Security Research Engineer, Defender Experts Team

Security Research Engineer, Defender Experts Team at Microsoft

Overview

Security represents one of the most critical priorities for customers operating in today’s complex and rapidly evolving threat landscape. Microsoft Security is dedicated to making the world a safer place by delivering an integrated security cloud that protects users, developers, and organizations with end‑to‑end, simplified solutions. Our mission is to secure digital platforms, devices, applications, identities, and cloud environments across heterogeneous customer ecosystems while also protecting Microsoft’s own internal estate.

Our culture is rooted in a growth mindset, excellence, and continuous learning. We encourage teams to bring their best every day, fostering an environment where innovation thrives and where our work positively impacts billions of people worldwide.

Within this mission, the Defender Experts (DEX) team plays a vital role by delivering expert‑led cybersecurity investigations at scale. Using rich telemetry and signals from Microsoft 365 Defender and other Microsoft security technologies, DEX helps customers rapidly understand, validate, and respond to suspicious or malicious activity. Our work gives organizations the clarity and confidence they need to strengthen their security posture.

We are seeking a Senior Security Analyst (Tier 2) with strong experience in security investigations, attacker tradecraft analysis, and multi‑signal correlation. In this role, you will analyze complex security data, apply deep knowledge of the threat landscape, and determine whether activity represents a real threat. You will deliver clear, actionable findings and recommendations that help customers protect their environment. This role requires strong investigative skills, critical thinking, and the ability to differentiate benign from malicious behavior with confidence.

This position is ideal for experienced cybersecurity professionals who thrive on analytical problem‑solving, attacker behavior research, and meaningful customer‑focused security work. It is a great opportunity for individuals motivated by impact, learning, and continuous improvement.

Availability & Schedule Flexibility

Ability to work a fixed schedule from 10:00 a.m. to 7:00 p.m., with flexibility to support weekend and holiday coverage as needed. Must also be willing to participate in an on‑call rotation to respond to high‑priority incidents or urgent operational needs.

Responsibilities

• Analyze and validate security alerts, anomalies, and behavioral patterns within Microsoft 365 Defender and related telemetry to validate detections and understand attacker intent.
• Apply attacker methodology frameworks (MITRE ATT&CK, Cyber Kill Chain) to contextualize threats, assess progression, and determine potential impact.
• Investigate identity centric threats, credential misuse, lateral movement, cloud-based attacks, and modern techniques commonly used in human operated ransomware, Business Email Compromise (BEC), and stealthy persistence campaigns.
• Correlate large and complex datasets using Kusto Query Language (KQL) and investigate tooling to uncover relationships, patterns and root cause.
• Differentiate benign, misconfigured, suspicious, and malicious activity with confidence, supported by defensible evidence.
• Deliver customer facing investigation summaries that clearly articulate what occurred, why it matters, and the recommended next steps.
• Contribute to continuous improvement efforts by identifying gaps, false positives, attacker trends, and opportunities for tooling or process enhancements.
• Stay informed on SOC and threat landscape trends, including AI driven attack automation, identity-targeted campaigns, cloud compromise techniques, and evolving redteam tradecraft.

Qualifications

• Master's Degree in Statistics, Mathematics, Computer Science, Computer Security, or related field AND 1+ year(s) experience in software development lifecycle, large-scale computing, threat analysis or modeling, cybersecurity, vulnerability research, and/or anomaly detection OR Bachelor's Degree in Statistics, Mathematics, Computer Science, Computer Security, or related field AND 2+ years experience in software development lifecycle, large-scale computing, threat analysis or modeling, cybersecurity, vulnerability research, and/or anomaly detection OR equivalent experience.
• Minimum 3 years of hands‑on experience in areas such as Security Operations (SOC Tier 2+), Cybersecurity Investigations, Incident Response, or Threat Hunting.
• Proven ability to analyze alerts and telemetry from EDR/XDR solutions—preferably Microsoft 365 Defender—and conduct investigations involving identity misuse, authentication anomalies, or suspicious access patterns.
• Solid understanding of operating system internals, security mitigations, and common threats across Windows, Linux, and Mac environments.
• Familiarity with MITRE ATT&CK and Cyber Kill Chain frameworks to structure, guide, and communicate investigative findings.
• Advanced English level.

Additional Or Preferred Qualifications

• Hands-on expertise with Microsoft 365 Defender components, including Endpoint, Identity, Cloud Apps, and Email Protection.
• Prior experience as a Tier-2 or Tier-3 analyst validating alerts, investigations, or threat-intelligence.
• Experience investigating cloud environments (Azure, AWS, GCP) and associated network telemetry.
• Knowledge of major cloud and productivity platforms as well as identity systems and related security concerns.
• Familiarity with common identity-based attacks (OAuth abuse, token theft, Kerberos/NTLM anomalies, conditional access bypass patterns).
• Experience with offensive security including tools such as Metasploit, exploit development, Open-Source Intelligence Gathering (OSINT), and designing ways to breach enterprise networks.
• Experience conveying data into clear security narratives (“tell the story”).
• Additional advanced technical degrees or cyber security certifications such as CISSP, OSCP, CEH, or GIAC.
• Investigative mindset with excellent critical thinking, pattern recognition, and analytical skills.
• Experience with direct customer communication in a service delivery role.
• Solid interpersonal and cross‑functional collaboration abilities.
• Capable of clearly articulating investigation results and translating technical insights into business‑driven recommendations for improving detection and response capabilities.

Key skills/competency

• Security Investigations
• Attacker Tradecraft Analysis
• Multi-signal Correlation
• Threat Landscape Expertise
• Microsoft 365 Defender
• Kusto Query Language (KQL)
• MITRE ATT&CK Framework
• Incident Response
• Threat Hunting
• Cybersecurity Analytics