This list contains only the countries for which job offers have been published in the selected language (e.g., in the French version, only job offers written in French are displayed, and in the English version, only those in English).
Security is one of the most critical priorities for customers operating in today’s complex and rapidly evolving threat landscape. Microsoft Security is committed to making the world a safer place by delivering an integrated security cloud that empowers users, customers, and developers with end‑to‑end, simplified protection. Our mission is to secure digital platforms, identities, devices, and cloud environments across diverse customer ecosystems while also safeguarding Microsoft’s own internal estate. Our culture is rooted in a growth mindset, continuous learning, and a drive for excellence. We encourage teams to contribute meaningfully every day, fostering an environment where innovation thrives and creates meaningful impact for billions of people worldwide. The Defender Experts (DEX) team plays a vital role in this mission by delivering expert‑led cybersecurity investigations at scale. By leveraging rich telemetry and signals from Microsoft 365 Defender and other Microsoft security technologies, DEX helps customers quickly understand, validate, and respond to suspicious or malicious activity in their environments. We are seeking for Security Researchers with proven experience in security investigations, attacker tradecraft analysis, and signal correlation. In this role, you will analyze complex security data, apply deep threat‑landscape expertise, and determine whether activity represents a real threat. You will provide clear, actionable findings and recommendations that strengthen customer security. This position is well suited for security professionals who thrive on analytical problem‑solving, attacker behavior research, and impactful, customer‑focused work.
Job Responsibility
Analyze and validate security alerts, anomalies, and behavioral patterns within Microsoft 365 Defender and related telemetry to validate detections and understand attacker intent
Apply attacker methodology frameworks (MITRE ATT&CK, Cyber Kill Chain) to contextualize threats, assess progression, and determine potential impact
Investigate identity centric threats, credential misuse, lateral movement, cloud-based attacks, and modern techniques commonly used in human operated ransomware, Business Email Compromise (BEC), and stealthy persistence campaigns
Correlate large and complex datasets using Kusto Query Language (KQL) and investigate tooling to uncover relationships, patterns and root cause
Differentiate benign, misconfigured, suspicious, and malicious activity with confidence, supported by defensible evidence
Deliver customer facing investigation summaries that clearly articulate what occurred, why it matters, and the recommended next steps
Requirements
Bachelor's Degree in Statistics, Mathematics, Computer Science, Computer Security, or related field AND at least 2 years of experience in software development lifecycle, large-scale computing, threat analysis or modeling, cybersecurity, vulnerability research, and/or anomaly detection
OR Master's Degree in the same fields AND at least 1 year of experience in the same domains
OR equivalent experience
3+ years of hands-on experience in one or more of the following areas: Security Operations (SOC Tier 2 or higher)
Cybersecurity Investigations
Incident Response (IR)
or Threat Hunting
Proficiency in English
Ability to work a consistent schedule from 10:00 AM to 7:00 PM Costa Rica time, aligned to either a Sunday–Thursday or Tuesday–Saturday workweek
Availability to participate in an on-call rotation, including weekend coverage
Nice to have
Proven experience analyzing alerts and telemetry from EDR/XDR platforms, preferably Microsoft 365 Defender
Investigative mindset with effective critical thinking, pattern recognition, and analytical skills
Familiarity with the MITRE ATT&CK Framework and Cyber Kill Chain models
Knowledge of operating system internals, OS security mitigations & understanding of Security challenges in Windows, Linux and Mac platforms
Knowledge of major cloud and productivity platforms as well as identity systems and related security concerns
Familiarity with common identity-based attacks (OAuth abuse, token theft, Kerberos/NTLM anomalies, conditional access bypass patterns)
Experience with offensive security including tools such as Metasploit, exploit development, Open-Source Intelligence Gathering (OSINT), and designing ways to breach enterprise networks