Principal Microsoft Defender XDR, IRM & Deception Engineer

WTW


Job Location:

Reigate - UK

Monthly Salary: Not Disclosed
Posted on: 2 days ago
Vacancies: 1 Vacancy

Job Summary

Description

The Principal Microsoft Defender XDR IRM & Deception Engineer working within the Global Information and Cyber Security Defence (ICSD) function is the technical leader for enterprise cyber deception and unified detection and response across the Microsoft security ecosystem. The role focuses on building operating and continuously evolving an enterprise-grade Insider Risk Management (IRM) and deception programme - including honeypots honeytokens decoy users decoy devices deceptive credentials and breadcrumbs - fully integrated with Microsoft Defender XDR (Defender for Endpoint Defender for Identity Defender for Office 365 and Defender for Cloud Apps) Microsoft Sentinel and Microsoft Security Copilot.

The role exists to detect adversaries earlier in the kill chain by deceiving attackers into engaging with high-fidelity traps while delivering unified detection automated investigation and response across endpoint identity email and cloud workloads. It combines deep deception engineering expertise with hands-on Defender XDR mastery and the use of Agentic AI to drive proactive intelligence-led and largely autonomous security operations.

The Role:

  • Deception Engineering Leadership
    • Own and lead the enterprise cyber deception programme end-to-end including strategy architecture deployment operations and continuous improvement.
    • Design deploy and operate a layered deception fabric across on-premises hybrid and multi-cloud environments using honeypots honeytokens decoy accounts decoy devices deceptive files / shares and breadcrumbs.
    • Act as the technical authority for deception engineering and Microsoft Defender XDR across the enterprise.
  • Honeypots Honeytokens Decoys & Breadcrumbs
    • Design and operate the full deception asset lifecycle ensuring high-fidelity low-noise detections that are realistic attacker-grade and resilient to evasion.
    • Deploy and manage Microsoft Defender for Identity deceptive accounts deceptive devices and honeytoken accounts across Active Directory and Microsoft Entra ID.
    • Build and maintain a portfolio of deception assets including:
      • Honeypot systems (low- medium- and high-interaction) across on-prem Azure AWS GCP and OCI
      • Honeytoken credentials API keys OAuth tokens secrets and SaaS accounts
    • Decoy users decoy devices decoy shares decoy files and decoy databases
      • Plant attacker-grade breadcrumbs across endpoints identities and cloud workloads including:
      • Saved credentials browser cookies RDP and SSH artefacts
      • LSASS-resident credentials and cached tokens on selected lures
      • Fake Kerberos service accounts and SPNs to bait Kerberoasting and AS-REP roasting
    • Continuously evolve deception techniques lure design and trap placement aligned to current attacker TTPs red-team findings and breach intelligence.
    • Govern the deception programme with clear standards for asset realism segmentation monitoring and safe operation (no production impact).
    • Validate deception coverage through red-team purple-team and breach-and-attack simulation (BAS) exercises.
  • Microsoft Defender XDR Leadership
    • Lead the design implementation and optimisation of Microsoft Defender XDR across endpoint identity email and cloud-app workloads.
    • Integrate all deception signals (honeypot honeytoken decoy breadcrumb) into Defender XDR and Microsoft Sentinel as first-class high-fidelity detections.
    • Define and enforce a unified detection and response strategy across the Microsoft security stack.
  • Defender for Identity & Identity Deception
    • Lead operation and optimisation of Microsoft Defender for Identity (MDI) to detect identity-based attacks including:
      • Credential theft Kerberoasting AS-REP roasting Pass-the-Hash and Pass-the-Ticket
      • Lateral movement reconnaissance and privilege escalation
      • Misuse of deceptive / honeytoken accounts as early-warning tripwires
    • Integrate MDI deception and Microsoft Entra ID signals into Defender XDR Microsoft Sentinel and SOAR workflows for unified investigation and response.
  • Data Protection DLP & Insider Risk Management

    • Lead the design and implementation of Microsoft Purview Data Loss Prevention (DLP) policies across endpoints cloud apps and collaboration platforms
    • Define and enforce data protection controls to prevent unauthorised data exfiltration and misuse
    • Leverage Microsoft Insider Risk Management (IRM) to detect risky user behaviour including data leaks policy violations and insider threats
    • Correlate DLP IRM and identity signals with Microsoft Defender XDR to provide unified incident context
    • Collaborate with Risk Compliance and Legal teams to align DLP and insider risk controls with regulatory and business requirements
    • Continuously optimise detection use cases combining identity data and behavioural analytics
  • Endpoint Email & Cloud App Detection
    • Lead detection engineering across the Defender XDR stack ensuring deception assets are continuously monitored alongside production telemetry:
    • Microsoft Defender for Endpoint (MDE) - EDR policies ASR rules and decoy-device monitoring
    • Microsoft Defender for Office 365 (MDO) - anti-phishing Safe Links Safe Attachments and honeytoken inboxes
    • Optimise automatic attack disruption automated investigation and response (AIR) and self-healing capabilities to:
      • Disrupt in-progress attacks at machine speed including deception-triggered intrusions
      • Reduce analyst workload through high-confidence automation
      • Improve coverage for ransomware BEC and identity-based attacks
      • Ensure consistent telemetry ingestion and detection parity across Windows macOS Linux mobile and deception assets.
  • Multi-Cloud Deception & Detection (AWS GCP OCI)
    • Extend the deception programme and Defender-style detection capabilities consistently across AWS GCP and OCI including:
    • Cloud honeypots decoy IAM roles and honeytoken cloud credentials / API keys
    • Control-plane workload container and Kubernetes threat detection
    • Cross-cloud identity and access misuse detection
    • Ensure consistent detection deception and response coverage across hybrid and multi-cloud environments.
  • Automation Agentic AI & Continuous Improvement
    • Drive automation of deception deployment detection investigation and response workflows using Microsoft Sentinel SOAR Logic Apps and Microsoft Security Copilot.
    • Define KPIs and metrics covering deception engagement detection coverage and response maturity.
    • Continuously improve detection hunting and deception capabilities to align with emerging threats and adversary tradecraft.
  • Stakeholder Engagement & Technical Leadership
    • Lead and grow a team of Defender XDR and Deception Engineers setting technical direction standards and delivery priorities.
    • Partner with SOC CTI Identity Cloud and Engineering teams to embed deception and Defender XDR detection into all enterprise platforms.
    • Provide mentorship and leadership to deception engineers detection engineers threat hunters and SOC analysts.
    • Communicate deception strategy detection coverage residual risk and security improvements to senior stakeholders.



Qualifications

What youll bring:

Required Skills & Experience:

  • Proven experience designing and operating enterprise cyber deception programmes (honeypots honeytokens decoy users decoy devices breadcrumbs) at scale.
  • Extensive hands-on experience operating and engineering Microsoft Defender XDR (MDE MDI MDO MDA) in large enterprises.
  • Deep expertise across the Microsoft security stack including:
    • Microsoft Defender for Identity (MDI) deceptive accounts deceptive devices and honeytokens
    • Microsoft Sentinel (analytics rules workbooks hunting SOAR)
    • Microsoft Security Copilot automated investigation & response and attack disruption
    • Microsoft Defender for Cloud Apps and Defender for Cloud
  • Hands-on experience with:
    • Open-source and commercial deception / honeypot platforms (e.g. Thinkst Canary T-Pot Cowrie OpenCanary Zscaler Deception)
    • Advanced KQL for detection engineering and threat hunting at scale
    • Detection-as-code CI/CD of detection content and security content management
  • Strong knowledge of adversary tradecraft and frameworks:
    • MITRE ATT&CK MITRE Engage MITRE D3FEND and the cyber kill chain
    • Experience leveraging Agentic AI Microsoft Security Copilot or AI/ML in security operations (detection hunting IR automation).
  • Proven experience leading incident response across identity endpoint email and cloud domains.
  • Strong scripting / automation experience (PowerShell Python or equivalent).
  • Deep understanding of Zero Trust architecture and identity-centric defence.

Preferred Qualifications:

  • Experience contributing to red-team / purple-team exercises and breach-and-attack simulation (BAS) programmes.
  • Microsoft certifications:
    • Microsoft Certified: Security Operations Analyst Associate (SC-200)
    • Microsoft Certified: Azure Security Engineer Associate (AZ-500)
    • Microsoft Certified: Cybersecurity Architect Expert (SC-100)
    • Industry certifications (CISSP GCIA GCFA GCIH OSCP or equivalent)
    • Cloud certifications across AWS GCP or OCI

What we offer:

Enjoy a benefits package designed to help you thrive both professionally and personally. Youll receive 25 days of annual leave plus an extra WTW day to relax and recharge. Our comprehensive health and wellbeing offering includes private healthcare life insurance group income protection and regular health assessments all giving you peace of mind. Secure your future with our defined contribution pension scheme featuring matched contributions up to 10% from the company.

We support your growth and balance with hybrid working options access to an employee assistance programme and a fully paid volunteer day to make a difference in your community. On top of these you can opt into a variety of additional perks including an electric vehicle car scheme share scheme cycle-to-work programme dental and optical cover critical illness protection and much more. Start making the most of your career and wellbeing with a range of benefits tailored for you.

Equal Opportunity Employer

Were committed to equal employment opportunity and provide application interview and workplace adjustments and accommodations to all applicants. If you foresee any barriers from the application process through to joining WTW please email




Required Experience:

Staff IC

DescriptionThe Principal Microsoft Defender XDR IRM & Deception Engineer working within the Global Information and Cyber Security Defence (ICSD) function is the technical leader for enterprise cyber deception and unified detection and response across the Microsoft security ecosystem. The role focuse...

About Company

Company Logo

At WTW we provide data-driven, insight-led solutions in the areas of people, risk and capital.

View Profile View Profile