Principal Microsoft Defender XDR, IRM & Deception Engineer

London, England, United Kingdom

Principal Microsoft Defender XDR, IRM & Deception Engineer

  • 202604213
  • London, England, United Kingdom
Favoriten anzeigen

Description

The Principal Microsoft Defender XDR, IRM & Deception Engineer, working within the Global Information and Cyber Security Defence (ICSD) function, is the technical leader for enterprise cyber deception and unified detection and response across the Microsoft security ecosystem. The role focuses on building, operating, and continuously evolving an enterprise-grade Insider Risk Management (IRM) and deception programme - including honeypots, honeytokens, decoy users, decoy devices, deceptive credentials, and breadcrumbs - fully integrated with Microsoft Defender XDR (Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps), Microsoft Sentinel, and Microsoft Security Copilot.

The role exists to detect adversaries earlier in the kill chain by deceiving attackers into engaging with high-fidelity traps, while delivering unified detection, automated investigation, and response across endpoint, identity, email, and cloud workloads. It combines deep deception engineering expertise with hands-on Defender XDR mastery and the use of Agentic AI to drive proactive, intelligence-led, and largely autonomous security operations.

The Role:

  • Deception Engineering Leadership
    • Own and lead the enterprise cyber deception programme end-to-end, including strategy, architecture, deployment, operations, and continuous improvement.
    • Design, deploy, and operate a layered deception fabric across on-premises, hybrid, and multi-cloud environments using honeypots, honeytokens, decoy accounts, decoy devices, deceptive files / shares, and breadcrumbs.
    • Act as the technical authority for deception engineering and Microsoft Defender XDR across the enterprise.

       

  • Microsoft Defender XDR Leadership
    • Lead the design, implementation, and optimisation of Microsoft Defender XDR across endpoint, identity, email, and cloud-app workloads.
    • Integrate all deception signals (honeypot, honeytoken, decoy, breadcrumb) into Defender XDR and Microsoft Sentinel as first-class, high-fidelity detections.
    • Define and enforce a unified detection and response strategy across the Microsoft security stack.

       

  • Data Protection, DLP & Insider Risk Management

    • Lead the design and implementation of Microsoft Purview Data Loss Prevention (DLP) policies across endpoints, cloud apps, and collaboration platforms 
    • Define and enforce data protection controls to prevent unauthorised data exfiltration and misuse 
    • Leverage Microsoft Insider Risk Management (IRM) to detect risky user behaviour, including data leaks, policy violations, and insider threats 
    • Correlate DLP, IRM, and identity signals with Microsoft Defender XDR to provide unified incident context 
    • Collaborate with Risk, Compliance, and Legal teams to align DLP and insider risk controls with regulatory and business requirements 
    • Continuously optimise detection use cases combining identity, data, and behavioural analytics

       

  • Multi-Cloud Deception & Detection (AWS, GCP, OCI)
    • Extend the deception programme and Defender-style detection capabilities consistently across AWS, GCP, and OCI, including:
    • Cloud honeypots, decoy IAM roles, and honeytoken cloud credentials / API keys
    • Control-plane, workload, container, and Kubernetes threat detection
    • Cross-cloud identity and access misuse detection
    • Ensure consistent detection, deception, and response coverage across hybrid and multi-cloud environments.
  • Automation, Agentic AI & Continuous Improvement
    • Contribute towards automation of deception deployment, detection, investigation, and response workflows using Microsoft Sentinel SOAR, Logic Apps, and Microsoft Security Copilot.
    • Define KPIs and metrics covering deception engagement, detection coverage, and response maturity.
    • Continuously improve detection, hunting, and deception capabilities to align with emerging threats and adversary tradecraft.
  • Stakeholder Engagement & Technical Leadership
    • Lead and grow a team of Defender XDR and Deception Engineers, setting technical direction, standards, and delivery priorities.
    • Partner with SOC, CTI, Identity, Cloud, and Engineering teams to embed deception and Defender XDR detection into all enterprise platforms.
    • Provide mentorship and leadership to deception engineers, detection engineers, threat hunters, and SOC analysts.
    • Communicate deception strategy, detection coverage, residual risk, and security improvements to senior stakeholders.

Qualifications

What you'll bring:

Required Skills & Experience:

  • Hands-on experience with:
    • Open-source and commercial deception / honeypot platforms (e.g., Thinkst Canary, T-Pot, Cowrie, OpenCanary, Zscaler Deception)
    • Advanced KQL for detection engineering and threat hunting at scale
    • Detection-as-code, CI/CD of detection content, and security content management
  • Strong knowledge of adversary tradecraft and frameworks:
    • MITRE ATT&CK, MITRE Engage, MITRE D3FEND, and the cyber kill chain
    • Experience leveraging Agentic AI, Microsoft Security Copilot, or AI/ML in security operations (detection, hunting, IR, automation).

       

  • Proven experience designing and operating enterprise cyber deception programmes (honeypots, honeytokens, decoy users, decoy devices, breadcrumbs) at scale.
  • Extensive hands-on experience operating and engineering Microsoft Defender XDR (MDE, MDI, MDO, MDA) in large enterprises.
  • Deep expertise across the Microsoft security stack, including:
    • Microsoft Defender for Identity (MDI) deceptive accounts, deceptive devices, and honeytokens
    • Microsoft Sentinel (analytics rules, workbooks, hunting, SOAR)
    • Microsoft Security Copilot, automated investigation & response, and attack disruption
    • Microsoft Defender for Cloud Apps and Defender for Cloud

       

  • Proven experience leading incident response across identity, endpoint, email, and cloud domains.
  • Strong scripting / automation experience (PowerShell, Python, or equivalent).
  • Deep understanding of Zero Trust architecture and identity-centric defence.

 

Preferred Qualifications:

  • Experience contributing to red-team / purple-team exercises and breach-and-attack simulation (BAS) programmes.
  • Microsoft certifications:
    • Microsoft Certified: Security Operations Analyst Associate (SC-200)
    • Microsoft Certified: Azure Security Engineer Associate (AZ-500)
    • Microsoft Certified: Cybersecurity Architect Expert (SC-100)
    • Industry certifications (CISSP, GCIA, GCFA, GCIH, OSCP, or equivalent)
    • Cloud certifications across AWS, GCP, or OCI

What we offer:

Enjoy a benefits package designed to help you thrive, both professionally and personally. You'll receive 25 days of annual leave plus an extra WTW day to relax and recharge. Our comprehensive health and wellbeing offering includes private healthcare, life insurance, group income protection, and regular health assessments, all giving you peace of mind. Secure your future with our defined contribution pension scheme, featuring matched contributions up to 10% from the company.

We support your growth and balance with hybrid working options, access to an employee assistance programme, and a fully paid volunteer day to make a difference in your community. On top of these, you can opt into a variety of additional perks including an electric vehicle car scheme, share scheme, cycle-to-work programme, dental and optical cover, critical illness protection, and much more. Start making the most of your career and wellbeing with a range of benefits tailored for you.

Equal Opportunity Employer

We’re committed to equal employment opportunity and provide application, interview and workplace adjustments and accommodations to all applicants. If you foresee any barriers, from the application process through to joining WTW, please email candidatehelpdesk@wtwco.com

Unaufgeforderte Kontaktaufnahme

Alle unaufgeforderten Lebensläufe/Kandidatenprofile, die über unsere Website oder an persönliche E-Mail-Konten von Mitarbeitenden von Willis Towers Watson übermittelt werden, gelten als Eigentum von Willis Towers Watson und unterliegen nicht der Zahlung von Vermittlungsgebühren. Um als Personalvermittlungsagentur/Personalberatungsunternehmen für Willis Towers Watson zugelassen zu werden, muss eine solche Agentur über eine bestehende formelle schriftliche Vereinbarung verfügen, die von einem autorisierten Recruiter von Willis Towers Watson unterzeichnet wurde, und eine aktive Zusammenarbeit mit dem Unternehmen vorweisen können. Lebensläufe müssen gemäß unserem Einreichungsprozess für Bewerbungen eingereicht werden, was die aktive Beteiligung an der jeweiligen Suche beinhaltet. Ebenso werden für unsere zugelassene Personalvermittlungsagenturen/Personalberatungsunternehmen keine Vermittlungsgebühren von Willis Towers Watson gezahlt, wenn der Prozess zur Einreichung von Kandidaten nicht befolgt wird. Willis Towers Watson ist ein Arbeitgeber, der Chancengleichheit fördert. Wenn Sie möchten, dass Ihre Kontaktdaten zur Berücksichtigung für eine zukünftige Stelle gespeichert werden, senden Sie bitte eine E-Mail an: Agency.inquiries@willistowerswatson.com .

Unsere Niederlassungen

Unsere Kolleginnen und Kollegen betreuen mehr als 140 Länder und Märkte auf der ganzen Welt. Dies verleiht unseren Tätigkeiten eine globale Dimension und schafft viele aufregende Möglichkeiten für Sie, mit uns zusammenzuarbeiten und zu wachsen. Erkunden Sie die Karte unten, um zu sehen, wohin Sie Ihre Karriere führen könnte.