Cyber Security Lead
EVOTEQ · Dubai, Dubai, United Arab Emirates
قدّم وتابع مع أبلاي إيدجONLY CANDIDATES ALREADY BASED IN DUBAI WILL BE CONSIDERED.This is a hands-on, technically deep security operations role. We want someone who does the work themselves rather than coordinating it from a distance, so this is not a pure people-management or vendor-management position.You own the technical side of how the organization detects and responds to threats across Microsoft Sentinel, Defender for Endpoint, Purview, Azure and Zscaler. You investigate incidents, write and tune detections in KQL, build automation, and go into the data yourself when something does not look right. You are responsible for SOC, Vulnerability Management and Cloud Security. Where parts of these are delivered by outsourced partners, you stay close enough to that work to question it, validate it and improve it, so the organization always has a strong technical view of what its partners are doing.You are also expected to bring AI into day-to-day security operations in a real way. That means using AI to improve detection, triage, investigation and automation, not just using tools like ChatGPT to write documents faster.Important: This is a practitioner role. You will spend real time in the consoles, the logs and live incidents. RESPONSIBILITIES:• Lead investigations into security alerts and incidents across Microsoft Sentinel and Microsoft Defender XDR (Defender for Endpoint/WDATP, Defender for Office 365, Defender for Cloud, Defender for Identity), covering triage, analysis, hunting, containment, eradication and recovery.• Act as incident commander for major and critical incidents, doing the technical analysis as well as running the response.• Write and run advanced KQL queries for investigation, hunting and detection across Sentinel and Defender XDR.• Build, tune and maintain analytics rules and use cases mapped to MITRE ATT&CK, closing detection gaps and reducing false positives yourself.• Develop and maintain SOAR automation using Sentinel playbooks and Azure Logic Apps, along with Defender automation.• Run threat hunting, purple team activities, tabletop exercises and post-incident reviews, then turn the findings into concrete technical improvements.• Find, pilot and put into production practical AI use cases across the SOC, going past general productivity use such as ChatGPT for drafting into AI that improves detection, triage, investigation and response.• Use Microsoft Security Copilot and agentic capabilities for alert triage, incident summarization, faster investigation, hunting and KQL generation.• Design and build AI-assisted and agentic automation inside Sentinel and Logic Apps, for example automated enrichment, alert correlation, triage decisions and response actions.• Bring AI and LLM capabilities (including through APIs) into detection engineering, threat intelligence processing and analyst workflows, with proper guardrails around data handling and accuracy.• Keep track of new AI for security capabilities and measure their real effect on SOC efficiency and quality.• Evaluate, design, deploy and operationalize new security solutions across the Microsoft stack and beyond.• Lead the technical delivery of security projects from proof of concept through to production.• Continuously harden the environment and improve tooling, integrations and automation across Sentinel, Defender, Purview, Azure and Zscaler.• Set and maintain secure configuration baselines and hardening standards across systems, endpoints, servers and infrastructure, and make sure they are applied and stay in place over time.• Track configuration drift, work with system and platform owners to close gaps, and keep hardening aligned with recognised good practice.• Provide security input into application security, covering secure design and development practices, review of application weaknesses, and how applications are protected and monitored in production.• Work with development and platform teams to build security into applications and their delivery, and to find and fix application-level risks.• Oversee network security controls and segmentation, review access paths and traffic flows for risk, and make sure network defences feed into detection and response.• Operate and tune Microsoft Purview information protection (sensitivity labels / AIP) and DLP policies across endpoints, email and cloud.• Investigate DLP and insider risk alerts, refine policies to cut noise, and align controls with data classification and compliance requirements.• Provide hands-on security oversight of the Azure estate, including Microsoft Defender for Cloud, posture management, identity (Entra ID) and configuration hardening.• Operate and tune Zscaler (ZIA/ZPA) policies, bring its telemetry into Sentinel, and use it in detection and response.• Work directly with platform and DevOps teams to build security into cloud pipelines and review configurations yourself.• Own the vulnerability management lifecycle on the technical side, validating findings (including Defender Vulnerability Management), applying risk-based prioritization, and checking that remediation actually closes the risk.• Operationalize threat intelligence and feed it into detections, hunts and prioritization.• For services delivered by partners, provide technical assurance by checking the quality of their detections, investigations and remediation rather than taking the output at face value.• Hold partners to high technical standards, find and close gaps, and make sure their work fits cleanly with internal operations and tooling.• Be the technically credible counterpart in any vendor relationship, based on doing the work yourself rather than delegating it.• Define and report on operational metrics such as MTTD, MTTR, MTTC, detection coverage, false-positive rate, and the impact of automation and AI.• Contribute to operational security policies, standards, runbooks and playbooks.• Provide clear, technically accurate reporting to senior stakeholders.REQUIRED QUALIFICATIONS:• Bachelor's degree in Computer Science, Information Security or a related field, or equivalent hands-on experience.• Around 10 years in cyber security, with deep hands-on experience in security operations and incident response.• Strong, demonstrable hands-on experience with the Microsoft security stack, including Sentinel, Defender XDR / Defender for Endpoint (WDATP), Azure and Purview.• A track record of personally investigating and resolving security incidents, including major ones.• Real experience applying AI and automation to security operations in an operational way, not just for productivity.• Broad knowledge across security domains, including operations, vulnerability management, cloud, identity, network, application and data protection, along with secure configuration and hardening.• Experience overseeing MSSP or outsourced delivery while staying technically involved.TECHNICAL SKILLS:• Microsoft Sentinel: analytics rules, KQL, workbooks, automation rules and playbooks (Logic Apps).• Microsoft Defender XDR (Defender for Endpoint/WDATP, Identity, Office 365, Cloud): investigation, advanced hunting, response and tuning.• Advanced KQL for hunting, detection and analysis.• Microsoft Purview: sensitivity labels / AIP and DLP policy design, tuning and investigation.• Azure security: Defender for Cloud, Entra ID, secure configuration and posture management.• Zscaler (ZIA/ZPA) policy and telemetry integration.• Secure configuration and system hardening across endpoints, servers and infrastructure.• Application security fundamentals, including secure development practices and common application weaknesses.• Network security concepts, including segmentation, access control and traffic monitoring.• Applied AI for security: Microsoft Security Copilot, agentic and automated workflows, and responsible use of LLMs and APIs in detection and response.• Scripting and automation: KQL, PowerShell and Python.• Solid grasp of incident response frameworks (NIST IR / SANS) and MITRE ATT&CK.CERTIFICATIONS (PREFERRED)• Microsoft: SC-200 (Security Operations Analyst), SC-500 (Cloud and AI Security Engineer), SC-100 (Cybersecurity Architect), SC-401 (Information Security Administrator).• GIAC hands-on certifications such as GCIH, GCIA, GCFA and GMON.• CISSP or CISM.• Zscaler certifications (ZIA/ZPA) are a plus.