NIST, MITRE ATT&CK).
  • Proven ability to lead and coordinate incident response efforts, including triage, containment, eradication, and recovery.
  • Strong experience in analysing and correlating logs and alerts across multiple platforms (e.g., SIEM, XDR/EDR, cloud, network).
  • Excellent analytical and critical thinking skills, with the ability to make sound decisions under pressure.
  • Strong communication skills, capable of producing high-quality incident reports and presenting findings to technical and non-technical stakeholders.
  • Experience mentoring junior analysts and contributing to the development of SOC processes, playbooks, and detection rules.
  • Demonstrated ability to work collaboratively across teams and with external partners to drive incident resolution and continuous improvement.

Willingness to be assessed against the requirements for SC clearance.

We welcome the unique contribution diverse applicants bring and do not discriminate based on culture, ethnicity, race, nationality or national origin, age, sex, gender identity or expression, religion or belief, disability status, sexual orientation, educational or social background or any other factor.

Our values are Purpose, Humanity, Openness and Together. Find out more here about how we celebrate diversity and an inclusive culture in our workplace.

The Civil Service is committed to attract, retain and invest in talent wherever it is found. To learn more please see the Civil Service People Plan and the Civil Service D&I Strategy.

How to Apply

Candidates must submit a CV and statement of suitability (of no more than 750 words), which describes how you meet the requirements set out in the Person Specification above.

Applicants who do not submit both a CV and a separate statement of suitability will be rejected.

Application Guidance

Please access the following link for guidance on how to apply and how to complete a Personal Statement: Application Guidance

In Justice Digital, we recruit using a combination of the Government Digital and Data Profession Capability, Success Profiles and Government Security Profession frameworks. We will assess your Experience, Technical Skills and the following Behaviours during the assessment process:

  • Leadership
  • Seeing the Bigger Picture
  • Communicating and Influencing

A diverse panel will review your application against the Person Specification above.

Successful candidates who meet the required standard will then be invited to a 1-hour panel interview held via video conference.

Should we receive a high volume of applications, a pre-sift based on the following criteria will be conducted before the sift:

  • Significant experience in a cyber threat detection and response role, with demonstrable leadership responsibilities.
  • Holds current, relevant professional certifications in Security Operations or Information Security (e.g., CompTIA CySA, CISSP, GCIH, GCIA, SSCP).
  • Strong communication skills, capable of producing high-quality incident reports and presenting findings to technical and non-technical stakeholders.

Should you be unsuccessful in the role that you have applied for but demonstrate the capability for a role at a lower level, we reserve the right to discuss this opportunity with you and offer you the position without needing a further application.

A reserve list may be held for up to 12 months, from which further appointments may be made.

Use of Artificial Intelligence

Artificial Intelligence can be a useful tool to support your application. However, all examples and statements provided must be truthful, factually accurate, and based on your own experience. Where plagiarism is identified (such as presenting the ideas and experiences of others, or AI-generated content, as your own), applications may be withdrawn. Internal candidates may also be subject to disciplinary action. Please see our candidate guidance for more information on appropriate and inappropriate use.

Terms & Conditions

Please review our Terms and Conditions which set out how we recruit and provide further information related to the role and salary arrangements.

If you have any questions, please feel free to contact digitalanddatarecruitment@justice.gov.uk

© 2025 Jobijoba - All Rights Reserved
