Principal Microsoft Defender XDR, IRM & Deception Engineer at WTW - ScoutJobs - The AI-curated global job board
Skip to content
WTW
Posted an hour ago

Principal Microsoft Defender XDR, IRM & Deception Engineer

WTWPrincipal Microsoft Defender XDR, IRM & Deception Engineer

Requirements

Enterprise cyber deception program design, Microsoft Defender XDR engineering, Microsoft Sentinel expertise, Advanced KQL, Scripting in PowerShell or Python, Adversary tradecraft knowledge, Incident response leadership

Skills

PythonPowerShellKQL

About the role

Responsibilities

  • Lead the end-to-end enterprise cyber deception programme, including strategy, architecture, and deployment of honeypots, honeytokens, and decoy assets.
  • Design and optimize Microsoft Defender XDR across endpoint, identity, email, and cloud-app workloads.
  • Integrate deception signals into Microsoft Sentinel and Defender XDR to create high-fidelity, automated detection and response workflows.
  • Implement Microsoft Purview DLP and Insider Risk Management (IRM) to detect and prevent unauthorized data exfiltration.
  • Extend deception and detection capabilities across multi-cloud environments including AWS, GCP, and OCI.
  • Drive security automation using Microsoft Sentinel SOAR, Logic Apps, and Microsoft Security Copilot.
  • Provide technical leadership and mentorship to a team of Defender XDR and Deception Engineers.

Requirements

  • Proven experience designing and operating enterprise-scale cyber deception programmes (honeypots, honeytokens, decoys).
  • Extensive hands-on engineering experience with the Microsoft Defender XDR stack (MDE, MDI, MDO, MDA).
  • Deep expertise in Microsoft Sentinel, including analytics rules, hunting, and SOAR.
  • Advanced proficiency in KQL (Kusto Query Language) for detection engineering and threat hunting.
  • Strong scripting and automation skills in PowerShell or Python.
  • Deep understanding of adversary tradecraft, MITRE ATT&CK, and the cyber kill chain.
  • Proven experience leading incident response across identity, endpoint, and cloud domains.

Preferred Qualifications

  • Experience with red-team/purple-team exercises and breach-and-attack simulation (BAS).
  • Microsoft certifications such as SC-200, AZ-500, or SC-100.
  • Industry certifications like CISSP, GCFA, GCIH, or OSCP.
  • Experience leveraging Agentic AI or Microsoft Security Copilot in security operations.

Benefits

  • 25 days of annual leave plus an extra WTW day.
  • Comprehensive health and wellbeing package including private healthcare and life insurance.
  • Defined contribution pension scheme with company matched contributions up to 10%.
  • Hybrid working options and a fully paid volunteer day.
  • Access to various perks including electric vehicle schemes and cycle-to-work programmes.

About the Company

WTW is a leading global advisory firm that helps clients manage risk and optimize outcomes. We provide innovative solutions across risk, broking, and human capital to help organizations navigate an increasingly complex world.

ScoutJobs Agent

Get matches like this delivered daily

Sign up free — we'll pull jobs that fit your CV from across the web and rank them for you.

Get started — it's free

Principal Microsoft Defender XDR, IRM & Deception Engineer

WTW · London

Sign up to apply