

Cypress HCM
Senior Analyst, Investigations & Forensics
β - Featured Role | Apply direct with Data Freelance Hub
This role is for a Senior Analyst, Investigations & Forensics, on a contract-to-hire basis, offering competitive pay. Key skills include digital forensics, eDiscovery, and AI integration. Requires 7+ years of relevant experience and proficiency with forensic tools and methodologies. Remote work in the U.S. is required.
π - Country
United States
π± - Currency
$ USD
-
π° - Day rate
Unknown
-
ποΈ - Date
July 9, 2026
π - Duration
More than 6 months
-
ποΈ - Location
Remote
-
π - Contract
W2 Contractor
-
π - Security
Unknown
-
π - Location detailed
Folsom, CA
-
π§ - Skills detailed
#"ETL (Extract #Transform #Load)" #Python #Automation #Security #VPN (Virtual Private Network) #IP (Internet Protocol) #Cybersecurity #Azure #React #Storage #Strategy #Splunk #SAML (Security Assertion Markup Language) #Compliance #SaaS (Software as a Service) #Leadership #AI (Artificial Intelligence) #Cloud
Role description
Senior Analyst, Investigations and Forensics
Overview
β’ Investigations & Forensics | Security, Legal & Ethics Support
β’ Reports to the Manager, Investigations & Forensics
β’ Department: Cybersecurity β Investigations & Forensics
β’ Level: Individual Contributor (Senior)
β’ Employment Type: Contract-to-Hire (Full-Time)
β’ Location: Remote β United States (EST availability required)
β’ Travel: Minimal; core working hours overlap with EST timezone; occasional domestic travel for incident response and evidence collection as required
About the Team
β’ The Investigations & Forensics team is our specialized internal investigative function, operating at the intersection of cybersecurity, employment law, ethics, and regulatory compliance. The team serves as the primary technical investigative arm supporting Human Resources, Legal, and the Ethics & Compliance function, and acts as the Advanced Forensic Tier for the Security Incident Response Team (SIRT).
β’ The work handled by this team is among the most sensitive and consequential at the company. Matters can involve personnel at any level of the organization, active legal proceedings, and regulatory inquiries β all carrying significant employment, financial, and reputational risk. All work product is created under legal privilege and subject to strict confidentiality protocols.
Role Overview
β’ We are seeking a Senior Analyst, Investigations and Forensics on a contract-to-hire basis who will serve as the teamβs deep technical specialist for endpoint, cloud, and identity forensics. This individual will independently lead and execute complex investigations across insider threat, employee misconduct, IP theft, fraud, ethics breaches, and security incidents, producing legally defensible findings that can support HR actions, litigation, regulatory response, and executive decision-making. Success in this role can lead to a permanent full-time position within the team.
β’ This is not a purely reactive role. The successful candidate will contribute to proactive detection capability development, forensic tooling, and the integration of AI into investigative workflows. They will be expected to exercise strong independent judgment, communicate with precision, and maintain the highest standards of evidentiary integrity.
What You Will Do
Forensic Investigations
β’ Lead and execute end-to-end digital forensic investigations across endpoint, cloud, email, identity, and SaaS environments.
β’ Conduct deep-dive analysis for insider threat, data exfiltration, IP theft, fraud, employee misconduct, and ethics matter investigations.
β’ Support SIRT as the Advanced Forensic Tier on high-severity security incidents β establishing attribution, root cause, and precise forensic timelines.
β’ Perform forensic imaging and acquisition of endpoints and storage media in accordance with established forensic standards and chain of custody protocols, ensuring evidence integrity from collection through analysis.
β’ Conduct structured forensic analysis using industry-standard platforms including Magnet AXIOM Cyber, Cellebrite Endpoint Collector, Cellebrite Endpoint Investigator, and Sumuri Recon.
β’ Collect, preserve, and analyze digital evidence in a forensically sound manner, maintaining chain of custody and evidentiary integrity throughout.
β’ Produce executive-quality investigation reports suitable for HR proceedings, legal review, litigation support, and regulatory disclosure.
eDiscovery & Legal Support
β’ Execute eDiscovery collections from Exchange/O365, cloud platforms, and endpoints in response to legal holds and regulatory requests.
β’ Work closely with Legal to scope, collect, and produce electronically stored information (ESI) with defensible methodology.
β’ Apply custodian-level data scoping, deduplication, and privilege filtering aligned with counselβs requirements.
Technical Analysis & Tooling
β’ Perform advanced log analysis in Google SecOps/Chronicle (YARA-L) and Splunk (SPL).
β’ Extract and correlate forensic artifacts from CrowdStrike Falcon EDR telemetry across endpoint and cloud workloads.
β’ Query device management platforms (JAMF, Intune, SCCM) to build custodian device profiles and establish asset attribution in support of investigations.
β’ Analyze authentication and access events across identity platforms including Azure AD, Okta, and Zscaler.
β’ Contribute to the development and refinement of internal forensic tooling, detection playbooks, and investigative frameworks.
AI-Augmented Investigation Capability
β’ Design and build AI-assisted investigative workflows using platforms such as Anthropic Claude, Microsoft Copilot, and related enterprise AI tools.
β’ Develop prompt engineering frameworks, structured analysis pipelines, and automation logic that apply large language models to forensic triage, timeline reconstruction, and report drafting.
β’ Evaluate emerging AI capabilities for investigative applicability and lead proof-of-concept development within the teamβs forensic environment.
β’ Document and operationalize AI-augmented workflows so that investigative capability is repeatable, auditable, and defensible.
Stakeholder Engagement
β’ Partner with HR, Legal, and Ethics teams as a trusted technical advisor, translating complex forensic findings into clear, actionable conclusions.
β’ Maintain strict confidentiality and exercise mature judgment when handling matters involving current and former employees at all organizational levels.
β’ Provide testimony or declarations in support of legal proceedings where required.
Required Experience
β’ 7+ years of progressive experience in digital forensics, cybersecurity investigations, or a closely related discipline.
β’ Demonstrated expertise conducting insider threat, data exfiltration, and employee misconduct investigations in enterprise environments.
β’ Proficiency with enterprise forensic platforms: Magnet AXIOM Cyber, Cellebrite Endpoint Collector and Endpoint Investigator, and Sumuri Recon or comparable tooling.
β’ Strong working knowledge of forensic imaging standards and acquisition methodologies β including write-blocking, hash verification, and documented chain of custody β consistent with industry frameworks such as ACPO, SWGDE, or equivalent.
β’ Hands-on proficiency with EDR platforms β particularly CrowdStrike Falcon β for behavioral analysis, process telemetry, and forensic artifact review.
β’ Strong working knowledge of Microsoft 365 forensics: Exchange Online mail flow and Recoverable Items, Azure AD sign-in and audit logs, Purview Compliance, and MDE.
β’ Solid understanding of endpoint forensics across Windows and macOS: file system artifacts, registry analysis, prefetch/MRU data, browser forensics, and OS-level event logs.
β’ Working knowledge of cloud and SaaS forensic investigation: OAuth and SAML authentication flows, conditional access logs, cloud storage access patterns, and admin audit trails.
β’ Familiarity with network-layer investigation fundamentals: DNS, proxy, VPN, and firewall log analysis sufficient to reconstruct data movement and access patterns.
β’ Proficiency in Google SecOps/Chronicle (YARA-L) for investigation and threat hunting.
β’ Experience using device management platforms (JAMF, Intune, SCCM) for custodian device attribution and asset profiling in the context of investigations.
β’ Proven ability to produce legally defensible, executive-quality investigation reports with precise evidentiary grounding.
β’ Experience supporting eDiscovery processes, including ESI collection, legal hold execution, and custodian data scoping.
AI Capability Building β Required
β’ This team actively develops AI-augmented investigative workflows. The ability to build with AI tools is a core requirement, not a nice-to-have.
β’ Demonstrated hands-on experience using large language model (LLM) platforms β such as Anthropic Claude or Microsoft Copilot β to augment investigative, analytical, or reporting workflows.
β’ Ability to design and implement structured prompting frameworks, analysis pipelines, or automation logic that apply AI to forensic use cases such as timeline synthesis, log triage, anomaly narration, or report generation.
β’ Comfort evaluating AI-generated output critically β understanding where LLM reasoning aids investigation and where human judgment must govern evidentiary conclusions.
β’ Experience or strong aptitude for building lightweight investigative tooling using Python, PowerShell, or similar, with AI as a reasoning or enrichment layer.
Preferred Qualifications
β’ Experience working within or directly supporting corporate Legal, HR, or Ethics functions on sensitive employment or litigation matters.
β’ Solid grounding in incident response methodology β including initial triage, scoping, containment sequencing, and post-incident analysis β with experience leading or co-leading high-impact security incidents.
β’ Proficiency in Google SecOps/Chronicle and Splunk (SPL).
β’ Familiarity with Zscaler proxy log analysis and cloud access security broker (CASB) telemetry.
β’ Prior experience testifying or providing declarations in legal, arbitration, or regulatory proceedings.
β’ Relevant certifications: GCFE, GCFA, EnCE, CFCE, CISSP, or equivalent.
What You Need to Succeed
β’ Beyond technical skill, this role demands a specific kind of professional character. You will routinely handle information that is legally privileged, deeply sensitive, and consequential for the individuals and the company involved.
β’ Absolute discretion and professional confidentiality β without exception.
β’ The ability to operate independently with minimal oversight, making sound judgments under ambiguity.
β’ Strong analytical and critical thinking skills; comfort working with incomplete or conflicting data.
β’ Clear, precise written and verbal communication β you know how to write for a legal audience without over-qualifying.
β’ A bias toward evidence: you document what the data shows, and you resist pressure to overreach beyond what the evidence supports.
β’ Comfort engaging with executives, legal counsel, HR leadership, and external parties in a professional, measured manner.
β’ A collaborative mindset β this team is small, trusted, and operates as a unit.
What Makes This Role Unique
β’ This is not a typical SOC or DFIR role. You will be embedded in one of the most consequential investigative functionsβ one that operates with the full trust and authority of Legal, HR, and the executive team. Your work will directly influence employment decisions, litigation strategy, and enterprise security posture.
β’ You will have access to the full breadth of the enterprise forensic environment and the latitude to build, improve, and innovate within it. AI integration and forensic tooling development are active areas of investment for this team, and you will have a meaningful role in shaping how those capabilities evolve.
Confidentiality Notice
β’ This job requisition contains sensitive information about team structure, tooling, and investigative scope. It is intended for internal HR and recruiting use only and should not be distributed externally without review and approval from the hiring manager.
Compensation
β’ Compensation: Competitive W2 (Non-Exempt) hourly compensation based on experience, technical expertise, and overall qualifications. Please discuss your target rate with your recruiter during the screening process.
Senior Analyst, Investigations and Forensics
Overview
β’ Investigations & Forensics | Security, Legal & Ethics Support
β’ Reports to the Manager, Investigations & Forensics
β’ Department: Cybersecurity β Investigations & Forensics
β’ Level: Individual Contributor (Senior)
β’ Employment Type: Contract-to-Hire (Full-Time)
β’ Location: Remote β United States (EST availability required)
β’ Travel: Minimal; core working hours overlap with EST timezone; occasional domestic travel for incident response and evidence collection as required
About the Team
β’ The Investigations & Forensics team is our specialized internal investigative function, operating at the intersection of cybersecurity, employment law, ethics, and regulatory compliance. The team serves as the primary technical investigative arm supporting Human Resources, Legal, and the Ethics & Compliance function, and acts as the Advanced Forensic Tier for the Security Incident Response Team (SIRT).
β’ The work handled by this team is among the most sensitive and consequential at the company. Matters can involve personnel at any level of the organization, active legal proceedings, and regulatory inquiries β all carrying significant employment, financial, and reputational risk. All work product is created under legal privilege and subject to strict confidentiality protocols.
Role Overview
β’ We are seeking a Senior Analyst, Investigations and Forensics on a contract-to-hire basis who will serve as the teamβs deep technical specialist for endpoint, cloud, and identity forensics. This individual will independently lead and execute complex investigations across insider threat, employee misconduct, IP theft, fraud, ethics breaches, and security incidents, producing legally defensible findings that can support HR actions, litigation, regulatory response, and executive decision-making. Success in this role can lead to a permanent full-time position within the team.
β’ This is not a purely reactive role. The successful candidate will contribute to proactive detection capability development, forensic tooling, and the integration of AI into investigative workflows. They will be expected to exercise strong independent judgment, communicate with precision, and maintain the highest standards of evidentiary integrity.
What You Will Do
Forensic Investigations
β’ Lead and execute end-to-end digital forensic investigations across endpoint, cloud, email, identity, and SaaS environments.
β’ Conduct deep-dive analysis for insider threat, data exfiltration, IP theft, fraud, employee misconduct, and ethics matter investigations.
β’ Support SIRT as the Advanced Forensic Tier on high-severity security incidents β establishing attribution, root cause, and precise forensic timelines.
β’ Perform forensic imaging and acquisition of endpoints and storage media in accordance with established forensic standards and chain of custody protocols, ensuring evidence integrity from collection through analysis.
β’ Conduct structured forensic analysis using industry-standard platforms including Magnet AXIOM Cyber, Cellebrite Endpoint Collector, Cellebrite Endpoint Investigator, and Sumuri Recon.
β’ Collect, preserve, and analyze digital evidence in a forensically sound manner, maintaining chain of custody and evidentiary integrity throughout.
β’ Produce executive-quality investigation reports suitable for HR proceedings, legal review, litigation support, and regulatory disclosure.
eDiscovery & Legal Support
β’ Execute eDiscovery collections from Exchange/O365, cloud platforms, and endpoints in response to legal holds and regulatory requests.
β’ Work closely with Legal to scope, collect, and produce electronically stored information (ESI) with defensible methodology.
β’ Apply custodian-level data scoping, deduplication, and privilege filtering aligned with counselβs requirements.
Technical Analysis & Tooling
β’ Perform advanced log analysis in Google SecOps/Chronicle (YARA-L) and Splunk (SPL).
β’ Extract and correlate forensic artifacts from CrowdStrike Falcon EDR telemetry across endpoint and cloud workloads.
β’ Query device management platforms (JAMF, Intune, SCCM) to build custodian device profiles and establish asset attribution in support of investigations.
β’ Analyze authentication and access events across identity platforms including Azure AD, Okta, and Zscaler.
β’ Contribute to the development and refinement of internal forensic tooling, detection playbooks, and investigative frameworks.
AI-Augmented Investigation Capability
β’ Design and build AI-assisted investigative workflows using platforms such as Anthropic Claude, Microsoft Copilot, and related enterprise AI tools.
β’ Develop prompt engineering frameworks, structured analysis pipelines, and automation logic that apply large language models to forensic triage, timeline reconstruction, and report drafting.
β’ Evaluate emerging AI capabilities for investigative applicability and lead proof-of-concept development within the teamβs forensic environment.
β’ Document and operationalize AI-augmented workflows so that investigative capability is repeatable, auditable, and defensible.
Stakeholder Engagement
β’ Partner with HR, Legal, and Ethics teams as a trusted technical advisor, translating complex forensic findings into clear, actionable conclusions.
β’ Maintain strict confidentiality and exercise mature judgment when handling matters involving current and former employees at all organizational levels.
β’ Provide testimony or declarations in support of legal proceedings where required.
Required Experience
β’ 7+ years of progressive experience in digital forensics, cybersecurity investigations, or a closely related discipline.
β’ Demonstrated expertise conducting insider threat, data exfiltration, and employee misconduct investigations in enterprise environments.
β’ Proficiency with enterprise forensic platforms: Magnet AXIOM Cyber, Cellebrite Endpoint Collector and Endpoint Investigator, and Sumuri Recon or comparable tooling.
β’ Strong working knowledge of forensic imaging standards and acquisition methodologies β including write-blocking, hash verification, and documented chain of custody β consistent with industry frameworks such as ACPO, SWGDE, or equivalent.
β’ Hands-on proficiency with EDR platforms β particularly CrowdStrike Falcon β for behavioral analysis, process telemetry, and forensic artifact review.
β’ Strong working knowledge of Microsoft 365 forensics: Exchange Online mail flow and Recoverable Items, Azure AD sign-in and audit logs, Purview Compliance, and MDE.
β’ Solid understanding of endpoint forensics across Windows and macOS: file system artifacts, registry analysis, prefetch/MRU data, browser forensics, and OS-level event logs.
β’ Working knowledge of cloud and SaaS forensic investigation: OAuth and SAML authentication flows, conditional access logs, cloud storage access patterns, and admin audit trails.
β’ Familiarity with network-layer investigation fundamentals: DNS, proxy, VPN, and firewall log analysis sufficient to reconstruct data movement and access patterns.
β’ Proficiency in Google SecOps/Chronicle (YARA-L) for investigation and threat hunting.
β’ Experience using device management platforms (JAMF, Intune, SCCM) for custodian device attribution and asset profiling in the context of investigations.
β’ Proven ability to produce legally defensible, executive-quality investigation reports with precise evidentiary grounding.
β’ Experience supporting eDiscovery processes, including ESI collection, legal hold execution, and custodian data scoping.
AI Capability Building β Required
β’ This team actively develops AI-augmented investigative workflows. The ability to build with AI tools is a core requirement, not a nice-to-have.
β’ Demonstrated hands-on experience using large language model (LLM) platforms β such as Anthropic Claude or Microsoft Copilot β to augment investigative, analytical, or reporting workflows.
β’ Ability to design and implement structured prompting frameworks, analysis pipelines, or automation logic that apply AI to forensic use cases such as timeline synthesis, log triage, anomaly narration, or report generation.
β’ Comfort evaluating AI-generated output critically β understanding where LLM reasoning aids investigation and where human judgment must govern evidentiary conclusions.
β’ Experience or strong aptitude for building lightweight investigative tooling using Python, PowerShell, or similar, with AI as a reasoning or enrichment layer.
Preferred Qualifications
β’ Experience working within or directly supporting corporate Legal, HR, or Ethics functions on sensitive employment or litigation matters.
β’ Solid grounding in incident response methodology β including initial triage, scoping, containment sequencing, and post-incident analysis β with experience leading or co-leading high-impact security incidents.
β’ Proficiency in Google SecOps/Chronicle and Splunk (SPL).
β’ Familiarity with Zscaler proxy log analysis and cloud access security broker (CASB) telemetry.
β’ Prior experience testifying or providing declarations in legal, arbitration, or regulatory proceedings.
β’ Relevant certifications: GCFE, GCFA, EnCE, CFCE, CISSP, or equivalent.
What You Need to Succeed
β’ Beyond technical skill, this role demands a specific kind of professional character. You will routinely handle information that is legally privileged, deeply sensitive, and consequential for the individuals and the company involved.
β’ Absolute discretion and professional confidentiality β without exception.
β’ The ability to operate independently with minimal oversight, making sound judgments under ambiguity.
β’ Strong analytical and critical thinking skills; comfort working with incomplete or conflicting data.
β’ Clear, precise written and verbal communication β you know how to write for a legal audience without over-qualifying.
β’ A bias toward evidence: you document what the data shows, and you resist pressure to overreach beyond what the evidence supports.
β’ Comfort engaging with executives, legal counsel, HR leadership, and external parties in a professional, measured manner.
β’ A collaborative mindset β this team is small, trusted, and operates as a unit.
What Makes This Role Unique
β’ This is not a typical SOC or DFIR role. You will be embedded in one of the most consequential investigative functionsβ one that operates with the full trust and authority of Legal, HR, and the executive team. Your work will directly influence employment decisions, litigation strategy, and enterprise security posture.
β’ You will have access to the full breadth of the enterprise forensic environment and the latitude to build, improve, and innovate within it. AI integration and forensic tooling development are active areas of investment for this team, and you will have a meaningful role in shaping how those capabilities evolve.
Confidentiality Notice
β’ This job requisition contains sensitive information about team structure, tooling, and investigative scope. It is intended for internal HR and recruiting use only and should not be distributed externally without review and approval from the hiring manager.
Compensation
β’ Compensation: Competitive W2 (Non-Exempt) hourly compensation based on experience, technical expertise, and overall qualifications. Please discuss your target rate with your recruiter during the screening process.






