What you'd actually do

Design and execute purple team simulations that emulate real-world threat actors, techniques, and campaigns across endpoint, identity, cloud, and email surfaces, incorporating both human-driven and agentic execution models.

Partner closely with Microsoft Defender engineering, research, and threat intelligence teams to evaluate detection coverage, investigation quality, and response effectiveness.

Analyze telemetry using Kusto / KQL to validate detection logic, uncover gaps, and measure signal quality at scale.

Translate attacker tradecraft into actionable insights for defenders, including detection recommendations, telemetry requirements, and investigation improvements.

Design, build, and leverage AI-enabled and agentic systems to automate simulation workflows, generate attack variations, validate detections, and accelerate post-simulation analysis.

Skills

Required

Doctorate in Statistics, Mathematics, Computer Science, Computer Security, or related field
3+ years experience in software development lifecycle, large-scale computing, threat analysis or modeling, cybersecurity, vulnerability research, and/or anomaly detection
Ability to meet Microsoft, customer and/or government security screening requirements

Nice to have

Doctorate in Statistics, Mathematics, Computer Science, Computer Security, or related field
5+ years experience in software development lifecycle, large-scale computing, threat analysis or modeling, cybersecurity, vulnerability research, and/or anomaly detection
8+ years of incident response, threat hunting, and/or SOC experience
Experience leveraging and producing threat intelligence at the campaign or actor level
Advanced knowledge of MITRE ATT&CK and threat modeling methodologies
Security related certifications such as: GCIA, GMON, GCIH, CISA

Overview

Security is one of the most critical priorities for our customers in a world of growing digital threats, regulatory scrutiny, and estate complexity. Microsoft Security aspires to make the world safer by empowering every user, customer, and developer with a security cloud that delivers end-to-end, simplified protection. The Microsoft Security organization advances this mission by helping secure digital technology platforms, devices, and clouds across customers’ heterogeneous environments, while also protecting Microsoft’s internal estate. Our culture is grounded in a growth mindset, inspiring excellence, and enabling teams and leaders to bring their full potential each day.

The Microsoft Threat Protection Research (MTP-R) Purple Team sits at the intersection of offense, defense, and intelligence, working across Microsoft Defender technologies to ensure telemetry, detections, and protections are effective against real-world cyberattacks. We are looking for a principal-level security researcher with deep experience in threat operations and Defender tooling to help design, execute, and analyze advanced adversary simulations, collaborate with engineering and detection teams, and translate attacker tradecraft into measurable defensive improvements across Microsoft’s security stack. This role is expected to operate in an AI-first environment, leveraging agentic systems and LLM-driven workflows to scale simulation design, automation, and validation beyond traditional human-driven approaches.

This role is for someone who has lived in blue teams or SOCs, understands how detections succeed or fail in practice, and wants to influence security outcomes at a global scale. You will help define how AI-enabled security research is performed, shaping how agentic systems participate in both offensive simulation and defensive evaluation.

Responsibilities

As a Principal Security Researcher on the MTP Research Purple Team, you will: · Design and execute purple team simulations that emulate real-world threat actors, techniques, and campaigns across endpoint, identity, cloud, and email surfaces, incorporating both human-driven and agentic execution models. · Partner closely with Microsoft Defender engineering, research, and threat intelligence teams to evaluate detection coverage, investigation quality, and response effectiveness. · Analyze telemetry using Kusto / KQL to validate detection logic, uncover gaps, and measure signal quality at scale. · Translate attacker tradecraft into actionable insights for defenders, including detection recommendations, telemetry requirements, and investigation improvements. · Apply frameworks such as MITRE ATT&CK to map adversary behavior, identify coverage gaps, and communicate findings clearly to technical and non-technical audiences. · Leverage and contribute to threat intelligence by both consuming real-world campaign data and producing new insights through simulation outcomes, TTP discovery, and adversary emulation research. · Design, build, and leverage AI-enabled and agentic systems to automate simulation workflows, generate attack variations, validate detections, and accelerate post-simulation analysis. · Evaluate the effectiveness of AI-driven detections and defenses, identifying strengths, gaps, and opportunities for improvement across agentic security capabilities. · Contribute to written simulation reports, executive presentations, and technical documentation that influence product and security strategy.

Qualifications

Minimum Qualifications:

Doctorate in Statistics, Mathematics, Computer Science, Computer Security, or related field AND 3+ years experience in software development lifecycle, large-scale computing, threat analysis or modeling, cybersecurity, vulnerability research, and/or anomaly detection.

Other Requirements:

Ability to meet Microsoft, customer and/or government security screening requirements are required for this role. These requirements include, but are not limited to the following specialized security screenings:

Microsoft Cloud Background Check:

This position will be required to pass the Microsoft background and Microsoft Cloud background check upon hire/transfer and every two years thereafter.

Preferred Qualifications:

Doctorate in Statistics, Mathematics, Computer Science, Computer Security, or related field AND 5+ years experience in software development lifecycle, large-scale computing, threat analysis or modeling, cybersecurity, vulnerability research, and/or anomaly detection.
8+ years of incident response, threat hunting, and/or SOC experience.
Experience leveraging and producing threat intelligence at the campaign or actor level.
Advanced knowledge of MITRE ATT&CK and threat modeling methodologies.
Security related certifications such as: GCIA, GMON, GCIH, CISA .

#MSFTSecurity

Security Research IC5 - The typical base pay range for this role across the U.S. is USD $142,800 - $274,800 per year. There is a different range applicable to specific work locations, within the San Francisco Bay area and New York City metropolitan area, and the base pay range for this role in those locations is USD $188,000 - $304,200 per year.

Certain roles may be eligible for benefits and other compensation. Find additional benefits and pay information here: https://careers.microsoft.com/us/en/us-corporate-pay

This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about **requesting accommodations.**