OT Incident Response
Role: OT Incident Response
Location: Riyadh, Saudi Arabia
Role Summary
The OT SOC L3 Analyst is the senior technical authority within the OT SOC, responsible for advanced threat hunting, OT aware digital forensics and incident response (DFIR), detection engineering, and mentoring of L1/L2 analysts. The role leads the response to complex and high-severity OT incidents, develops the SOC's OT detection capability, and serves as the escalation point and subject matter expert for industrial threat scenarios. The analyst translates OT threat intelligence into actionable detections and drives continuous improvement of the SOC's OT defenses.
Responsibilities
- Lead investigation and response for complex, high severity and suspected targeted attacks against OT/ICS environments.
- Perform proactive, hypothesis-driven threat hunting across OT networks and assets; design and run hunt campaigns.
- Conduct OT aware DFIR forensic acquisition and analysis of ICS hosts, engineering workstations, HMIs, controllers and network captures using methods that preserve process safety and evidence integrity.
- Design, build and tune detection content and correlation rules; own the detection engineering lifecycle for the OT SOC.
- Operationalize OT threat intelligence (e.g., threat groups such as ELECTRUM/Sandworm and XENOTIME; malware such as TRITON/TRISIS, Industroyer and PIPEDREAM) and map it to detections via MITRE ATT&CK for ICS.
- Define, document and continuously improve OT incident-response playbooks and runbooks.
- Serve as senior escalation point and mentor for L1/L2 analysts; provide technical coaching and quality review of investigations.
- Lead and support OT tabletop exercises and purple team / adversary-emulation activities.
- Advise on OT network architecture, segmentation and monitoring placement to close detection gaps.
- Produce executive and technical incident reports; brief stakeholders on root cause, impact and remediation.
- Support compliance, audit and regulatory reporting aligned to NCA OTCC-1:2022, ECC and ISA/IEC 62443, including incident-notification expectations to the NCA.
Qualifications
- Bachelor's degree in Cybersecurity, Computer/Electrical/Instrumentation Engineering or a related field (Master's a plus).
- 6–10+ years of cybersecurity experience, with a minimum of 4 years in OT/ICS security operations, DFIR or threat hunting.
- Deep expertise in OT protocols and ICS architectures (DCS, SCADA, PLC, SIS) and the Purdue model.
- Proven experience leading OT/ICS incident response and forensic investigations.
- Strong command of OT monitoring platforms (Nozomi, Claroty, Dragos, Tenable OT, Defender for IoT) and SIEM detection engineering (Splunk, QRadar, Sentinel).
- Advanced working knowledge of MITRE ATT&CK for ICS, NIST SP 800-82, ISA/IEC 62443 and NCA OTCC.
Preferred Certifications
GRID, GCIP, GICSP, GCFA or GREM (GIAC) strongly preferred • Vendor expert-level certifications (Dragos, Claroty, Nozomi).
Skills & Attributes
- Expert analytical, forensic and reverse-engineering / malware-analysis aptitude in an OT context.
- Strong leadership, mentoring and stakeholder-management skills.
- Sound judgment in balancing cybersecurity response against process safety and operational availability.
- Excellent written and verbal communication in English; Arabic strongly preferred for regulator and executive engagement.
- Available for on-call escalation and incident leadership outside normal hours.
Riyadh
Requesting an Accommodation
Accenture is committed to providing equal employment opportunities for persons with disabilities or religious observances, including reasonable accommodation when needed. If you are hired by Accenture and require accommodation to perform the essential functions of your role, you will be asked to participate in our reasonable accommodation process. Accommodations made to facilitate the recruiting process are not a guarantee of future or continued accommodations once hired.
If you would like to be considered for employment opportunities with Accenture and have accommodation needs such as for a disability or religious observance, please call us toll free at 1 (877) 889-9009 or send us an email or speak with your recruiter.
Equal Employment Opportunity Statement
We believe that no one should be discriminated against because of their differences. All employment decisions shall be made without regard to age, race, creed, color, religion, sex, national origin, ancestry, disability status, veteran status, sexual orientation, gender identity or expression, genetic information, marital status, citizenship status or any other basis as protected by federal, state, or local law. Our rich diversity makes us more innovative, more competitive, and more creative, which helps us better serve our clients and our communities.
For details, view a copy of the Accenture Equal Opportunity Statement
Accenture is an EEO and Affirmative Action Employer of Veterans/Individuals with Disabilities.
Accenture is committed to providing veteran employment opportunities to our service men and women.
Other Employment Statements
Applicants for employment in the US must have work authorization that does not now or in the future require sponsorship of a visa for employment authorization in the United States.
Candidates who are currently employed by a client of Accenture or an affiliated Accenture business may not be eligible for consideration.
Job candidates will not be obligated to disclose sealed or expunged records of conviction or arrest as part of the hiring process. Further, at Accenture a criminal conviction history is not an absolute bar to employment.
The Company will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. Additionally, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the Company's legal duty to furnish information.
California requires additional notifications for applicants and employees. If you are a California resident, live in or plan to work from Los Angeles County upon being hired for this position, please click here for additional important information.
Please read Accenture’s Recruiting and Hiring Statement for more information on how we process your data during the Recruiting and Hiring process.
We work with one shared purpose: to deliver on the promise of technology and human ingenuity. Every day, more than 775,000 of us help our stakeholders continuously reinvent. Together, we drive positive change and deliver value to our clients, partners, shareholders, communities, and each other.
We believe that delivering value requires innovation, and innovation thrives in an inclusive and diverse environment. We actively foster a workplace free from bias, where everyone feels a sense of belonging and is respected and empowered to do their best work.
At Accenture, we see well-being holistically, supporting our people’s physical, mental, and financial health. We also provide opportunities to keep skills relevant through certifications, learning, and diverse work experiences. We’re proud to be consistently recognized as one of the World’s Best Workplaces™.
Join Accenture to work at the heart of change. Visit us at www.accenture.com.