10 Things to Know About IR Careers With Unit 42

With the caveat that it is still incident response (IR) so it's not a perfect 9 to 5 schedule, it is the best balance I have ever found. I have had several situations over the years where life impacted work and Unit 42 leadership’s answer has always been incredibly supportive.

Unit 42 leadership has invested millions of dollars on infrastructure at-scale so we are able to do the vast majority of engagements fully remote. There are opportunities for regional and global travel in support of critical needs, our clients, for conferences, etc. .

This is the primary difference between Palo Alto Networks Unit 42 and everywhere else I have worked in the last 30 years. We are very selective in hiring because we would rather have “no hire” than a wrong hire. I’ve noticed recruiters and hiring managers make a significant effort to ensure new hires are not just highly skilled but also a person who acts in accordance with our values. It seems obvious, right?  Every employer wants a candidate that is a “good fit.” But at Unit 42, everyone here was selected because they were equal parts skilled as well as exemplifying our values. That has created the most amazing, collaboration-focused, non-information-hoarding, "free to ping me whenever you need help on something," friendly group of people I have ever seen in one place. We have consultants that have literally written books on digital forensics; we have SANS instructors employed here. We have some of the biggest names in DFIR and many more that started here as interns. And everyone is supportive of each other because incident response is a team sport.

Every single Unit 42 consultant is highly skilled at Incident Response (IR). Any forensic workstream can be handed to almost any consultant and they will either know how to do it or will be honest and say they do not. If it is the latter, no problem; none of us know everything. And that's why having such a collaborative team has been incredible. I have learned more from my peers here than anywhere I have ever been.

Want to become an expert in a particular tool or technology? Do you want to learn Linux forensics? Cloud? Memory analysis? Python for IR? We have some of the best digital forensics and incident response (DFIR) folks in the world. Many of them love to teach others and if you have something you've always wanted to learn, it is highly likely you will find senior people that would love to mentor you.

Speaking of teaching, plenty of workplaces say they offer expensive training courses, like SANS. Then when you ask for one, they either don't have the budget, or you must fight your own colleagues to get a course you need for your continuing success. Here, continuing education is a priority, with access to continuing education as a foundational element of our success as the global IR leader.

One of the worst parts of a job search is being unsure of whether to even apply for a position because you have no idea if the compensation will be absurdly low. All I can say is apply, because Unit 42’s offer will not waste your time. Palo Alto Networks is a fair pay company. We are transparent in our listings and have been recognized for industry-leading compensation.

You may read all this and say to yourself, "he has to say these things about the managers because the managers will read it, too." In my experience, the Unit 42 leadership always listens. How much would you like to be in a workplace where the leaders think YOU are the person that is most capable of telling them what is working well and what needs to be fixed? I have brought MANY complaints, requests, suggestions and general comments to them (probably too many...). Their response every time has been to listen, discuss and figure out how to solve it. It is simply incredible to see a leadership team that not only listens but wants the consultants to tell them what are the highest priority issues that deserve their attention. In fact, if you don't tell them, they will start sending anonymous surveys to find out what you think. 

Another important point is the value placed on integrity. It is a core value of Palo Alto Networks and it is not just a word. Personally, I believe you cannot know where a company places its true value until something bad happens. I have seen the Unit 42 leadership respond to many difficult situations and the response is amazing. Unit 42 leadership always seems to choose the “hard right” over the “easy wrong.” That is real integrity.

9. Principal consultants have autonomy at Unit 42

Principal consultants are the tactical leaders of Unit 42. When a prospective client reaches out to us, there are several steps and a lot of people coordinating in the background. Once those steps are complete, a principal consultant is typically the one that leads the full lifecycle of an incident response engagement. A principal will usually perform the initial engagement scoping with a client, kickoff and provision all the needed technology, request personnel that can support the particulars of that engagement, handle client meetings, lead the numerous technical workstreams, and provide updates to the client until case closure. Some principal consultants additionally choose to take on a technical workstream themselves and others prefer to mentor the case team and have them handle all technical work; both choices are completely acceptable. Principal consultants can also choose to support recruiting, blog posts, technical research, tool development, environmental hardening, or many other critical functions, but our clients’ cases are the priority focus. While we may have one large case or several smaller cases simultaneously, a great part of working at Unit 42 is that our leaders pride themselves on an empowering workplace and expect the consultants to manage the size of their own workloads. Practically speaking, on a day-to-day basis, principal consultants are mostly their own bosses here.

10. Here’s what’s important to Unit 42

Ready to apply? Take a look at what we’re going to be looking for:

• General DFIR skills 
• Experience with complex incident responses
• Having soft skills
• Exemplifying our values: collaboration, disruption, execution, inclusion and integrity 
• A desire to mentor and support your less experienced colleagues
• A unique skill that we need
• A focus on continuing education in the newest sub-fields of DFIR