
Principal Incident Responder (DFIR)

Job Reference tesco/TP/11428279/753035

Location: Welwyn Garden City
Contract Type: Full time - permanent
Business Unit: GB Head Office

What’s in it for you

We offer excellent benefits that help make Tesco a great place to work! These include but are not limited to:

  • Annual bonus scheme of up to 45% of base salary
  • Car allowance of £7320 per annum
  • Holiday starting at 25 days plus a personal day (and bank holidays)
  • Private medical insurance offered through Bupa
  • Retirement savings plan – save between 4% and 7.5% and Tesco will match your contribution
  • Life Assurance at 5x contractual pay
  • Buy as you earn and Save as you earn share schemes

About the role

We are seeking a Principal Incident Responder to join the Tesco cyber security team in the UK. Our ideal candidate will have a working knowledge of leading incident response at scale, along with experience of intrusion analysis, digital forensics, threat hunting, and an understanding of retail, e-commerce, payment, and fulfilment systems.  This role will suit someone best with a strong analytical mindset, who enjoys problem solving, and whose approach is to ‘leave no stone unturned’.

We value a fast and agile response for intrusion investigation over lengthy forensic processes (although on occasions these may be required), and therefore being a quick thinker, and able to work independently and as part of a large security team, will be essential. We also value the approach and methodology to incident response over specific security tools, scripting, or query languages.

Tesco has fully embraced devops and agile methods to develop our enterprise APIs, services, and cloud capabilities. Our 100+ delivery teams have loads of Docker, Kubernetes and microservices across Azure and AWS, and so our approach to incident response needs to work across a complex and changing Technology landscape.

You will be responsible for

  • The technical lead for cyber security incident response across the Tesco Group
  • Technical lead also on threat hunts and response for proactive exercises, including but not limited to purple team and red team exercises
  • Develop and provide training, guidance, and mentoring for more junior colleagues within DFIR and across the wider cyber security team (including those on our cyber security graduate scheme)
  • Produce intrusion reports and forensic reports, generate playbooks, and provide presentations for the wider team and management when required
  • Contribute to the design and development of our overall DFIR capability across the Tesco Group and Technology components (workstation, private cloud, public cloud, containers, etc)
  • Support external cyber security service providers when required (e.g., IR retainer services)

You will need

  • 8+ years of hands-on experience in cyber security in roles across digital forensics and incident response
  • Experience in various fields of forensics, covering host-based (disk and memory) and network forensics
  • Experienced with various incident response, forensic, and threat hunting methodologies and tooling
  • Working knowledge of both Windows and Linux operating systems
  • Ability to create scripts / small programs when required, using something like Python, PowerShell, Perl, or Bash
  • Ability to create detection rules and logic using something like KQL, SPL, YARA, Sigma, Suricata, Snort, etc.
  • Prepared to work non-standard hours when the needs of the business require, such as responding to an ongoing or suspected intrusion
  • Working knowledge of incident response in either AWS or Azure (if you have neither, it may not be a show-stopper depending on your other experience)
  • Experience being the technical lead during incident / intrusion response at scale
  • Ability to effectively influence security personnel and teams during incidents for the most effective response actions, and also influence for future change (such as improvements to security controls, security monitoring, and security processes)

About us

Our vision at Tesco is to become every customer’s favourite way to shop, whether they are at home or out on the move.  Our core purpose is “Serving our customers, communities and planet a little better every day”.  Serving means more than a transactional relationship with our customers.  It means acting as a responsible and sustainable business for all stakeholders, for the communities we are part of, and for the planet.

We are proud to have an inclusive culture at Tesco where everyone truly feels able to be themselves.  At Tesco, we not only celebrate diversity, but recognise the value and opportunity it brings.  We’re committed to creating a workplace where differences are valued, and make sure that all colleagues are given the same opportunities.  We’re a big business with diverse working patterns and many business areas which means that we can find something that works for you.  Everyone is welcome at Tesco.

We have recently announced that we are moving to a more blended working week – combining office and remote working.  Our offices continue to be where we connect, collaborate and innovate.  Talk to us about how this can work for you.

Note: Should you be successful in your application, your employment will be subject to and conditional upon you providing your bank account details on your agreed start date.