Job Description

Security represents the most critical priorities for our customers in a world awash in digital threats, regulatory scrutiny, and estate complexity. Microsoft Security aspires to make the world a safer place for all. We want to reshape security and empower every user, customer, and developer with a security cloud that protects them with end to end, simplified solutions. The Microsoft Security organization accelerates Microsoft's mission and bold ambitions to ensure that our company and industry is securing digital technology platforms, devices, and clouds in our customers' heterogeneous environments, as well as ensuring the security of our own internal estate.
Our culture is centered on embracing a growth mindset, a theme of inspiring excellence, and encouraging teams and leaders to bring their best each day. In doing so, we create life-changing innovations that impact billions of lives around the world. If you are passionate about offensive security, adversary tradecraft, and designing real-world attack simulations, the M365 Security Engineering team at Microsoft offers a unique opportunity to emulate advanced threats and strengthen defenses that protect millions of customers worldwide.
Our Assume Breach team focuses on detecting and replicating sophisticated adversary tactics, techniques, and procedures (TTPs) used against Microsoft's cloud services, platforms, and enterprise environments. We value creativity, technical depth, and collaboration--bringing together specialists in detection engineering, adversary emulation, threat intelligence, and incident response. You will join a team dedicated to catching adversaries by simulating nation-state and cybercriminal behaviors, developing custom tooling, and running purple team engagements that drive measurable security improvements and ensure our detections remain effective against evolving threats. As part of this team, you will design attack simulations that are realistic, repeatable, and reflective of the latest adversary tradecraft. You will work closely with Detection Engineers, Data Scientists, and Incident Responders to validate detection coverage, uncover blind spots, and continuously raise the bar for detection and response. Leveraging massive-scale telemetry across Microsoft 365 and Azure, you will plan and execute adversary emulation campaigns, build Python-based automation and payloads, and operationalize new TTPs--directly influencing Microsoft's ability to defend against the world's most advanced attackers.
Microsoft's mission is to empower every person and every organization on the planet to achieve more. As employees we come together with a growth mindset, innovate to empower others, and collaborate to realize our shared goals. Each day we build on our values of respect, integrity, and accountability to create a culture of inclusion where everyone can thrive at work and beyond. In alignment with our Microsoft values, we are committed to cultivating an inclusive work environment for all employees to positively impact our culture every day.
Responsibilities:

• Plan, design, and execute adversary emulation campaigns aligned with MITRE ATT&CK and current threat intelligence.

• Develop custom scripts, payloads, and automation frameworks (primarily in Python, with PowerShell, C#, or Go as needed) to simulate advanced attacker techniques.

• Extend and maintain adversary emulation toolkits and C2 frameworks

• Collaborate with detection engineers, data scientists to validate detection efficacy, identify blind spots, and improve detection coverage against TTPs.

• Automate repeatable attack scenarios, data collection, and reporting for scale and consistency.

• Participate in purple team exercises to accelerate detection and response maturity across the M365 ecosystem.

• Document attack scenarios, technical findings, and mitigation recommendations to drive systemic improvements.

Qualifications:

• 5+ years of experience in red teaming, adversary emulation, offensive security research, or penetration testing.

• Strong Python development skills for building custom tools, automation, and attack simulations.

• Proficiency in at least one additional language (e.g., PowerShell, Go, or C#).

• Solid understanding of attacker tradecraft, including persistence, privilege escalation, lateral movement, and defense evasion.

• Experience with red team/adversary simulation frameworks (Cobalt Strike, Caldera, or similar).

• Deep knowledge of Windows internals, Active Directory, and enterprise cloud environments (Azure or equivalent).

Preferred Qualifications:

• Experience building automation pipelines for adversary simulation and reporting.

• Familiarity with Exploit Development

• Familiarity with endpoint detection and response (EDR) products and detection engineering.

• Experience in cloud-scale environments (Office 365, Azure, AWS, or GCP).

• Reverse engineering or malware development experience.

• Strong written and verbal communication skills for documenting and explaining technical findings.

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request via the .

Skills Required