Gaming Principal, Cloud Threat Detection & Incident Response Engineer
Microsoft
We are seeking a Gaming Principal, Cloud Threat Detection & Incident Response Engineer to lead the strategic maturity of cloud-native security capabilities across Microsoft Gaming. This high-impact technical leadership role will define and advance the use of Azure’s security stack, including Microsoft Defender for Cloud, Microsoft Sentinel, Entra ID, Microsoft Defender for Endpoint (MDE), and related cloud telemetry, to detect, investigate, and rapidly respond to threats. You will set the architectural direction for cloud TDIR, build scalable detection and automation frameworks, and guide engineering teams toward a unified, cloud-centric security posture across Xbox, Activision Blizzard King, and ZeniMax.
Success in this role requires technical expertise, effective communication, and a collaborative mindset. You will bring others together to develop common solutions, mentor senior engineers, and influence cloud architecture decisions to improve visibility and reduce attack surface. The ideal candidate thrives in dynamic environments and embodies Microsoft’s values of respect, integrity, accountability, and inclusion.
Responsibilities
Architect and drive Gaming’s cloud-first detection and response vision by integrating Azure, AWS, and GCP (Google Cloud Platform) native security services and telemetry sources into TDIR (Threat Detection, Investigation, and Response) workflows
Lead adoption and optimization of Microsoft Defender for Cloud, Sentinel, Entra ID security, Defender for Cloud Apps, and other cloud-native security controls
Establish standards and reference architectures for cloud telemetry ingestion, normalization, enrichment, and threat analytics across diverse studio environments
Build and maintain high-fidelity, cloud-native detections targeting threat actors across identity, SaaS, PaaS, IaaS, and Kubernetes environments
Develop behavioral detections leveraging KQL (Kusto Query Language), automation, analytics, and ML-assisted methodologies
Partner with threat intelligence to map adversary TTPs (Tactics, Techniques, and Procedures) to cloud control surfaces and turn insights into durable detection engineering roadmaps
Serve as principal technical authority during major cloud-related incidents, providing expert guidance on identity compromise, lateral movement, key material theft, resource manipulation, and multi-cloud attack paths
Formalize standards for cloud investigations, including telemetry requirements, visibility gaps, and automated triage workflows
Drive post-incident cloud hardening by influencing product teams, studio engineering, and platform owners
Architect and implement automation for detection deployment, evidence collection, containment, and remediation using Azure Functions, Logic Apps, and modern SOAR patterns
Champion CI/CD pipelines, version-controlled detection repositories, automated testing, and change management for cloud detections
Mentor senior engineers, scale cloud security knowledge across the organization, and raise the technical bar for the Gaming TDIR function
Partner with cross-functional teams to define and architect automation that improves the effectiveness and efficiency of security operations, resolving issues with new processes as needed
Lead the development and implementation of automated and artificial intelligence (AI) solutions that minimize or resolve incidents
Drive security automation and tooling initiatives, integrating security checks into CI/CD pipelines to improve consistency and scale
Oversee the use of automation and AI to prioritize and drive improvements to products, services, and solutions
Act as a key escalation point for security incidents, collaborating with incident responders to investigate, remediate, and improve system resilience
Develop and implement security policy and standards across teams and services; preemptively evaluate those policies and standards to identify critical gaps, and lead the development of strategies to drive improvements and implement new controls
Qualifications
Required Qualifications:
- Doctorate in Statistics, Mathematics, Computer Science, or related field AND 3+ years of experience in software development lifecycle, large-scale computing, threat modeling, cyber security, anomaly detection, Security Operations Center (SOC) detection, threat analytics, security information and event management (SIEM), information technology (IT), or operations incident response
- OR Master's Degree in Statistics, Mathematics, Computer Science, or related field AND 4+ years of experience in the same areas
- OR Bachelor's Degree in Statistics, Mathematics, Computer Science, or related field AND 6+ years of experience in the same areas
- OR equivalent experience.
Preferred Qualifications:
10+ years of hands-on experience in cloud security engineering, threat detection, incident response, or security architecture
10+ years of experience in cyber security
4+ years of hands-on experience with AWS, GCP (Google Cloud Platform), or Azure security detection and threat-hunting strategies
Demonstrated ability to influence engineering groups and lead during high-severity cloud incidents
Working knowledge of KQL, Splunk SPL, Python, or other query and automation languages, and of cloud-focused investigation patterns
Understanding of modern adversary behavior in identity-centric and cloud-native environments
Experience with multi-cloud detection strategies
Background in cloud telemetry engineering, logging architecture, or distributed signal processing
Experience with large-scale or highly federated environments spanning multiple business units
Familiarity with game hosting services, analytics pipelines, or live-service architecture
#GamingJobs
Security Operations Engineering IC5 - The typical base pay range for this role across the U.S. is USD $139,900 - $274,800 per year. There is a different range applicable to specific work locations, within the San Francisco Bay area and New York City metropolitan area, and the base pay range for this role in those locations is USD $188,000 - $304,200 per year.
Certain roles may be eligible for benefits and other compensation. Find additional benefits and pay information here:
https://careers.microsoft.com/us/en/us-corporate-pay
This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.
Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.