WTW
Principal Microsoft Defender XDR & Deception Engineer

Principal Microsoft Defender XDR, IRM & Deception Engineer
The Principal Microsoft Defender XDR, IRM & Deception Engineer, working within the Global Information and Cyber Security Defence (ICSD) function, is the technical leader for enterprise cyber deception and unified detection and response across the Microsoft security ecosystem. This role focuses on building, operating, and continuously evolving an enterprise-grade Insider Risk Management (IRM) and deception programme, fully integrated with Microsoft Defender XDR (including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps), Microsoft Sentinel, and Microsoft Security Copilot.
The position exists to detect adversaries earlier in the kill chain by deceiving attackers into engaging with high-fidelity traps, while delivering unified detection, automated investigation, and response across endpoints, identities, email, and cloud workloads. This role combines deep deception engineering expertise, hands-on Defender XDR mastery, and the use of Agentic AI to drive proactive, intelligence-led, and largely autonomous security operations.
About the Role
Key Responsibilities
Deception Engineering Leadership
- Own and lead the enterprise cyber deception programme, end-to-end, including strategy, architecture, deployment, operations, and continuous improvement.
- Design, deploy, and operate a layered deception fabric across on-premises, hybrid, and multi-cloud environments using:
- Honeypots, honeytokens, decoy accounts, decoy devices, deceptive files/shares, and breadcrumbs
- Act as the technical authority for deception engineering and Microsoft Defender XDR across the enterprise.
Detailed Expertise Areas
- Honeypots, Honeytokens, Decoys & Breadcrumbs
- Design and deploy a high-fidelity, low-noise deception asset lifecycle.
- Manage decoy AWS assets, including deceptive IAM roles and honeytoken secrets.
- Plant attacker-grade breadcrumbs in endpoints, identities, and cloud workloads, such as:
- Saved credentials, browser cookies, RDP/SSH artefacts.
- LSASS-resident credentials and cached tokens.
- Fake Kerberos service accounts to bait Kerberoasting.
- Continuously update deception tactics based on real-world attacker TTPs, breach intelligence, and purple-team findings.
- Govern deception with standards for realism, segmentation, monitoring, and safety (no production impact).
- Validate deception coverage via red-team, purple-team, and breach-and-attack simulations (BAS).
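The Kerberoasting bait described above, as an added example that is not part of the WTW posting: one function plants a decoy service account whose only purpose is to be Kerberoastable (an SPN makes any domain user able to request a TGS for it), and a second function triages Security event 4769 for TGS requests naming that account. The RSAT ActiveDirectory module, rights to create accounts, and the OU path, account name, SPN and sample event are all assumptions for illustration.

```powershell
# Added example, not part of the WTW posting: plant a Kerberoast decoy account and triage
# Kerberos TGS requests (Security event 4769) for it. Assumes the RSAT ActiveDirectory module
# and rights to create accounts; OU path, account name, SPN and the sample event are placeholders.

function New-KerberoastDecoy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,        # e.g. svc-sqlbackup (assumed name)
        [Parameter(Mandatory)] [string] $ServicePrincipalName,  # e.g. MSSQLSvc/sqlbackup01.corp.example:1433
        [Parameter(Mandatory)] [string] $Path                   # OU DN, e.g. 'OU=Service Accounts,DC=corp,DC=example'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # 48 random bytes as the password: the SPN makes the account Kerberoastable, but the resulting
    # ticket hash is not realistically crackable, so a TGS request is a pure tripwire, not a risk.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($SamAccountName, "Create decoy with SPN $ServicePrincipalName")) {
        New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -Path $Path `
            -ServicePrincipalNames $ServicePrincipalName -AccountPassword $password `
            -PasswordNeverExpires $true -Enabled $true `
            -Description 'SQL backup service account'   # plausible cover story; never label it a honeytoken in AD
    }
}

function Find-DecoyTgsRequest {
    param(
        [Parameter(Mandatory)] [string[]] $DecoyServiceName,  # sAMAccountName(s) of decoys; 4769 ServiceName is the account, not the SPN
        [string[]] $EventXml                                  # 4769 events as XML; omit to read the local Security log
    )
    if (-not $EventXml) {
        $EventXml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.ToXml() }
    }
    foreach ($xmlText in $EventXml) {
        $x = [xml]$xmlText
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }   # look up fields by name, not by index
        if ($DecoyServiceName -notcontains $data['ServiceName']) { continue }
        [pscustomobject]@{
            Time         = $x.Event.System.TimeCreated.SystemTime
            Requester    = $data['TargetUserName']
            SourceIp     = $data['IpAddress'] -replace '^::ffff:', ''
            Service      = $data['ServiceName']
            # 0x17 = RC4-HMAC, the encryption type Kerberoasting tools request to obtain a cheap-to-crack hash
            Rc4Requested = ($data['TicketEncryptionType'] -eq '0x17')
        }
    }
}

# Constructed sample 4769 event (not a real log record) so the triage runs offline.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2025-01-01T10:00:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">j.doe@CORP.EXAMPLE</Data>
    <Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="ServiceName">svc-sqlbackup</Data>
    <Data Name="ServiceSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="IpAddress">::ffff:10.20.30.40</Data>
    <Data Name="IpPort">51234</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
'@

# New-KerberoastDecoy -SamAccountName 'svc-sqlbackup' -ServicePrincipalName 'MSSQLSvc/sqlbackup01.corp.example:1433' `
#     -Path 'OU=Service Accounts,DC=corp,DC=example' -WhatIf
Find-DecoyTgsRequest -DecoyServiceName 'svc-sqlbackup' -EventXml $sampleEvent
```

Running the triage on the constructed event returns one record for j.doe from 10.20.30.40 with Rc4Requested set to true; a genuine service never requests a ticket for a decoy, so any hit is actionable. In a Defender XDR deployment the same decoy would also be tagged as a honeytoken entity in Defender for Identity and the 4769 match written as a Sentinel analytics rule, so that the alert lands in the unified incident queue rather than in an ad-hoc script.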
Microsoft Defender XDR Leadership
- Lead the design, implementation, and optimisation of Defender XDR across endpoint, identity, email, and cloud-app workloads.
- Integrate deception signals into Defender XDR and Microsoft Sentinel.
- Define and enforce a unified detection and response strategy across the Microsoft security ecosystem.
Defender for Identity & Identity Deception
- Lead Microsoft Defender for Identity (MDI) to detect identity-based attacks:
- Credential theft (e.g., Kerberoasting, AS-REP roasting, Pass-the-Hash).
- Lateral movement, reconnaissance, privilege escalation, and honeytoken misuse.
- Correlate MDI deception signals with Microsoft Entra ID and Defender XDR/Sentinel/SOAR workflows.
Data Protection, DLP & Insider Risk Management
- Lead Microsoft Purview DLP policy design and enforcement for enterprise protection.
- Implement IRM strategies to detect insider threats, policy violations, and data misuse.
- Correlate DLP, identity, and behavioural signals with Defender XDR for holistic intelligence.
- Align DLP & insider risk controls with regulatory/compliance teams.
Endpoint, Email & Cloud App Detection
- Optimise Defender XDR detection across MDE, MDO, and MDA to support decoy assets:
- Microsoft Defender for Endpoint (EDR policies, automatic incident response).
- Microsoft Defender for Office 365 (phishing defences, honeytoken inboxes).
- Ensure detection parity across Windows, macOS, Linux, and mobile without impacting production.
- Prioritise ransomware, BEC, and identity-attack detection via AI-driven automation.
Multi-Cloud Deception & Detection (AWS, GCP, OCI)
- Extend deception capabilities across multi-cloud:
- Cloud honeypots, deceptive IAM roles, honeytoken cloud credentials, and API keys.
- Protection for Kubernetes clusters, control-plane workloads, and containers.
- Ensure cross-cloud security alignment.
Automation, AI & Continuous Improvement
- Automate deception alert triage, detection alerting, and response workflows using Microsoft Sentinel SOAR, Logic Apps, and Security Copilot.
- Apply AI to detection, alert triage, and alert lifecycle management.
Requirements
Required Skills & Experience
- Enterprise cyber deception expertise specialising in honeypots, honeytokens, decoy users, decoys, and breadcrumbs.
- Deep experience implementing and optimising Microsoft Defender XDR (MDE, MDI, MDA, MDO) in large-scale enterprises.
- Proven expertise across Microsoft's security stack, including:
- MDI deceptive accounts, decoy devices, and honeytokens.
- Microsoft Sentinel (analytics rules, hunting, SOAR, workbooks).
- Defender for Cloud Apps.
- Hands-on familiarity with open-source and commercial deception platforms like:
- Thinkst Canary, T-Pot, Cowrie, OpenCanary, Zscaler Deception
- Advanced KQL (Kusto Query Language) for threat hunting and detection engineering.
- Scripting proficiency (PowerShell, Python) for automation.
- Zero Trust architecture experience with identity-centric security design.
- Application of agentic AI/ML to cyber detection and automated querying.
- Incident response experience covering identity, endpoint, email, and cloud incidents.
- Strong expertise in aligning security controls with risk and regulatory requirements.


Preferred Qualifications
- Contribution to or participation in red-teaming, purple-teaming, and breach simulations.
- Microsoft certifications, e.g.:
- SC-200 (Microsoft Certified: Security Operations Analyst)
- AZ-500 (Microsoft Certified: Azure Security Engineer)
- SC-100 (Microsoft Certified: Cybersecurity Architect)
- Industry certifications such as CISSP, GCIA, GCFA, GCIH, or OSCP.
- Cloud security architecture certifications focused on AWS, GCP, or OCI.
Benefits
WTW offers a comprehensive benefits package designed to support your personal and professional growth.
📅 Leave Policy
- 25 days’ annual leave, plus a paid day to recharge, ensuring you can rejuvenate and relax.
🏥 Health & Wellbeing
- Private healthcare for sustaining good health.
- Group life insurance and income protection.
- Regular employee health assessments.
💡 Professional & Career Growth
- Matched defined contribution pension plan (up to 10%).
- Hybrid working option for flexibility.
🤝 Additional Perks
- Confidential employee assistance programme for wellbeing support.
- Paid volunteering day to contribute to community initiatives.
- Additional perks including:
- Electric vehicle (EV) car scheme.
- Share scheme.
- Cycle-to-work programme.
- Free dental and optical cover.
- Critical illness protection insurance.
Our Commitment
WTW is dedicated to creating an inclusive and equitable work environment. We aim to provide fairness from the moment you apply throughout recruitment to onboarding. If you anticipate challenges due to disability, an identified barrier or a need for adjustments, kindly reach out to the Candidate Helpdesk at candidatehelpdesk@wtwco.com.