Phishing Incident Response Workflow Resume Project Example
A phishing incident response workflow that triages reported emails, enriches indicators automatically, and orchestrates containment to cut response time dramatically.
Free to start · No credit card required
ELENA ROSSI
Cybersecurity Analyst
Project
Phishing response
- Automated phishing email triage and IOC enrichment.
- Orchestrated containment with SOAR playbooks.
- Cut mean time to respond on phishing reports.
Why this project is valuable
Strong IR signal
An automated phishing workflow shows incident response and SOAR automation skills that SOCs rely on daily.
Good ATS coverage
The project naturally supports incident response, SOAR, phishing, IOC enrichment, and playbook automation keywords.
Clear operational value
Faster phishing response directly reduces risk and analyst toil, an outcome hiring managers grasp instantly.
Good interview depth
You can discuss triage logic, enrichment sources, containment actions, false-positive handling, and metrics like MTTR.
Project overview
A phishing incident response workflow is strong cybersecurity analyst resume material because it shows you can automate repetitive triage and containment, turning a high-volume nuisance into a fast, consistent process.
The workflow ingests user-reported emails, extracts and enriches indicators against threat intelligence, scores risk, and orchestrates containment steps like blocking senders and pulling messages from mailboxes.
On a resume, that gives you concrete ways to describe SOAR playbook design, IOC enrichment, automated containment, false-positive handling, and the measurable drop in mean time to respond.
Architecture overview
Project flow
Reported email intake
User-reported phishing emails enter the workflow from a reporting button or mailbox.
Indicator extraction
URLs, attachments, and sender details are parsed into indicators for analysis.
Threat intel enrichment
Indicators are enriched against threat intelligence and sandbox verdicts automatically.
Risk scoring
Enriched signals are scored to separate true phishing from benign reports.
Automated containment
SOAR playbooks block senders, purge messages, and notify affected users.
Response metrics
Dashboards track MTTR and volume to show process improvement.
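The intake, extraction, enrichment, scoring and gated-containment steps above, written out as an added Python example (not code from the page or from any SOAR product). The reported email and the intel/sandbox lookups are constructed inline so it runs offline; a real playbook would replace the INTEL dictionary with VirusTotal or feed queries.

```python
import re

# Constructed sample of a user-reported email (not from the page).
REPORTED_EMAIL = {
    "sender": "billing@secure-pay-update.example",
    "subject": "Action required: verify your account",
    "body": "Please confirm at http://secure-pay-update.example/login before noon.",
    "attachments": ["invoice.pdf.exe"],
}

# Constructed stand-in for threat-intel and sandbox verdicts.
INTEL = {
    "secure-pay-update.example": {"malicious_votes": 12},
    "invoice.pdf.exe": {"sandbox_verdict": "malicious"},
}

URL_RE = re.compile(r"https?://([\w.-]+)")

def extract_indicators(email):
    """Indicator extraction: URL hosts from the body plus the sender domain."""
    domains = set(URL_RE.findall(email["body"]))
    domains.add(email["sender"].split("@")[-1])
    return {"domains": domains, "attachments": set(email["attachments"])}

def score_risk(indicators):
    """Enrichment + scoring: 0-100, higher means more likely real phishing."""
    score = 0
    for d in indicators["domains"]:
        score += min(INTEL.get(d, {}).get("malicious_votes", 0), 10) * 5
    for a in indicators["attachments"]:
        if INTEL.get(a, {}).get("sandbox_verdict") == "malicious":
            score += 40
        elif a.lower().endswith((".exe", ".scr", ".js")):
            score += 20  # executable type, even without a sandbox verdict
    return min(score, 100)

def decide_action(score, approved=False):
    """Safety gate: auto-close benign, contain only high-confidence AND
    approved cases, and hand everything in between to an analyst."""
    if score < 20:
        return "auto_close"
    if score >= 80:
        return "contain" if approved else "await_approval"
    return "escalate_to_analyst"

def triage(email, approved=False):
    ind = extract_indicators(email)
    score = score_risk(ind)
    return {"score": score, "action": decide_action(score, approved), "indicators": ind}
```

Containment (sender block, mailbox purge) only fires on the "contain" outcome, so a low-confidence verdict can never trigger it on its own.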
What this project includes
- Reported-email intake and parsing
- Automated IOC enrichment
- Risk scoring for triage
- SOAR containment playbooks
- Response-time metrics tracking
Tech stack
This stack is practical for SOC hiring because it shows automation and orchestration skills, not just manual email review.
SOAR
Orchestrates triage, enrichment, and containment playbooks end to end.
VirusTotal
Provides reputation and sandbox enrichment for URLs and attachments.
Microsoft 365
Supplies mail data and supports purge and block containment actions.
Python
Implements custom enrichment and parsing logic in playbooks.
Threat Intel Feeds
Supply indicator reputation context for risk scoring.
Jira
Tracks incidents and documents response actions for auditability.
Features implemented
Automated enrichment
Indicators are enriched instantly instead of analysts checking sources manually.
Consistent triage
Risk scoring applies the same logic to every report, reducing inconsistency.
Orchestrated containment
Playbooks block senders and purge messages quickly across mailboxes.
False-positive handling
Benign reports are closed automatically so analysts focus on real threats.
MTTR reduction
Automation cuts mean time to respond on phishing reports.
Auditability
Documented actions support reporting and post-incident review.
Resume bullet examples
These bullets show how to present phishing response as IR automation rather than 'handled phishing emails.'
- Built a phishing incident response workflow with SOAR playbooks that automatically enriched indicators and scored risk on user-reported emails.
- Orchestrated containment actions like sender blocking and mailbox purges to reduce mean time to respond on phishing incidents.
- Automated false-positive closure so analysts focused on genuine threats instead of triaging every benign report.
- Tracked MTTR and report volume on dashboards to demonstrate measurable response-process improvement.
Skills demonstrated
This project demonstrates strong cybersecurity analyst skills for incident response, SOAR automation, enrichment, and containment.
Incident response
Automation
Threat intel
ATS keywords extracted from this project
Use keywords that reflect IR automation and orchestration, not only the word phishing.
Interview questions based on this project
Phishing response projects often lead to questions about triage logic, containment, and avoiding harmful automation.
How did you decide what to automate?
I automated repetitive enrichment and triage first, then added containment for high-confidence cases while keeping a human in the loop for ambiguous ones.
How did you avoid bad automated actions?
I gated containment behind risk thresholds and approvals so the playbook never purged or blocked on low-confidence verdicts.
How did you measure success?
I tracked mean time to respond and report volume, showing faster, more consistent handling after automation.
How would you improve it further?
I would add user-awareness feedback, clustering of related reports into single incidents, and richer sandbox detonation.
Common mistakes
Explain automation, enrichment, and containment so it sounds like IR engineering.
Discuss approval gates so automated containment sounds safe.
Include MTTR so the impact is concrete.
Mention benign-report handling so triage quality is clear.
FAQ
Is a phishing IR workflow a good cybersecurity analyst resume project?
Yes. It demonstrates incident response, SOAR automation, and enrichment that SOC and IR roles value highly.
Do I need a commercial SOAR?
Open-source SOAR or scripted playbooks work for a portfolio, as long as the triage and containment logic is real.
Should I mention containment automation?
Yes, but explain the safety gates, since reckless automated actions are a red flag in interviews.
How many bullets should I use for this project on a resume?
Usually two to four bullets. Focus on automation, containment, and the response-time improvement.
Turn project details into resume evidence
Use this IR workflow to strengthen your cybersecurity analyst resume
Present SOAR automation, enrichment, and recruiter-friendly response-time impact with clearer wording and stronger keyword alignment.
