Head of Azure Platform Security

Location: Leeds ICD

We have a current opportunity for a Head of Azure Platform Security on a permanent basis. The position will be based in London. For further information about this position please apply. Requirements Hands-on Azure cloud security architecture and implementation - Defender for Cloud, Policy-as-Code, RBAC, PIM, private endpoints, and secure landing zone design; AWS security experience also considered Network security engineering: firewall policy design and lifecycle management, micro-segmentation, NSG/UDR/NVA architecture, hub-spoke topology, and perimeter defence for hybrid environments WAF design, deployment, and operational tuning - Cloudflare, Azure Application Gateway, or equivalent;

custom rule authoring and false-positive management at production scale Network flow log analysis and intrusion detection engineering - building detection logic for lateral movement, beaconing, anomalous egress, and C2 patterns SIEM engineering: detection rule authoring (KQL, SPL, or equivalent), log pipeline design, alert correlation, triage workflow - you write the rules, not just read the dashboard Endpoint and desktop security: EDR deployment and tuning (Defender for Endpoint, Crowd Strike), Intune/Jamf device management, privileged access workstations, JIT/JEA models API and application security: threat modelling (STRIDE/PASTA), OAuth 2.0/OIDC implementation review, secrets management (Key Vault, Hashi Corp Vault), and secure SDLC integration PKI, certificate lifecycle automation, identity federation, and SSO across hybrid cloud and on-premises environments Security automation and IaC:
Python, Power Shell, Terraform, Bicep, or Sentinel analytics rules - you codify controls, you do not document them MITRE ATT&CK coverage mapping; threat hunting, adversary emulation, and proactive gap analysis against realistic TTPs Cloud infrastructure - Azure preferred, AWS considered; IAM, managed services, automated and auditable deployment pipelines, secrets management Nice to Have Financial services, trading, or capital markets - operational security in a regulated, high-availability, zero-downtime-tolerance environment Zero-trust architecture:
Beyond Corp, Zscaler, or equivalent; conditional access policy design and implementation DDoS mitigation, BGP security, and network resilience engineering for latency-sensitive financial infrastructure ISO 27001, SOC 2, DORA, or equivalent - hands-on implementation, not just audit participation Red team, adversarial simulation, or penetration testing programme design - experience on both sides of the exercise What We're Looking For You are a builder first and a security engineer second - meaning you solve security problems by engineering better systems, not by writing longer policies.

You find the gap before an attacker does because you have thought about how you would exploit the environment yourself. A Requirements Hands-on Azure cloud security architecture and implementation - Defender for Cloud, Policy-as-Code, RBAC, PIM, private endpoints, and secure landing zone design; AWS security experience also considered Network security engineering: firewall policy design and lifecycle management, micro-segmentation, NSG/UDR/NVA architecture, hub-spoke topology, and perimeter defence for hybrid environments WAF design, deployment, and operational tuning - Cloudflare, Azure Application Gateway, or equivalent;

custom rule authoring and false-positive management at production scale Network flow log analysis and intrusion detection engineering - building detection logic for lateral movement, beaconing, anomalous egress, and C2 patterns SIEM engineering: detection rule authoring (KQL, SPL, or equivalent), log pipeline design, alert correlation, triage workflow - you write the rules, not just read the dashboard Endpoint and desktop security: EDR deployment and tuning (Defender for Endpoint, Crowd Strike), Intune/Jamf device management, privileged access workstations, JIT/JEA models API and application security: threat modelling (STRIDE/PASTA), OAuth 2.0/OIDC implementation review, secrets management (Key Vault, Hashi Corp Vault), and secure SDLC integration PKI, certificate lifecycle automation, identity federation, and SSO across hybrid cloud and on-premises environments Security automation and IaC:
Python, Power Shell, Terraform, Bicep, or Sentinel analytics rules - you codify controls, you do not document them MITRE ATT&CK coverage mapping; threat hunting, adversary emulation, and proactive gap analysis against realistic TTPs Cloud infrastructure - Azure preferred, AWS considered; IAM, managed services, automated and auditable deployment pipelines, secrets management Nice to Have Financial services, trading, or capital markets - operational security in a regulated, high-availability, zero-downtime-tolerance environment Zero-trust architecture:
Beyond Corp, Zscaler, or equivalent; conditional access policy design and implementation DDoS mitigation, BGP security, and network resilience engineering for…