WTW

Principal Microsoft Defender XDR & Deception Engineer

London
Posted 2 days ago

Principal Microsoft Defender XDR, IRM & Deception Engineer

The Principal Microsoft Defender XDR, IRM & Deception Engineer, working within the Global Information and Cyber Security Defence (ICSD) function, is the technical leader for enterprise cyber deception and unified detection and response across the Microsoft security ecosystem. This role focuses on building, operating, and continuously evolving an enterprise-grade Insider Risk Management (IRM) and deception programme, fully integrated with Microsoft Defender XDR (including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps), Microsoft Sentinel, and Microsoft Security Copilot.

The position exists to detect adversaries earlier in the kill chain by deceiving attackers into engaging with high-fidelity traps, while delivering unified detection, automated investigation, and response across endpoints, identities, email, and cloud workloads. This role combines deep deception engineering expertise, hands-on Defender XDR mastery, and the use of Agentic AI to drive proactive, intelligence-led, and largely autonomous security operations.


About the Role

Key Responsibilities

Deception Engineering Leadership

  • Own and lead the enterprise cyber deception programme, end-to-end, including strategy, architecture, deployment, operations, and continuous improvement.
  • Design, deploy, and operate a layered deception fabric across on-premises, hybrid, and multi-cloud environments using:
    • Honeypots, honeytokens, decoy accounts, decoy devices, deceptive files/shares, and breadcrumbs
  • Act as the technical authority for deception engineering and Microsoft Defender XDR across the enterprise.

Detailed Expertise Areas

  • Honeypots, Honeytokens, Decoys & Breadcrumbs
    • Design and deploy a high-fidelity, low-noise deception asset lifecycle.
    • Manage decoy AWS assets, including deceptive IAM roles and honeytoken secrets.
    • Plant attacker-grade breadcrumbs in endpoints, identities, and cloud workloads, such as:
      • Saved credentials, browser cookies, RDP/SSH artefacts.
      • LSASS-resident credentials and cached tokens.
      • Fake Kerberos service accounts to bait Kerberoasting.
    • Continuously update deception tactics based on real-world attacker TTPs, breach intelligence, and purple-team findings.
    • Govern deception with standards for realism, segmentation, monitoring, and safety (no production impact).
    • Validate deception coverage via red-team, purple-team, and breach-and-attack simulations (BAS).

  • Microsoft Defender XDR Leadership

    • Lead the design, implementation, and optimisation of Defender XDR across endpoint, identity, email, and cloud-app workloads.
    • Integrate deception signals into Defender XDR and Microsoft Sentinel.
    • Define and enforce a unified detection and response strategy across the Microsoft security ecosystem.
  • Defender for Identity & Identity Deception

    • Lead Microsoft Defender for Identity (MDI) to detect identity-based attacks:
      • Credential theft (e.g., Kerberoasting, AS-REP roasting, Pass-the-Hash).
      • Lateral movement, reconnaissance, privilege escalation, and honeytoken misuse.
    • Correlate MDI deception signals with Microsoft Entra ID and Defender XDR/Sentinel/SOAR workflows.
  • Data Protection, DLP & Insider Risk Management

    • Lead Microsoft Purview DLP policy design and enforcement for enterprise protection.
    • Implement IRM strategies to detect insider threats, policy violations, and data misuse.
    • Correlate DLP, identity, and behavioural signals with Defender XDR for holistic intelligence.
    • Align DLP & insider risk controls with regulatory/compliance teams.
  • Endpoint, Email & Cloud App Detection

    • Optimise Defender XDR detection across MDE, MDO, and MDA to support decoy assets:
      • Microsoft Defender for Endpoint (EDR policies, automatic incident response).
      • Microsoft Defender for Office 365 (phishing defences, honeytoken inboxes).
      • Ensure detection parity across Windows, macOS, Linux, and mobile without impacting production.
    • Prioritise ransomware, BEC, and identity-attack detection via AI-driven automation.
  • Multi-Cloud Deception & Detection (AWS, GCP, OCI)

    • Extend deception capabilities across multi-cloud:
      • Cloud honeypots, deceptive IAM roles, honeytoken cloud credentials, and API keys.
      • Protection for Kubernetes clusters, control-plane workloads, and containers.
    • Ensure cross-cloud security alignment.
  • Automation, AI & Continuous Improvement

    • Automate deception appraisal, detection alerting, and response workflows using Microsoft Sentinel SOAR, Logic Apps, and Security Copilot.
    • Apply AI-driven improvements to detection, alert management, and the alert lifecycle.
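As an added worked illustration of the Kerberoasting-bait and honeytoken-misuse bullets above (example code written for this page, not WTW's, Microsoft's or any vendor's own), the script below evaluates constructed telemetry the way a Sentinel analytic rule for a decoy inventory would: a decoy service account's SPN has no legitimate consumers, so any 4769 ticket request for it is an alert, with an RC4 (0x17) ticket raising the severity because that is what most Kerberoasting tooling asks for; likewise any AWS API call made with a honeytoken access key is an alert even when it is denied. The decoy names, account IDs, IP addresses and sample events are all hypothetical and constructed for the example.

```python
"""Decoy-touch detection over constructed telemetry.

Added worked example for the Kerberoasting-bait and honeytoken-misuse
bullets; it is not WTW's, Microsoft's or any vendor's code. It assumes a
hypothetical decoy inventory of one Kerberos service account (an SPN
nobody legitimately requests tickets for) and one AWS honeytoken access
key, and evaluates constructed Windows 4769 events and CloudTrail
records the way a SIEM analytic rule would.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed decoy inventory (hypothetical names and identifiers).
DECOY_SPN_ACCOUNTS: Dict[str, str] = {
    "svc-sqlbackup": "MSSQLSvc/sql-bkp01.corp.example:1433",
}
DECOY_AWS_ACCESS_KEYS: Dict[str, str] = {
    "AKIAIOSFODNN7EXAMPLE": "honeytoken key for backup-export",
}

RC4_HMAC = "0x17"  # TicketEncryptionType most Kerberoasting tooling requests
SEVERITY_RANK = {"high": 1, "critical": 2}


@dataclass(frozen=True)
class Alert:
    source: str    # telemetry the decoy touch was seen in
    actor: str     # principal that touched the decoy
    decoy: str     # decoy identifier from the inventory
    src_ip: str
    severity: str  # "high" or "critical"
    reason: str


def inspect_4769(event: dict) -> Optional[Alert]:
    """Security event 4769: a Kerberos service ticket (TGS) was requested.

    ServiceName carries the decoy's sAMAccountName. A decoy SPN has no
    legitimate consumers, so any request is an alert; an RC4 (0x17)
    ticket on a domain that otherwise issues AES is the classic
    Kerberoasting tell and raises the severity to critical.
    """
    if str(event.get("EventID")) != "4769":
        return None
    service = event.get("ServiceName", "").rstrip("$").lower()
    if service not in DECOY_SPN_ACCOUNTS:
        return None
    etype = event.get("TicketEncryptionType", "").lower()
    severity = "critical" if etype == RC4_HMAC else "high"
    reason = f"TGS request for decoy SPN {DECOY_SPN_ACCOUNTS[service]} (etype {etype})"
    src_ip = event.get("IpAddress", "?").replace("::ffff:", "")  # drop IPv4-mapped prefix
    return Alert("windows-security", event.get("TargetUserName", "?"), service,
                 src_ip, severity, reason)


def inspect_cloudtrail(record: dict) -> Optional[Alert]:
    """A honeytoken access key has no legitimate use, so any API call made
    with it is critical. AccessDenied does not lower the severity: the
    caller is testing a key it should never have seen."""
    identity = record.get("userIdentity", {})
    key = identity.get("accessKeyId")
    if key not in DECOY_AWS_ACCESS_KEYS:
        return None
    reason = f"{record.get('eventName', '?')} using {DECOY_AWS_ACCESS_KEYS[key]}"
    if record.get("errorCode"):
        reason += f" ({record['errorCode']})"
    return Alert("cloudtrail", identity.get("arn", key), key,
                 record.get("sourceIPAddress", "?"), "critical", reason)


def triage(events_4769: Iterable[dict], cloudtrail_records: Iterable[dict]) -> List[Alert]:
    """Collapse repeated touches into one alert per (source, actor, decoy,
    source IP), keeping the highest severity, ordered critical first."""
    best: Dict[Tuple[str, str, str, str], Alert] = {}
    candidates = [inspect_4769(e) for e in events_4769]
    candidates += [inspect_cloudtrail(r) for r in cloudtrail_records]
    for alert in candidates:
        if alert is None:
            continue
        key = (alert.source, alert.actor, alert.decoy, alert.src_ip)
        current = best.get(key)
        if current is None or SEVERITY_RANK[alert.severity] > SEVERITY_RANK[current.severity]:
            best[key] = alert
    return sorted(best.values(), key=lambda a: (-SEVERITY_RANK[a.severity], a.source, a.actor))


# Constructed sample telemetry (not real logs).
SAMPLE_4769 = [
    # Legitimate ticket for a real SQL server: not a decoy, ignored.
    {"EventID": 4769, "TargetUserName": "app01$@CORP.EXAMPLE", "ServiceName": "sql01$",
     "IpAddress": "::ffff:10.0.2.15", "TicketEncryptionType": "0x12"},
    # Kerberoasting: RC4 ticket for the decoy SPN requested from a workstation.
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc-sqlbackup",
     "IpAddress": "::ffff:10.0.5.23", "TicketEncryptionType": "0x17"},
    # Same actor again with AES: folded into the existing critical alert.
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc-sqlbackup",
     "IpAddress": "::ffff:10.0.5.23", "TicketEncryptionType": "0x12"},
]
SAMPLE_CLOUDTRAIL = [
    # Honeytoken key tried from the internet; the denial is still a critical signal.
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/backup-export"}},
    # Ordinary CI traffic with a real key: ignored.
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "10.0.0.4",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/ci"}},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_4769, SAMPLE_CLOUDTRAIL):
        print(f"[{alert.severity}] {alert.source}: {alert.actor} from {alert.src_ip}: {alert.reason}")
```

The design point is the one the "high-fidelity, low-noise" bullet makes: because the decoys have no legitimate consumers, the rule needs no baseline or threshold, and the only tuning is the decoy inventory itself and the dedupe key, so the same logic ports directly to a KQL analytic over SecurityEvent and AWSCloudTrail tables.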

Requirements

Required Skills & Experience

  • Enterprise cyber deception expertise specialising in honeypots, honeytokens, decoy users, decoys, and breadcrumbs.
  • Deep experience implementing and optimising Microsoft Defender XDR (MDE, MDI, MDA, MDO) in large-scale enterprises.
  • Proven expertise across Microsoft’s security stack, including:
    • MDI deceptive accounts, decoy devices, honeytokens.
    • Microsoft Sentinel (rules, hunting, SOAR, workbooks).
    • Defender for Cloud Apps and Purview DLP.
  • Hands-on familiarity with open-source and commercial deception platforms like:
    • Thinkst Canary, T-Pot, Cowrie, OpenCanary, Zscaler Deception
  • Advanced KQL (Kusto Query Language) for threat hunting and detection engineering.
  • Scripting proficiency (PowerShell, Python) for automation.
  • Zero Trust architecture experience with identity-centric security design.
  • Applied agentic AI/ML in cyber detection and automated querying.
  • Incident response experience covering identity, endpoint, email, and cloud incidents.
  • Strong expertise in aligning security controls with risk and regulatory requirements.

Preferred Qualifications

  • Contribution to or participation in red-teaming, purple-teaming, and breach simulations.
  • Microsoft certifications, e.g.:
    • SC-200 (Microsoft Certified: Security Operations Analyst)
    • AZ-500 (Microsoft Certified: Azure Security Engineer)
    • SC-100 (Microsoft Certified: Cybersecurity Architect)
  • Industry certifications such as CISSP, GCIA, GCFA, GCIH, or OSCP.
  • Cloud security architecture certifications focused on AWS, GCP, or OCI.

Benefits

WTW offers a comprehensive benefits package designed to support your personal and professional growth.

📅 Leave Policy

  • 25 days’ annual leave, plus a paid day to recharge, ensuring you can rejuvenate and relax.

🏥 Health & Wellbeing

  • Private healthcare.
  • Group life insurance and income protection.
  • Regular employee health assessments.

💡 Professional & Career Growth

  • Matched defined contribution pension plan (up to 10%).
  • Hybrid working option for flexibility.

🤝 Additional Perks

  • Employee assistance programme for confidential wellbeing support.
  • Paid volunteering day to contribute to community initiatives.
  • Additional perks including:
    • Electric vehicle (EV) car scheme.
    • Share scheme.
    • Cycle-to-work programme.
    • Free dental and optical cover.
    • Critical illness protection insurance.

Unfolded Commitments

WTW is dedicated to creating an inclusive and equitable work environment. We aim to provide fairness from the moment you apply throughout recruitment to onboarding. If you anticipate challenges due to disability, an identified barrier or a need for adjustments, kindly reach out to the Candidate Helpdesk at candidatehelpdesk@wtwco.com.

Skills

Microsoft Defender XDR
Deception Engineering
Incident Response
Data Loss Prevention
Identity Management
Cloud Security
Automation
Scripting
Threat Hunting
Cybersecurity
Microsoft Sentinel
Agentic AI
Zero Trust Architecture
KQL
Breach Simulation
Security Operations

Location

London, England, United Kingdom