Principal Threat Research Lead
Top focus
Overview
Protecting billions of users and the world’s largest digital estates is among the hardest and highest-stakes challenges in technology. Microsoft Security exists to meet it — empowering every user, customer, and developer with end-to-end, simplified protection across heterogeneous, multi-cloud environments, while securing Microsoft’s own global estate.
Our culture is built on a growth mindset, a drive for technical excellence, and the expectation that we bring our best each day to innovations that impact billions of lives. Microsoft Security Research (MSecR) is the research engine behind Microsoft’s protection stack — turning planetary-scale telemetry, adversary intelligence, and AI-driven systems into proactive detection, disruption, and pre-emption of advanced threats.
We work across the full estate — endpoint, identity, email, cloud apps, SaaS, and multi-cloud infrastructure — shifting protection left by transforming raw signal into actionable intelligence and production-grade detections. We are actively building the next generation of agentic, AI-assisted investigation and detection systems that change how defenders operate at scale.
We are seeking a Principal Threat Research Lead to drive next-generation threat research across Threat Intelligence (TI), AI-driven analytics, and detection engineering. This is a senior leadership role with researchers reporting to you: you will set technical direction and stay deep in the craft — personally shaping research, advancing detection systems, and influencing platform-level capabilities across Microsoft Security.
You will partner closely with product, engineering, operations, and TI teams to deliver durable, scalable protection for global enterprise customers. In this role, you will operate at the intersection of threat intelligence, advanced analytics, and AI systems, leading high-impact initiatives that define how large-scale security platforms anticipate and respond to emerging threats.
Responsibilities
We are seeking a Principal Threat Research Lead with deep expertise in threat intelligence, advanced analytics, and AI-driven detection systems.
The ideal candidate will demonstrate a proven ability to lead large-scale technical initiatives, influence platform direction, and deliver high-impact security innovations across complex, multi-cloud environments.
Responsibilities include:
Set technical vision for advanced threat research spanning Threat Intelligence, analytics, and AI across large-scale, cross-domain telemetry platforms — and stay hands-on enough to prove it works.
Lead deep research into emerging threats, attacker TTPs, and campaign behavior across endpoint, identity, email, cloud apps, and multi-cloud surfaces — translating insight into concrete detection and response strategy.
Architect AI/ML-driven detection systems — behavioral analytics, anomaly detection, and agentic / LLM-powered enrichment and investigation pipelines — including the evaluation, guardrails, and abuse-resistance (e.g. prompt-injection defense, output validation) that make them production-safe.
Operationalize intelligence-to-detection pipelines that continuously convert TI into scalable, production-grade detections, managed as detection-as-code (versioned, tested, backtested, CI-deployed).
Drive detection-engineering excellence across SIEM/XDR platforms (Microsoft Defender / Sentinel) — owning measurable signal quality, broad coverage, and low false-positive rates.
Establish efficacy frameworks for detection coverage, false-negative reduction, and signal-to-noise optimization at scale, with clear metrics (precision/recall, true-alert ratio, FP/FN discovery).
Individually author and ship high-fidelity detections and hunts when it matters — triaging their false positives and measuring production performance.
Drive cross-tenant signal correlation, multi-stage attack analysis, and graph-based campaign stitching as a core research capability.
Collaborate cross-functionally with Product, Engineering, and Operations to productionize research into customer-facing protection.
Mentor senior researchers and engineers, setting the bar for technical depth, innovation, and execution rigor.
Influence internal and industry strategy through thought leadership, leadership/customer threat briefings, research publications, and contributions to the security community.
What success looks like
A working intel-to-detection pipeline shipping a steady cadence of validated, low-FP detections into production.
Measurable improvement in coverage and false-negative discovery across at least one attack domain.
AI/agentic capability moved from research prototype to evaluated, guard-railed production use.
Qualifications
Required
12+ years of experience in threat research, threat intelligence, detection engineering, or security analytics within large-scale, complex environments.
Proven ability to lead and individually execute advanced research on emerging threats across cloud, identity, endpoint, and multi-domain attack surfaces.
Demonstrated expertise in at least one core domain—Threat Intelligence, AI/ML for Security, or Security Analytics—with strong cross-domain proficiency.
Hands-on experience designing and shipping high-fidelity detection strategies on SIEM/XDR platforms (Microsoft Defender / Sentinel), with a track record of managing false positives and measuring detection efficacy.
Depth in at least one major cloud (Azure preferred) and solid working knowledge of modern multi-cloud attack vectors.
Strong proficiency in data analysis and engineering tools (e.g., KQL, Python, ADX and notebook-driven exploration) and experience working with large-scale analytical pipelines.
Proven ability to independently drive ambiguous, high-impact technical problems to completion.
Ability to influence cross-functional teams and communicate complex technical concepts to diverse audiences, including leadership and customers.
Strongly preferred
Experience with AI/agentic systems for security — RAG over intel, LLM evaluation, guardrails, and defense against model abuse.
Cross-tenant signal correlation, multi-stage attack analysis, or graph-based campaign stitching.
Data-science rigor: feature engineering, model evaluation, and detection drift/decay monitoring.
Adversary emulation, malware analysis, or reverse-engineering background.
Experience operating on customer telemetry at scale under privacy and compliance constraints.
This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.
Microsoft is an equal opportunity employer.
All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances.
If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.