Threat Researcher

About the Role

Abnormal Security is looking for a Threat Researcher with expertise in Microsoft cloud security, threat research, and SaaS Security Posture Management (SSPM). In this role, you will conduct deep-dive research on Microsoft cloud threats, adversary techniques, and misconfigurations, while also contributing to security posture improvements and mitigation strategies. You will work closely with R&D and Engineering teams to enhance security product capabilities, refine detections, and develop configuration playbooks for Azure, Microsoft 365, Defender Suite, and Entra ID.

Who you are

• Experienced in threat research, with a deep understanding of Microsoft cloud ecosystems, SaaS security, and identity-based threats.
• Strong knowledge of Microsoft security tools, including Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Sentinel.
• Proficient in adversary TTP analysis, phishing attack research, misconfiguration risks, and security posture hardening.
• Data-driven researcher, with experience using SQL, PySpark, KQL, and other query-based tools to analyze large datasets.
• Skilled at bridging security research with engineering, ensuring insights lead to practical security improvements.
• Comfortable working in agile, cross-functional teams, driving security posture improvements across Microsoft cloud environments.
• Strong communicator, able to deliver detailed research findings to both technical and non-technical stakeholders.

What you will do

Threat Research & Adversary Tracking

• Conduct in-depth research on Microsoft cloud security threats, phishing techniques, and identity-based attack vectors.
• Track APT groups, financially motivated actors, and cloud-native threat campaigns targeting Azure and Microsoft 365 environments.
• Analyze MFA bypass techniques, token theft, session hijacking, and adversary tactics used against Microsoft authentication mechanisms.
• Reverse-engineer phishing kits, adversary infrastructure, and cloud-native attack methodologies to enhance security insights.
• Develop threat models and in-depth attack reports to inform Microsoft-focused threat intelligence.

SSPM & Security Posture Research

• Research misconfigurations, security posture risks, and SaaS security gaps in Microsoft Entra ID, Azure AD, and M365 security settings.
• Develop SSPM research insights and contribute to configuration playbooks to improve Microsoft cloud security posture.
• Identify misconfiguration-driven threats and work with Engineering to enhance detection and mitigation strategies.
• Analyze security posture deviations that could expose Microsoft environments to account takeovers, phishing, and privilege escalation attacks.

Security Research & Cross-Functional Collaboration

• Provide deep-dive research into Microsoft cloud attack methodologies to help enhance security product capabilities.
• Work with R&D and Engineering teams to ensure research findings translate into practical security enhancements.
• Deliver technical briefings and intelligence reports on Microsoft threat trends, attacker tactics, and detection opportunities.
• Partner with internal stakeholders to evaluate emerging threats and recommend security improvements for Microsoft cloud environments.

Must Haves 

• 5+ years in threat research, cyber threat intelligence, or adversary tracking.
• 3+ years focused on Microsoft cloud security (Azure, M365, Defender, Entra ID, or Sentinel).
• Expertise in Microsoft cloud security architecture, identity protection, SaaS security, and misconfiguration risks.
• Strong data analysis skills with experience using SQL, PySpark, KQL, or similar tools to analyze cloud-based threats.
• Deep knowledge of MITRE ATT&CK, Microsoft attack techniques, and adversary tradecraft.
• Hands-on experience with Microsoft Defender for Office 365, Defender for Identity, and Microsoft Sentinel.

Nice to Have 

• Experience working with or building SSPM solutions for Microsoft cloud security posture management.
• Security certifications (GCTI, GCFA, CISSP, or Microsoft security-related).
• Experience in cloud-native security research, attack simulations, or misconfiguration exploitation analysis.
• Background in SaaS security posture analysis and cloud security hardening.

#LI-LB3