Role Summary

The Recovery and Restoration Engineer is a critical member of the Incident Management & Recovery team, responsible for rebuilding and securing infrastructure environments following ransomware or other destructive cyber incidents. This role combines strong on-premises infrastructure expertise (Active Directory, VMware/Hyper-V, storage, backups, etc.) with solid Microsoft 365 and Azure tenant recovery experience. You will manage hands-on rebuild efforts across identity, compute, storage, and cloud layers, working directly with clients, the Guidepoint Security Incident Response team, and internal engineers to restore business operations quickly, securely, and safely. This position reports to senior engineers and serves as a technical lead for junior team members on recovery engagements.

Core Responsibilities

• Manage IT recovery projects involving on-premises endpoint and network infrastructure, Azure AD, and Microsoft 365
• Develop technical remediation and restoration plans tailored to the impact of a client's environment with oversight from senior engineers
• Implement network containment on common firewall platforms in preparation for recovery efforts
• Rebuild Active Directory domains, DNS/DHCP, and GPO structures to a clean baseline
• Restore and validate virtualized workloads (VMware, Hyper-V) and critical file/application servers
• Recover and secure Azure AD identities, Conditional Access, and synchronization with on-prem AD
• Rebuild Exchange Online, SharePoint, OneDrive, and Teams configurations
• Validate and restore data from backups (Veeam, Rubrik, Datto, etc.) ensuring integrity and cleanliness
• Utilize common remote management tools to assist impacted clients remotely
• Apply industry standard Microsoft hardening guidelines throughout recovery processes
• Implement common compliance controls, such as MFA, Defender for Office 365, and Purview
• Develop automation scripts (PowerShell/Python) for recurring recovery workflows
• Document rebuilt configurations and provide client recommendations for hardening and post-incident validation
• Mentor and provide technical guidance to junior engineers during recovery engagements
• Participate in after-hours response rotations
• Travel to client sites as required to perform critical recovery activities and on-site validation (up to 50%)

Required Competencies

Technical Expertise

• Strong knowledge of Windows Server, Active Directory, Azure AD, and Microsoft 365 administration
• Solid experience with VMware or Hyper-V virtualization platforms
• Proficiency in PowerShell scripting (experience with AzureAD, ExchangeOnline, Graph API modules preferred)
• Working knowledge of backup restoration workflows and immutable storage systems
• Strong understanding of identity security, Conditional Access, Defender for Cloud Apps, and Exchange Online Protection
• Experience with common firewall platforms and network segmentation concepts

Recovery & Security Mindset

• Proven experience in recovery or rebuild scenarios post-incident (ransomware or other destructive attacks)
• Ability to identify common persistence mechanisms and rebuild clean environments under tight timelines
• Working knowledge of NIST CSF, CIS benchmarks, and insurance-driven recovery requirements
• Understanding of threat actor tactics and methods to ensure complete remediation

Collaboration & Leadership

• Strong communication and documentation skills across technical and non-technical stakeholders
• Proven ability to work alongside IR firms, legal counsel, and insurers during live recovery engagements
• Capable of guiding junior engineers and contributing to structured rebuild methodologies
• Ability to manage multiple priorities and coordinate with various teams during high-pressure situations

Professional Attributes

• Calm and decisive under pressure; able to prioritize critical-path recovery items
• Highly organized with a disciplined approach to communicating recovery milestones, task tracking, and reporting
• Willingness to travel up to 50% to client environments as needed for hands-on rebuilds and validation
• Self-motivated with strong problem-solving skills and attention to detail

Preferred Background

• 4–7 years of experience in infrastructure engineering roles, preferably within consulting, MSP, or IR/recovery efforts
• Microsoft certifications (e.g., AZ-104, MS-100, MS-500) or equivalent enterprise experience
• Experience with one or more EDR or security platforms (CrowdStrike, SentinelOne, Defender)
• Demonstrated scripting or automation experience, showing ability to accelerate recovery processes
• Previous experience in high-pressure IT environments or incident response scenarios