Senior Purple Team Engineer / Lead (Blue Focused)

YOUR TASKS

Key Responsibilities

Purple Team & Adversary Simulation

• Plan and execute purple team exercises aligned to real‑world threat actors (e.g., ransomware groups, APT tradecraft, insider threat).
• Design attack scenarios mapped to MITRE ATT&CK, covering initial access, persistence, lateral movement, privilege escalation, command‑and‑control, and exfiltration.
• Coordinate with Red Team and external penetration testing vendors to ensure tests are safe, controlled, and detection‑focused.
• Translate offensive findings into clear, prioritized defensive improvements with measurable outcomes.

Blue Team / Defensive Engineering (Primary Focus)

• Develop and tune SIEM detections, analytics rules, and alerts based on attack simulations and real incidents.
• Build and optimize Microsoft Sentinel analytics, KQL queries, workbooks, and automation rules.
• Improve Defender XDR detections across:
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Defender for Cloud Apps

  Incident Response & DFIR Integration

  • Act as a senior escalation point during security incidents, especially those involving active attacker behavior.
  • Support digital forensics and incident response (DFIR) investigations on Windows and Linux endpoints.
  • Use DFIR tools and platforms (e.g., Velociraptor) for threat hunting, artifact collection, and timeline analysis.
  • Feed incident lessons learned back into detection engineering and preventive controls.

  Threat Hunting & Detection Validation

  • Conduct hypothesis‑driven threat hunts based on attacker tradecraft and threat intelligence.
  • Validate coverage of detections against known TTPs and identify detection gaps.
  • Continuously assess control effectiveness across endpoint, identity, cloud, and SaaS environments.

  Vulnerability, Exposure & Control Validation

  • Correlate vulnerability data with attacker exploitation paths and real exposure.
  • Support and validate remediation prioritization based on exploitability and business impact, not CVSS alone.
  • Partner with IT and Cloud teams to validate hardening, logging, and telemetry requirements.

  Governance, Reporting & Stakeholder Communication

  • Produce clear, executive‑level reporting from purple team exercises (findings, detection gaps, trends, maturity).
  • Align purple team outcomes with ISO/IEC 27001, NIS2, and internal ISMS requirements.
  • Contribute to security strategy, roadmap planning, and continuous improvement initiatives.
  • Mentor junior analysts and engineers across Blue and Red Team disciplines.

  Technical Environment & Stack (Required Experience)

  Core Platforms

  • Microsoft Sentinel (SIEM) – advanced KQL, analytics rules, workbooks, automation
  • Microsoft Defender XDR (Endpoint, Identity, Office 365, Cloud Apps)
  • Microsoft Entra ID (Azure AD) – identity attacks, logs, conditional access abuse
  • Microsoft Purview – audit logs, investigations (desirable)
  • Azure – logging, resource telemetry, cloud attack paths

  DFIR & Threat Hunting

  • Endpoint forensics (Windows & Linux)
  • Velociraptor or equivalent DFIR tooling
  • Memory, disk, and log‑based investigations
  • Threat intelligence integration and ATT&CK mapping

  Offensive Tooling & Techniques

  • Adversary emulation frameworks (e.g., Atomic Red Team, CALDERA)
  • Penetration testing and red team tooling (e.g., C2 frameworks, credential abuse, living‑off‑the‑land techniques)
  • Social engineering awareness (technical validation focus; not marketing‑style phishing)

  Scripting & Automation

  • PowerShell (advanced)
  • Python (working knowledge)
  • Automation of testing, detection validation, and response workflows