NCC Group

Senior Engineer - MXDR

Posted 13 Days Ago
In-Office
Sydney, New South Wales
Senior level
Design, deploy and tune Microsoft Sentinel and Defender XDR solutions, build SOAR playbooks (Logic Apps/Power Automate), perform KQL-led threat hunting and incident response, advise on Purview/DLP, produce runbooks/roadmaps, coach junior consultants, and support presales scoping and proposals.
The summary above was generated by AI

Why this role?

Love the buzz of turning noisy security data into sharp, automated defence? At NCC Group, you’ll help well-known brands get the most from Microsoft’s security stack — designing Sentinel-led detection and response, wiring up smart SOAR playbooks, and shaping XDR strategy that actually lands. It’s hands-on, high-impact work with a team that backs experimentation, knowledge-sharing and doing things properly.

What you’ll do

  • Build & tune Microsoft Sentinel: data connectors, normalisation, analytics rules, UEBA, watchlists, workbooks and cost-savvy ingestion strategies.
  • Orchestrate & automate: create pragmatic SOAR playbooks (Logic Apps/Power Automate) that slash MTTR and remove toil.
  • XDR in the real world: deploy and optimise Microsoft Defender XDR across endpoints, identity, email and cloud; align detections to MITRE ATT&CK and real threats.
  • Hunt & respond: KQL-led threat hunting, incident triage guidance, detection content packs, purple-team style improvements.
  • Secure the data: advise on Purview information protection & DLP, from policy design to pilot and rollout.
  • Make it land: roadmaps, runbooks, and regular stakeholder updates — translating deep technical detail into business-ready outcomes.
  • Coach & mentor: guide junior consultants; share patterns, reusable content and lessons learned.
  • Shape opportunities: support presales scoping, proposals and estimation for consulting and implementation work.

What you’ll bring

  • Proven experience delivering Microsoft security projects: Sentinel (must-have), Defender XDR, SOAR (Logic Apps), and Purview/DLP.
  • Comfortable with KQL and scripting (PowerShell); version control with Git.
  • A knack for cost optimisation (ingestion, retention, table choices, Basic vs Analytics).
  • Solid consulting skills — workshops, architecture reviews, stakeholder management and great written reports.
  • Familiarity with control frameworks (ISO 27001, NIST CSF/800-53, PCI DSS, GDPR) and how to evidence them in Microsoft cloud.

Nice-to-haves (not show-stoppers)

Azure Resource Manager/Bicep or IaC pipelines; Entra ID/Conditional Access; Defender for Cloud; Intune; MITRE mapping; incident response exposure; certifications such as SC-200/SC-100, CISSP/CISM, ISO 27001 LA/LI, PCI QSA.

A week in the life (example)

  • Monday: run a Sentinel use-case workshop; prioritise detections that matter to the client’s threats.
  • Tuesday: deploy connectors and write analytics rules; build a workbook for exec-friendly KPIs.
  • Wednesday: craft SOAR playbooks to automate enrichment and ticketing; test and iterate with the SOC.
  • Thursday: threat hunt with KQL; raise tuning PRs and push improvements to content packs.
  • Friday: roadmap review with stakeholders; document runbooks and handover notes; mentor a colleague.

How we work

  • Pragmatic > performative. We favour simple, maintainable solutions over shiny complexity.
  • Collaborative by default. You’ll have access to SMEs across NCC Group and a library of reusable content.
  • Growth mindset. Conferences, labs, and time to experiment are part of the deal.
  • Flexible and supportive. We embrace difference and want you to bring your authentic self to work.

About NCC Group

We’re a global cyber security company with 2,000+ colleagues supporting 15,000 customers across the UK, North America, Europe, APAC and the Middle East. Our mission is to help organisations protect their brand, value and reputation against an ever-evolving threat landscape. We invest in our people and operate with fairness, creativity and respect.

Inclusion & accessibility

We’re committed to diversity, equity and flexibility. If you need reasonable adjustments at any stage of the process, please let us know. We’ll handle your personal data in line with our Privacy Policy. If you’d prefer us not to retain your details for future roles, email [email protected].

Ready to apply?

If this sounds like you — but you don’t tick every single box — please still apply. We care about capability, curiosity and potential as much as keywords on a CV.

  • Seniority Level
    • Mid-Senior level
  • Industry
    • IT Services and IT Consulting
  • Employment Type
    • Full-time
  • Job Functions
    • Information Technology
  • Skills
    • DLP
    • Sentinel
    • Payment Industry
    • Security Consulting
    • Security Information and Event Management (SIEM)
    • Git
    • Analytics
    • Presales
    • Strategy
    • T

Top Skills

Microsoft Sentinel,Microsoft Defender Xdr,Soar,Logic Apps,Power Automate,Purview,Dlp,Kql,Powershell,Git,Azure Resource Manager,Bicep,Entra Id,Conditional Access,Defender For Cloud,Intune,Mitre Att&Ck,Siem
