WTW
Principal Microsoft Defender XDR & Deception Engineer

Principal Microsoft Defender XDR, IRM & Deception Engineer
The Principal Microsoft Defender XDR, Insider Risk Management (IRM) & Deception Engineer, operating within the Global Information and Cyber Security Defence (ICSD) function, serves as the technical leader for enterprise cyber deception and unified detection and response across the Microsoft security ecosystem.
About the Role
This role focuses on building, operating, and evolving an enterprise-grade Insider Risk Management (IRM) and deception programme—including honeypots, honeytokens, decoy users, devices, credentials, and breadcrumbs—fully integrated with Microsoft Defender XDR, Microsoft Sentinel, and Security Copilot.
The primary goal is to detect adversaries earlier in the kill chain by implementing high-fidelity traps while unifying detection, automated investigation, and response across endpoints, identities, and cloud workloads. This position combines expertise in deception engineering with Microsoft Defender XDR mastery and harnesses agentic AI for proactive, intelligence-led, and autonomous security operations.
Key Responsibilities
1. Deception Engineering Leadership
- Own and lead the enterprise cyber deception programme—encompassing strategy, architecture, deployment, operations, and continual improvement.
- Design, deploy, and manage a multi-layered deception fabric across on-premises, hybrid, and multi-cloud environments using:
  - Honeypots and honeytokens
  - Decoy accounts, devices, files/shares, and databases
  - Breadcrumbs embedded across endpoints and identities
- Serve as the technical authority for both deception engineering and Microsoft Defender XDR integration across the enterprise.
2. Honeypots, Honeytokens, Decoys & Breadcrumbs
- Design and operate deception assets following a full lifecycle approach, ensuring:
  - High-fidelity, low-noise detections that mimic attacker behaviour
  - Realism, resilience, and resistance to evasion techniques
- Implement Microsoft Defender for Identity deceptive techniques, including:
  - Deceptive accounts, devices, and honeytoken captives in Active Directory (AD) and Microsoft Entra ID
- Deploy and manage deception portfolios such as:
  - Honeypots (low-, medium-, and high-interaction) across Windows, Azure, AWS, GCP, and OCI
  - Honeytokens for API keys, OAuth tokens, secrets, and SaaS credentials
  - Decoy users, devices, shares, files, and databases
  - Fabricated attacker-grade breadcrumbs (e.g., credentials, cookies, Kerberos artefacts, RDP/SSH traces)
- Continuously evolve deception tactics using breach intelligence, red-team findings, and threat intelligence.
- Govern deception programmes with clear standards for realism, segmentation, monitoring, and safe operations (no production impact).
- Validate coverage through red-team exercises, purple-team tests, and Breach-and-Attack Simulations (BAS).
3. Microsoft Defender XDR Leadership
- Drive the design, implementation, and optimisation of Microsoft Defender XDR across endpoints, identities, email, and cloud apps.
- Ensure deception signals (e.g., honeypots, honeytokens) are tightly integrated into Microsoft Defender XDR and Microsoft Sentinel for unified incident detection.
- Enforce a consistent detection and response strategy across the Microsoft security stack.
4. Defender for Identity & Identity Deception
- Lead the operation and optimisation of Defender for Identity (MDI) to detect:
  - Credential theft (e.g., Kerberoasting, AS-REP Roasting, Pass-the-Hash)
  - Lateral movement, privilege escalation, and reconnaissance
  - Misuse of deceptive/honeytoken accounts as early-warning mechanisms
- Correlate MDI, deception, and Entra ID signals into Defender XDR, Sentinel, and SOAR workflows for streamlined investigations.
5. Data Protection, DLP & Insider Risk Management (IRM)
- Design and implement Microsoft Purview Data Loss Prevention (DLP) policies across:
  - Endpoints, cloud apps, and collaboration platforms (e.g., Microsoft 365)
- Define and enforce data protection controls to prevent unauthorised exfiltration.
- Deploy Microsoft Insider Risk Management (IRM) to detect:
  - Policy violations, insider threats, and abusive data behaviour
- Correlate DLP, IRM, and identity signals into Defender XDR for comprehensive incident context.
- Align DLP and IRM controls with regulatory and business compliance requirements.
- Optimise the blend of identity, data, and behavioural analytics to bolster detection capability.
6. Endpoint, Email & Cloud App Detection
- Enhance detection engineering across the Defender XDR stack, ensuring:
  - Deception assets and production assets are continuously monitored with parity
- Optimise automatic attack disruption and automated investigation and response (AIR) across:
  - Microsoft Defender for Endpoint (MDE) (e.g., ASR rules, decoy device monitoring)
  - Microsoft Defender for Office 365 (MDO) (e.g., Safe Links, Safe Attachments, honeytoken inboxes)
- Drive automation to:
  - Disrupt in-progress attacks at machine speed through AI-driven signal ingestion
  - Reduce analyst workload via high-confidence automation
  - Improve protection against ransomware, BEC, and identity-based attacks
- Maintain consistent detection coverage for Windows, macOS, Linux, and mobile.
7. Multi-Cloud Deception & Detection (AWS, GCP, OCI)
- Extend deception and detection capabilities consistently across public clouds:
  - Cloud honeypots, fake IAM roles, and honeytokens for APIs and credential keys
  - Control-plane, workload, container, and Kubernetes threat detection
  - Cross-cloud identity and access misuse detection
- Ensure impeccable detection and response parity across hybrid and multicloud environments.
8. Automation, Agentic AI & Continuous Improvement
- Promote automation of deception workflows using:
  - Microsoft Sentinel SOAR, Azure Logic Apps, and Microsoft Security Copilot
- Define and track KPIs for deception engagement, detection coverage, and response automation.
- Continuously evolve techniques to counter emerging threats and align with evolving attacker tradecraft.
9. Stakeholder Engagement & Technical Leadership
- Lead cross-functional Defender XDR and Deception Engineering teams, defining technical direction and delivery priorities.
- Collaborate with SOC, Threat Intelligence, Identity, and Cloud Engineering teams to embed deception within enterprise security operations.
- Mentor rising talent in deception engineering, hunting, and Defender XDR.
- Translate technical strategy and residual risks for senior stakeholders.
Note: This role is critical to the organisation’s cybersecurity resilience, requiring both technical depth and strategic vision in an evolving threat landscape.