Job Details
Posted date: Jun 22, 2026
Category: Security Research
Location: Multiple Locations, Multiple Locations
Employment type: Full-Time
Work location type: 0 days / week in-office – remote
Role: Individual Contributor
Description
Overview
Security is one of the most critical priorities for customers operating in today’s complex and rapidly evolving threat landscape. Microsoft Security is committed to making the world a safer place by delivering an integrated security cloud that empowers users, customers, and developers with end‑to‑end, simplified protection. Our mission is to secure digital platforms, identities, devices, and cloud environments across diverse customer ecosystems while also safeguarding Microsoft’s own internal estate.
Our culture is rooted in a growth mindset, continuous learning, and a drive for excellence. We encourage teams to contribute meaningfully every day, fostering an environment where innovation thrives and creates meaningful impact for billions of people worldwide.
The Defender Experts (DEX) team plays a vital role in this mission by delivering expert‑led cybersecurity investigations at scale. By leveraging rich telemetry and signals from Microsoft 365 Defender and other Microsoft security technologies, DEX helps customers quickly understand, validate, and respond to suspicious or malicious activity in their environments.
We are seeking Security Researchers with proven experience in security investigations, attacker tradecraft analysis, and signal correlation. In this role, you will analyze complex security data, apply deep threat‑landscape expertise, and determine whether activity represents a real threat. You will provide clear, actionable findings and recommendations that strengthen customer security. This position is well suited for security professionals who thrive on analytical problem‑solving, attacker behavior research, and impactful, customer‑focused work.
Responsibilities
Analyze and validate security alerts, anomalies, and behavioral patterns within Microsoft 365 Defender and related telemetry to validate detections and understand attacker intent.
Apply attacker methodology frameworks (MITRE ATT&CK, Cyber Kill Chain) to contextualize threats, assess progression, and determine potential impact.
Investigate identity-centric threats, credential misuse, lateral movement, cloud-based attacks, and modern techniques commonly used in human-operated ransomware, Business Email Compromise (BEC), and stealthy persistence campaigns.
Correlate large and complex datasets using Kusto Query Language (KQL) and investigation tooling to uncover relationships, patterns, and root cause.
Differentiate benign, misconfigured, suspicious, and malicious activity with confidence, supported by defensible evidence.
Deliver customer-facing investigation summaries that clearly articulate what occurred, why it matters, and the recommended next steps.
Qualifications
Required Qualifications:
Bachelor's Degree in Statistics, Mathematics, Computer Science, Computer Security, or related field AND at least 2 years of experience in software development lifecycle, large-scale computing, threat analysis or modeling, cybersecurity, vulnerability research, and/or anomaly detection; OR Master's Degree in the same fields AND at least 1 year of experience in the same domains; OR equivalent experience.
3+ years of hands-on experience in one or more of the following areas: Security Operations (SOC Tier 2 or higher); Cybersecurity Investigations; Incident Response (IR); or Threat Hunting.
Global collaboration is integral to our work at Microsoft, and proficiency in English is essential for effective communication in this role.
Ability to work a consistent schedule from 10:00 AM to 7:00 PM Costa Rica time, aligned to either a Sunday–Thursday or Tuesday–Saturday workweek. The role also requires availability to participate in an on-call rotation, including weekend coverage, to support the Americas’ ongoing operational needs.
Preferred Qualifications:
Proven experience analyzing alerts and telemetry from EDR/XDR platforms, preferably Microsoft 365 Defender.
Investigative mindset with effective critical thinking, pattern recognition, and analytical skills.
Familiarity with the MITRE ATT&CK Framework and Cyber Kill Chain models for structuring and explaining investigations.
Knowledge of operating system internals, OS security mitigations, and understanding of security challenges in Windows, Linux, and Mac platforms.
Experience performing investigations involving identity misuse, authentication anomalies, or suspicious access patterns.
Effective cross-group and interpersonal skills, with the ability to articulate the business need for detection improvements.
Experience with direct customer communication in a service delivery role.
Hands-on expertise with Microsoft 365 Defender components, including Endpoint, Identity, Cloud Apps, and Email Protection.
Prior experience as a Tier-2 or Tier-3 analyst validating alerts, investigations, or threat intelligence.
Experience investigating cloud environments (Azure, AWS, GCP) and associated network telemetry.
Knowledge of major cloud and productivity platforms as well as identity systems and related security concerns.
Familiarity with common identity-based attacks (OAuth abuse, token theft, Kerberos/NTLM anomalies, conditional access bypass patterns).
Experience with offensive security, including tools such as Metasploit, exploit development, Open-Source Intelligence Gathering (OSINT), and designing ways to breach enterprise networks.
This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.
Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.