
Senior Security Researcher

Microsoft

India · Bengaluru, Karnataka, India · Hyderabad, Telangana, India
Posted on Mar 25, 2026
Overview

Join a team that’s pushing the frontier of modern security research by combining deep attacker‑centric analysis with AI‑augmented, agentic investigation systems. We’re evolving security research beyond purely manual, expert‑driven workflows—amplifying researcher intuition with automation that scales discovery, accelerates investigations, and raises consistency across the board.

You’ll work on real‑world threats end‑to‑end: dissecting novel attacker techniques, developing detections grounded in adversary behavior, and shaping automated investigation pipelines that turn raw telemetry into actionable insights. A key focus area is Linux and macOS security, where you’ll help close long‑standing visibility gaps and surface emerging attack patterns that traditional approaches miss.

Your research will directly power AI‑driven campaign discovery and proactive threat hunting, enabling continuous monitoring for new attack classes and faster recognition of evolving adversary tradecraft. You’ll collaborate closely with engineering, applied ML, and product partners to translate research findings into production‑grade protections—ensuring that cutting‑edge research rapidly becomes real customer impact.

If you’re excited about doing deep technical research with outsized, at‑scale impact, and about shaping how the next generation of security investigations is conducted, this team offers a rare opportunity to influence both the art and the system of modern security research.

Responsibilities
As a Senior Security Researcher, you will lead deep, attacker‑centric research that directly shapes Microsoft’s endpoint protection strategy. You will investigate real‑world adversary behavior, uncover emerging attack techniques, and translate research insights into scalable detections and automated investigation workflows. This role sits at the intersection of hands‑on threat research, AI‑augmented investigation, and platform security, with a strong focus on Linux and macOS. You will help evolve security research from isolated expert analysis into systematized, automation‑backed discovery that drives consistent, high‑impact customer protection.

  • Lead in‑depth investigations of real‑world attacker campaigns, malware, and post‑exploitation techniques across endpoint environments, with emphasis on Linux and macOS platforms.
  • Decompose attack chains, map techniques to MITRE ATT&CK, and maintain high‑fidelity adversary and TTP dossiers that inform protection strategy.
  • Identify emerging attack classes, tradecraft shifts, and detection gaps before they are widely exploited.
  • Design and prototype behavior‑based detections, heuristics, and research‑grade signals that can be operationalized into production protections.
  • Partner with engineering and applied ML teams to translate research findings into scalable, reliable detections with clear acceptance criteria and performance trade‑offs.
  • Evaluate detection efficacy using offline and online telemetry and continuously refine based on real‑world attacker behavior.
  • Contribute to the design of AI‑assisted and agentic investigation pipelines that automate repetitive analysis steps and amplify researcher productivity.
  • Shape how attacker techniques, evidence, and hypotheses are represented in systems that enable campaign discovery and proactive hunting at scale.
  • Ensure research outputs are structured, explainable, and safe for use in automated or semi‑automated workflows.
  • Act as a senior escalation point for complex security incidents, providing expert guidance on attacker behavior, containment strategies, and long‑term mitigation.
  • Lead post‑incident analysis and root‑cause investigations, converting learnings into durable detection and tooling improvements.
  • Work closely with security engineering, product management, and data science partners to influence roadmap priorities using evidence‑backed research insights.
  • Represent security research perspectives in design reviews, detection cutlines, and protection readiness discussions.
  • Contribute to internal knowledge‑sharing through technical write‑ups, reviews, and mentoring of junior researchers.
Qualifications
  • 7+ years of hands‑on experience in security research, threat analysis, malware analysis, or detection engineering, with demonstrated depth in endpoint security.
  • Strong understanding of attacker tradecraft, including persistence, privilege escalation, lateral movement, and defense evasion techniques.
  • Proven experience conducting research on Linux and/or macOS internals, endpoint telemetry, or OS‑level attack surfaces.
  • Proficiency in at least one scripting or systems language (e.g., Python, C/C++, Go, Rust) used for analysis, tooling, or prototyping.
  • Demonstrated ability to independently drive ambiguous, open‑ended investigations from hypothesis to actionable outcome.
  • Strong analytical skills for correlating noisy telemetry into attacker‑relevant signals.
  • Experience translating deep technical findings into clear, decision‑ready insights for engineering and leadership audiences.
  • Proven ability to collaborate effectively across research, engineering, and product teams.
  • Experience mentoring or technically leading other researchers without formal people management responsibilities.
  • High bar for research quality, operational security, and responsible handling of sensitive techniques and data.
  • Experience operationalizing research into production detections or large‑scale protection systems.
  • Familiarity with AI‑assisted analysis, automation, or agent‑based systems in security workflows.
  • Prior contributions to security blogs, tools, open‑source projects, or industry research publications.
  • Experience participating in or supporting external evaluations (e.g., MITRE ATT&CK, red team exercises).

This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.
Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.