About The Position

Microsoft is committed to ensuring that we develop and deploy our AI technologies in ways that uphold our AI principles and warrant people’s trust. Here in Microsoft Gaming, we are on a mission to bring the joy and community of gaming to everyone on the planet. We deliver on that vision by putting players at the center, enabling you to play the games you want, with the people you want, anywhere you want.

Gaming Player Services and Operations is at the heart of our ambition to reach billions of players across the globe, ensuring that every player feels included and engaged across Xbox. We do this through our commitment to driving operational excellence through innovation and ensuring player and partner delight across Microsoft Gaming.

The Gaming Security team is dedicated to securing the joy of gaming by creating a secure and inclusive environment for players. Our mission is to safeguard assets, protect customer data, and ensure a secure play experience through collaboration with stakeholders. We use AI and automation to strengthen threat detection and response, improving efficiency and reducing the operational effort required. Our strategy focuses on standardizing security solutions across departments and fostering a culture of innovation, collaboration, and continuous improvement. By championing transparency, compliance, and responsible AI use, the Gaming Security team aims to build a robust security posture and maintain player trust.

We are seeking a Gaming Principal, Cloud Threat Detection & Incident Response Engineer to lead the strategic maturity of cloud-native security capabilities across Microsoft Gaming. This high-impact technical leadership role will define and advance the use of Azure’s security stack, including Microsoft Defender for Cloud, Microsoft Sentinel, Entra ID, Microsoft Defender for Endpoint (MDE), and related cloud telemetry, to detect, investigate, and rapidly respond to threats.
You will set the architectural direction for cloud TDIR, build scalable detection and automation frameworks, and guide engineering teams toward a unified, cloud-centric security posture across Xbox, Activision Blizzard King, and ZeniMax. Success in this role requires technical expertise, effective communication, and a collaborative mindset. You will bring others together to develop common solutions, mentor senior engineers, and influence cloud architecture decisions to improve visibility and reduce attack surface. The ideal candidate thrives in dynamic environments and embodies Microsoft’s values of respect, integrity, accountability, and inclusion.

Requirements

  • Doctorate in Statistics, Mathematics, Computer Science, or related field AND 3+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, anomaly detection, Security Operations Center (SOC) detection, threat analytics, security incident and event management (SIEM), information technology (IT), or operations incident response
  • OR Master's Degree in Statistics, Mathematics, Computer Science, or related field AND 4+ years experience in the same areas
  • OR Bachelor's Degree in Statistics, Mathematics, Computer Science, or related field AND 6+ years experience in the same areas
  • OR equivalent experience.

Nice To Haves

  • 10+ years of hands-on experience in cloud security engineering, threat detection, incident response, or security architecture
  • 10+ years of experience in Cyber Security
  • 4+ years of hands-on experience with AWS, GCP (Google Cloud Platform), or Azure security detection and threat-hunting strategies
  • Demonstrated ability to influence engineering groups and lead during high-severity cloud incidents
  • Understanding of KQL/Splunk SPL, Python, or other automation tooling languages, and cloud-focused investigation patterns
  • Understanding of modern adversary behavior in identity-centric and cloud-native environments
  • Experience with multi-cloud detection strategies
  • Background in cloud telemetry engineering, logging architecture, or distributed signal processing
  • Experience with large-scale or highly federated environments spanning multiple business units
  • Familiarity with game hosting services, analytics pipelines, or live-service architecture

Responsibilities

  • Architect and drive Gaming’s cloud-first detection and response vision by integrating Azure, AWS, and GCP (Google Cloud Platform) native security services and telemetry sources into TDIR (Threat Detection, Investigation, and Response) workflows
  • Lead adoption and optimization of Microsoft Defender for Cloud, Sentinel, Entra ID security, Defender for Cloud Apps, and other cloud-native security controls
  • Establish standards and reference architectures for cloud telemetry ingestion, normalization, enrichment, and threat analytics across diverse studio environments
  • Build and maintain high-fidelity, cloud-native detections targeting threat actors across identity, SaaS, PaaS, IaaS, and Kubernetes environments
  • Develop behavioral detections leveraging KQL (Kusto Query Language), automation, analytics, and ML-assisted methodologies
  • Partner with threat intelligence to map adversary TTPs (Tactics, Techniques, and Procedures) to cloud control surfaces and turn insights into durable detection engineering roadmaps
  • Serve as principal technical authority during major cloud-related incidents, providing expert guidance on identity compromise, lateral movement, key material theft, resource manipulation, and multi-cloud attack paths
  • Formalize standards for cloud investigations, including telemetry requirements, visibility gaps, and automated triage workflows
  • Drive post-incident cloud hardening by influencing product teams, studio engineering, and platform owners
  • Architect and implement automation for detection deployment, evidence collection, containment, and remediation using Azure Functions, Logic Apps, and modern SOAR patterns
  • Champion CI/CD pipelines, version-controlled detection repositories, automated testing, and change management for cloud detections
  • Mentor senior engineers, scale cloud security knowledge across the organization, and raise the technical bar for the Gaming TDIR function
  • Partner with cross-functional teams to define and architect automation that improves the effectiveness and efficiency of security operations, resolving issues with new processes as they arise
  • Lead the development and implementation of automated and artificial intelligence (AI) solutions that minimize or resolve incidents
  • Drive security automation and tooling initiatives, integrating security checks into CI/CD pipelines to improve consistency and scale
  • Oversee the use of automation and AI to prioritize and drive improvements to products, services, and solutions
  • Act as a key escalation point for security incidents, collaborating with incident responders to investigate, remediate, and improve system resilience
  • Develop and implement security policy and standards across teams and services; proactively evaluate existing policy and standards to identify critical gaps, and lead the development of strategies to close them and implement new controls
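To make the "high-fidelity, behavioral detections" and "version-controlled detection repositories with automated testing" items above concrete, here is an added illustration of detection-as-code for one identity-centric pattern, a password spray against Entra ID sign-ins followed by a successful logon from the same source. This is not code from Microsoft or the Gaming Security team; it assumes the Sentinel SigninLogs column names (TimeGenerated, UserPrincipalName, IPAddress, ResultType), the Entra ID error codes 50126 and 50053, and a constructed sample log set. The KQL shown in the comment is the rough analytic-rule equivalent and is also an assumption, not a query from the posting.

```python
"""Detection-as-code sketch: password spray against Entra ID sign-ins.

Added illustration for this posting, not Microsoft's or the Gaming Security
team's code. Assumes Sentinel SigninLogs column names and the Entra ID
sign-in error codes 50126 (invalid credentials) and 50053 (account locked).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_CODES = {"50126", "50053"}  # assumed Entra ID sign-in error codes
SUCCESS_CODE = "0"

# Rough KQL equivalent of the counting step (assumed, not run here):
#   SigninLogs
#   | where ResultType in ("50126", "50053")
#   | summarize DistinctUsers = dcount(UserPrincipalName)
#       by IPAddress, bin(TimeGenerated, 10m)
#   | where DistinctUsers >= 5


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail sign-ins for >= min_users distinct accounts
    inside a sliding time window, and list accounts that later succeeded from
    the same IP (spray followed by a hit is the high-fidelity signal)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["IPAddress"]].append(
            (_ts(r["TimeGenerated"]), r["UserPrincipalName"], r["ResultType"]))

    alerts = []
    for ip in sorted(by_ip):
        events = sorted(by_ip[ip])
        failures = [(t, u) for t, u, rt in events if rt in FAILURE_CODES]
        best_users, best_start, start = set(), None, 0
        for end in range(len(failures)):
            # Advance the window start until the span fits inside `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, failures[start][0]
        if len(best_users) < min_users:
            continue  # a single user mistyping a password is not a spray
        hits = sorted({u for t, u, rt in events
                       if rt == SUCCESS_CODE and t >= best_start})
        alerts.append({
            "IPAddress": ip,
            "SprayStart": best_start.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "DistinctUsers": len(best_users),
            "SucceededAccounts": hits,
        })
    return alerts


def _row(ts, upn, ip, result):
    return {"TimeGenerated": ts, "UserPrincipalName": upn,
            "IPAddress": ip, "ResultType": result}


# Constructed sample sign-ins (not real telemetry): one spraying IP that
# eventually lands on frank, one user who mistyped a password twice, and one
# IP whose failures are spread too thinly (20 min apart) to fit the window.
SAMPLE_SIGNINS = [
    _row("2024-05-01T10:00:00Z", "alice@contoso.example", "203.0.113.7", "50126"),
    _row("2024-05-01T10:01:00Z", "bob@contoso.example", "203.0.113.7", "50126"),
    _row("2024-05-01T10:02:00Z", "carol@contoso.example", "203.0.113.7", "50126"),
    _row("2024-05-01T10:03:00Z", "dave@contoso.example", "203.0.113.7", "50053"),
    _row("2024-05-01T10:04:00Z", "erin@contoso.example", "203.0.113.7", "50126"),
    _row("2024-05-01T10:06:00Z", "frank@contoso.example", "203.0.113.7", "50126"),
    _row("2024-05-01T10:08:00Z", "frank@contoso.example", "203.0.113.7", "0"),
    _row("2024-05-01T10:00:00Z", "alice@contoso.example", "198.51.100.4", "50126"),
    _row("2024-05-01T10:01:00Z", "alice@contoso.example", "198.51.100.4", "50126"),
    _row("2024-05-01T10:02:00Z", "alice@contoso.example", "198.51.100.4", "0"),
] + [
    _row(f"2024-05-01T{11 + i // 3:02d}:{(i % 3) * 20:02d}:00Z",
         f"user{i}@contoso.example", "192.0.2.9", "50126")
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
```

The point of keeping the logic in a plain function with an embedded fixture is that the detection can live in a repository, be unit-tested in CI against known-true and known-benign cases before it is deployed to Sentinel, and be tuned (window, threshold, success-after-spray) with the same review process as any other code change.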
© 2024 Teal Labs, Inc