@sroberts advanced persistent incident responder


I am an Incident Responder with GitHub specializing in Incident Response, Intrusion Detection, and Cyber Threat Intelligence operations. I’m also one of the authors of O’Reilly’s Intelligence Driven Incident Response and instructor for SANS Forensics 578 Cyber Threat Intelligence course.

Want to know more? Lets have a conversation: s…@gmail.com

@sroberts sroberts scottroberts

Work Experience

GitHub: Manager of Security Incident Response Team

November 2012 to Current

  • Principle DFIR investigator for GitHub, the worlds repository for open & closed source software.
  • Hired & led Security Incident Response Team conducting all Incident Response & Handling, Malware Analysis, & Threat Intelligence.
  • Developed comprehensive incident response, intrusion detection, & threat intelligence capabilities.
  • Spoke at technical conferences on topics including combining devops concepts with dfir tasks and tools.

SANS: Instructor for Forensics 578

January 2017 to Current

Vigilant (Acquired by Deloitte): Senior Intelligence Specialist

February 2012 to October 2012

  • Served as a Senior Intelligence Specialist, bridging the gap between threat intelligence research & boots on the ground incident response consulting.
  • Helped guide research & development priorities for the Vigilant Intelligence team.
  • Developed passive network monitoring system for detecting APT & criminal threats inside a major telecommunications provider.
  • Developed & presented education & marketing collateral for client consumption.

ManTech Intl: SOC Technical Lead & Focused Operations Team Deputy

April 2010 to December 2011

  • Established operational priorities and procedures including technology selection, hiring, documentation, as well as acting as a subject matter expert on network monitoring.
  • Conducted investigations and incident responses as a member of the Focused Operations Investigation team.
  • Developed IDS and SIEM content for Focused Operations team to identify, track, and remediate advanced targeted attacks against the enterprise.
  • Developed Tier 1 & 2: Intrusion Analyst course along side OJT and brown bag sessions.

Mandiant (Acquired by FireEye): Security Consultant

June 2008 to April 2010

  • Acted as a subject matter expert advising federal clients on network security monitoring and security operations.
  • Developed a threat intelligence capability inside a major federal agency. Liaised with other federal agencies as well as providing regular products to the IC.
  • Responded to large scale security incidents with federal and commercial clients.

Symantec Managed Security Services: Security Analyst & Global Threat Analyst

May 2006 to June 2008

  • Conducted intrusion analysis for 450+ customers from diverse industries, validating attacks and providing tactical and strategic recommendations to clients for incident remediation and proactively preventing future attacks.
  • Provided documentation, research, handling & response instructions, to internal Symantec & customers security teams.
  • Assisted in architecting redesign of the Security Operations Center Technology Platform, creating a new world class analysis console and back end.
  • Leading the effort to redevelop six week security analyst training curriculum to develop trainee analysts to deal with emerging threats.


SANS Cyber Threat Intelligence Summit Board Member

September 2016 to Current

The Cyber Threat Intelligence Summit & Training […] aims to provide specific analysis techniques and capabilities that can be utilized to properly create and maintain Cyber Threat Intelligence in your organization.

  • Collaborated on creating the Summit theme, Call for Papers, keynote speaker selection, scored CFPs, and selected program.
  • Mentored experienced and new presenters on content, presentation design, and speaking technique.
  • Managed mentee logistics and introductions at the Summit.
  • Participated in the Board “The Spy Who Came in from the Cold” evening discussion session.

SANS Digital Forensics & Incident Response Summit Board Member

January 2017 to Current

The SANS Annual DFIR Summit is the only event of its kind that gathers the most influential group of experts, the highest quality of training & the greatest opportunities to network with others in the field of Digital Forensics & Incident Response, all in one place!

NYU Poly CSAW Advisory Board Member

December 2014 to Current

The largest student-run cyber security event in the nation, with a research conference that attracts some of the biggest names in the industry, and a career fair with an impressive list of corporate partners.

  • Participated in 2013 & 2014 events on behalf of GitHub taking part in research paper competition, CTF, & THREADS technical conference.
  • Helped improve conference structure to increase value for both students and involved corporations.



Author of O’Reilly’s Intelligence Driven Incident Response with Rebekah Brown. Here’s a summary:

Threat intelligence—understanding the who, why, and how of attacks—is most valuable when applied directly to an organization’s incident response capability for hunting and investigation. Threat intelligence has become more common and important in recent years. However, many professionals want a better understanding of how to apply this intelligence within their operations and organizations. This book explains the fundamentals of intelligence analysis and the best ways to apply it to your incident response function.

I also write on my site extensively on the topics of information security and development. Specifically I focus on Incident Response, Threat Intelligence, and Security Operations as well as Python & Go.


I’ve been lucky enough to speak at industry conferences and company events. A list of my speaking engagements, including slides and some videos, is in the Talks section of my site.



Penn State University: BS Information Science & Technology

January 2004 to May 2006

IST with a Design and Development focus. Conducted research & development for the Penn State NSA Center for Information Assurance Excellence developing course material for teaching information security.

Academic Publications