Security represents the most critical priorities for our customers in a world awash in digital threats, regulatory scrutiny, and estate complexity. Microsoft Security aspires to make the world a safer place for all. We want to reshape security and empower every user, customer, and developer with a security cloud that protects them with end to end, simplified solutions. The Microsoft Security organization accelerates Microsoft’s mission and bold ambitions to ensure that our company and industry is securing digital technology platforms, devices, and clouds in our customers’ heterogeneous environments, as well as ensuring the security of our own internal estate. Our culture is centered on embracing a growth mindset, a theme of inspiring excellence, and encouraging teams and leaders to bring their best each day. In doing so, we create life-changing innovations that impact billions of lives around the world.
The IDSEC Security team is a specialized group dedicated to safeguarding our identity products and the services that support them. We partner closely with development and operations teams to continuously improve the security posture of both customer-facing applications and our internal network. Our mission To proactively uncover and remediate vulnerabilities before they can be exploited—by executing thorough, context-driven penetration tests against complex systems and services. What we do day-to-day Threat-informed testing: We start each assessment by reviewing existing security collateral—threat models, design documents, past findings—to build deep contextual understanding. Tailored engagement: Using that context, we craft and execute high-quality pentests that focus on the most critical components of our identity platform and underlying infrastructure. Collaborative remediation: We deliver actionable findings and work hand-in-hand with engineering teams to validate fixes and ensure our defenses stay one step ahead of attackers.
Microsoft’s mission is to empower every person and every organization on the planet to achieve more. As employees we come together with a growth mindset, innovate to empower others, and collaborate to realize our shared goals. Each day we build on our values of respect, integrity, and accountability to create a culture of inclusion where everyone can thrive at work and beyond.

QUALIFICATIONS

Required:

• Experience in vulnerability research, application pentesting, or red teaming
• Proven track record conducting complex pentests in a professional setting
• Hands-on experience developing or programming security tooling during assessments

Qualifications - Other Requirements:

• Ability to meet Microsoft, customer and/or government security screening requirements are required for this role.
• These requirements include, but are not limited to the following specialized security screenings: Microsoft Cloud Background Check: This position will be required to pass the Microsoft background and Microsoft Cloud background check upon hire/transfer and every two years thereafter.

HM Qualifications Other:

• Bachelor’s degree (or equivalent experience) in Software Engineering, Security Engineering, or Security Consultancy Hands-on Azure cloud pentesting experience
• Proficiency in at least one scripting language (e.g., Bash, Python)
• Proficiency in or strong understanding of a web programming language/framework (C#, .NET Core MVC, C/C++) 8+ years of pentesting or vulnerability research experience
• Deep knowledge of low-level concepts and advanced vulnerability research techniques
• Experience with modern AI/LLM-driven, agentic approaches to problem solving

ThreatModeling #SecurityEngineering #MSFTSecurity #CloudSecurity

Microsoft is an equal opportunity employer. Consistent with applicable law, all qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations

What We’re Looking For in a Senior Penetration Tester:

• Deep understanding of high-throughput, multi-tenant architectures.
• You’ve tested and hacked services at scale, and know how isolation boundaries can be stressed and bypassed.
• Careful test design: You break down complex systems into testable components, anticipate failure modes, and craft attacks that target realistic threat scenarios.
• Robust error handling exploitation: You recognize when error paths leak data or state, and you know how to turn gracefully handled failures into vulnerability discoveries.
• Clean, modular tooling skills: Your proof-of-concept exploits and custom scripts are well-structured, maintainable, and include tests to validate correctness.
• Automated and manual testing balance: You know when to write a quick fuzz harness or automated scanner, and when to roll up your sleeves for deep, hands-on manual analysis.
• Collaboration and communication: You partner seamlessly with developers and engineers—sharing clear, actionable findings and reproduction steps, and helping shepherd fixes to completion.
• Passion for continuous improvement: You stay current on emerging pentesting techniques, contribute to security tooling, and mentor peers to raise the bar across the team.
• Conduct security assessments of cutting-edge Identity products (e.g. Azure Active Directory) Lead threat-modeling sessions to identify and document design-level security issues Perform security code reviews across multiple languages and frameworks (C#, C/C++, .NET Core MVC)
• Analyze and exploit OAuth implementations, uncovering common and edge-case vulnerabilities
• Own end-to-end pentest engagements: scoping, execution, and delivery of clear, actionable remediation guidance
• Partner with internal stakeholders to manage engagement workflows, timelines, and expectations
• Produce high-quality written reports and communicate findings effectively to service teams