Insider Threat & Cyber Investigations Lead

The Insider Threat & Cyber Investigations Lead is responsible for conducting high-risk, complex insider threat investigations involving cybersecurity, financial misconduct, intellectual property theft, unauthorized modifications, engineering production abuse, and data exfiltration. This role focuses on investigating identified threats produced by the Information Security Engineering team or from other internal reporting.

The investigator will conduct technical investigations, guide OSINT research, perform subject interviews, evidence collection, data deletion, and asset retrieval, while ensuring adherence to employment law, corporate policies, and regulatory requirements. This role requires deep technical expertise in digital forensics, cloud security, log analysis, and enterprise forensic tools while maintaining strong legal acumen to manage sensitive cases involving corporate risk, HR, and compliance considerations.

A Typical Day:1. Technical Investigations

• Investigate identified insider threat cases escalated from the Information Security Engineering team, including:
• Financial misconduct
• Engineering production abuse (e.g., code manipulation, unauthorized system modifications, data sabotage)
• Intellectual property theft & unauthorized data exfiltration
• Legal escalations involving executive personnel
• Conduct structured investigative interviews with subjects and relevant stakeholders to validate findings and gather additional intelligence.
• Collaborate/coordinate with engineering teams for the forensic collection of digital evidence from endpoints (Windows, macOS, Chrome OS), cloud storage, and mobile devices (iOS, Android).
• Perform custom high-severity data deletions and secure asset retrieval in compliance with legal, regulatory, and corporate policies.

2. Digital Forensics & Technical Analysis

• Perform log analysis and coordinate/perform event queries across enterprise systems, including:
• Windows Event Viewer, MacOS Console, Chrome OS logs
• Cloud platform logs (AWS, Azure, GCP)
• Enterprise applications and security logs
• Analyze structured and unstructured data to correlate insider threat behaviors and support investigation findings.
• Utilize and collaborate with Information Security on queries (SQL, Security logs) to extract forensic evidence from company databases, endpoints, and cloud storage systems.
• Maintain a deep understanding of technical evidence, forensic artifacts, and the digital environments in which insider threat activities occur.

3. Legal Acumen, Compliance, and Executive Reporting

• Ensure investigations adhere to employment law, corporate policies, data privacy regulations, and commercial legal frameworks.
• Collaborate with Legal, HR, Privacy, and Compliance teams to assess corporate risk, legal exposure, and remediation strategies.
• Provide clear, structured briefings on high-profile cases to executive leadership and cross-functional security teams.
• Lead post-mortem reviews to refine investigative methodologies and implement lessons learned.

Your Expertise:

• 10-12 years of experience in insider threat investigations, security, digital forensics, or related industries.
• Proven experience conducting high-risk, legally sensitive investigations involving corporate executives and critical business functions.
• Strong expertise in Windows, MacOS, and Chrome OS forensic tools.
• Experience in SQL-based forensic data correlation and behavioral anomaly analysis.
• Strong employment legal and commercial legal acumen, with experience handling workplace investigations and regulatory compliance.

Technical Proficiency:

• Expertise in digital forensic tools.
• Advanced knowledge of Windows Event Viewer, MacOS Console, Chrome OS system logs for forensic evidence retrieval.
• Strong expertise and skills in investigating cloud environments and Kubernetes.
• Experience with high-severity data deletion and asset retrieval in corporate environments.
• Ability to conduct investigative interviews and communicate findings clearly and effectively to legal, HR, and security teams.

Preferred Certifications:

• Sans GIAC, GCFA, or GCFE (Advanced Digital Forensics)
• CISSP
• AWS/Google/Azure Security certificaitions
• CompTIA Cloud+Kubernetes Security or Fundamentals

Location: Remote- USA

This position is US - Remote Eligible. The role may include occasional work at an Airbnb office or attendance at offsites, as agreed to with your manager. While the position is Remote Eligible, you must live in a state where Airbnb, Inc. has a registered entity. Click here for the up-to-date list of excluded states. This list is continuously evolving, so please check back with us if the state you live in is on the exclusion list . If your position is employed by another Airbnb entity, your recruiter will inform you what states you are eligible to work from.

Our Commitment To Inclusion & Belonging:

Airbnb is committed to working with the broadest talent pool possible. We believe diverse ideas foster innovation and engagement, and allow us to attract creatively-led people, and to develop the best products, services and solutions. All qualified individuals are encouraged to apply.

We strive to also provide a disability inclusive application and interview process. If you are a candidate with a disability and require reasonable accommodation in order to submit an application, please contact us at: [email protected]. Please include your full name, the role you’re applying for and the accommodation necessary to assist you with the recruiting process. 

We ask that you only reach out to us if you are a candidate whose disability prevents you from being able to complete our online application.