Principal Security Engineer

Principal Security Engineer at Microsoft

We are seeking an experienced and driven Principal Security Engineer to join Microsoft's STORM security research group. This high-impact role focuses on shaping the security posture of Microsoft Specialized Cloud systems from the ground up, embedding security into all development phases from design to deployment. You will lead crucial security activities, collaborate across teams, and significantly influence secure design at scale.

Responsibilities of a Principal Security Engineer

• Lead security design and architecture reviews, including comprehensive threat modeling for complex systems.
• Identify architectural vulnerabilities and provide expert guidance to engineering teams on secure design patterns.
• Collaborate effectively with security teams to proactively identify vulnerabilities and integrate security early into the product lifecycle.
• Clearly and persuasively communicate security findings to both technical and non-technical stakeholders.
• Drive security hardenings and initiate security-driven redesigns to continuously improve the overall security posture.
• Mentor junior engineers and actively promote a culture of security-first thinking throughout the organization.

Qualifications for the Role

To succeed as a Principal Security Engineer, you will need:

• Expertise in structured threat modeling and architectural risk analysis.
• Deep knowledge in one or more of the following areas:
  • Operating System internals (Windows/Linux), memory management, and secure boot.
  • Virtualization, Cloud Architecture, and Container security.
  • Application Security principles and secure software development practices across microservices, APIs, and distributed systems.
  • Cloud-native services and their security implications (e.g., identity, secrets management, service mesh, serverless).

Preferred Attributes

Ideal candidates will also demonstrate:

• A strong sense of responsibility and leadership skills.
• Excellent communication skills, capable of articulating complex security issues clearly.
• Proven ability to lead cross-functional engagements and influence product teams.
• An analytical mindset, a "learn-it-all" attitude, and strong problem-solving skills.
• Comfort navigating ambiguity and organizational complexity.

Experience & Impact

• 10+ years of experience in security engineering, architecture, or related roles.
• Demonstrated success in leading security reviews or threat modeling for large-scale systems.
• Prior experience in driving and managing internal security initiatives and integrating Secure Development Lifecycle (SDLC) concepts.
• Track record of identifying and mitigating vulnerabilities in OS, cloud, or infrastructure components.
• Proficiency in secure coding and code reviews.
• Familiarity with fuzzing and exploitation techniques.

Key skills/competency

• Security Engineering
• Threat Modeling
• Cloud Security
• Application Security
• SDLC Integration
• Vulnerability Management
• Secure Architecture
• Operating System Internals
• Virtualization Security
• Container Security