Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to any characteristic protected by applicable local laws, regulations, and ordinances.
Senior Cloud Solution Architect Cybersecurity (Exercises) - CTJ - Top Secret
Location
United States
Posted
72 days ago
Salary
$106K - $222K / year
Seniority
Senior
Job Description
Microsoft
Overview
We are seeking a senior cybersecurity professional to lead defender-focused (Blue Cell) capabilities within large-scale cyber exercises. This role is responsible for designing, operationalizing, and continuously improving how participants detect, investigate, and respond to adversary activity in realistic, mission-aligned scenarios.
The Blue Team Lead defines the defender experience: developing workflows, training objectives, evaluation criteria, and reference materials that reflect real-world security operations. This role ensures exercises produce measurable improvements in customer detection and response capabilities across both proactive threat hunting and reactive incident response.
Cyber exercises operate as live environments where timing, tooling, adversary actions, and participant behavior evolve dynamically. The Blue Team Lead ensures defender guidance is actionable, outcomes are measurable, and lessons learned translate into lasting operational improvements.

Responsibilities
Microsoft Federal is seeking individuals passionate about advancing cybersecurity readiness through immersive, hands-on exercises that strengthen operational resilience for U.S. Federal agencies. Ideal candidates for this role will demonstrate technical expertise, strong facilitation skills, and a commitment to driving measurable security outcomes.
As a Senior Cloud Solution Architect Cybersecurity (Exercises), you will support the planning, facilitation, and delivery of immersive cybersecurity exercises for U.S. Federal customers. Working alongside senior CSAs, you will help design scenarios, operationalize technical solutions, and drive measurable security outcomes through hands-on engagement and collaboration.
Responsibilities include:

Blue Cell Design Authority
- Own the design of defender-facing content across exercises, including workflows, tasks, success criteria, and evaluation frameworks.
- Ensure all defender activities align to realistic security operations and customer mission requirements.
- Establish and run the daily briefing rhythm to confirm customer findings and prevent analytical rabbit holes (customer briefs “was this you,” red validates yes/no).

Blue Team-focused Stakeholder Orchestration
- Align exercise scope, objectives, and communications with account team, customer, and delivery stakeholders; coordinate control-cell and intelligence for injects; manage blue team operations schedule.
- Represent the program in customer briefings and executive touchpoints; set expectations and ensure outcomes are landed with account teams.
- Translate complex technical tradecraft into clear, outcome-focused narratives for senior customer leadership and non-technical stakeholders.
- Ensure defensive actions remain grounded in realistic operational constraints and decision-making.

Drive Business Outcomes
- Translate exercise results into actionable recommendations for improving customer security operations.
- Own and lead defender outcomes aligned to strategic customer objectives, accelerating adoption and operationalization of Microsoft security tools through repeatable, measurable defender workflows.
- Partner with account teams to translate exercise findings into follow-on opportunities (control fixes, detection coverage improvements, and roadmap-aligned next steps).
- Track and communicate exercise-driven outcomes (skill uplift, detection gaps closed, and prioritized remediation guidance) in a way that is actionable for customer leadership and Microsoft account teams.

Design Defender Workflows & Hunt Content
- Develop and govern defender-facing content: workflows, evaluation points, and success criteria aligned to security operations and customer mission needs.
- Build and maintain reusable hunting content packages (KQL quick sheets, investigation playbooks, validation checklists, and scenario-aligned hunt guides) that scale delivery consistency.
- Translate red team TTPs into defender detection expectations (telemetry sources, logging gaps, validation steps), enabling rapid iteration during delivery and clear improvements post-exercise.
- Lead after-action analysis focused on defensive performance, detection coverage, and response effectiveness.
- Drive post-exercise refinement of defender guidance, detection expectations, and learning materials based on observed outcomes and identified gaps.

Mentorship & Collaboration
- Mentor junior team members in defensive tradecraft, analytical reasoning, and exercise delivery.
- Lead regular team knowledge-sharing sessions that improve blue-team hunting quality and delivery consistency across parallel exercises.
- Develop and standardize playbooks, methodologies, and content to improve consistency across the team.
- Partner tightly with red team and control-cell to ensure timing, injects, and debriefs produce maximum defender learning value and actionable takeaways.

Travel is an integral part of this position. You should be willing to travel as is demanded by the needs of our customers and our business. This position requires approximately 50-75% overnight travel.

Qualifications
Required Qualifications:
- Bachelor's Degree in Computer Science, Information Technology, Engineering, Business, Liberal Arts, or related field AND 4+ years experience in cloud/infrastructure technologies, information technology (IT) consulting/support, systems administration, network operations, software development/support, technology solutions, practice development, architecture, and/or consulting OR equivalent experience.

Other Requirements:
Security Clearance Requirements: Candidates must be able to meet Microsoft, customer and/or government security screening requirements for this role. These requirements include, but are not limited to the following specialized security screenings:
- The successful candidate must have an active U.S. Government Top Secret Security Clearance. Ability to meet Microsoft, customer and/or government security screening requirements is required for this role. Failure to maintain or obtain the appropriate clearance and/or customer screening requirements may result in employment action up to and including termination.
- Clearance Verification: This position requires successful verification of the stated security clearance to meet federal government customer requirements. You will be asked to provide clearance verification information prior to an offer of employment.
- Microsoft Cloud Background Check: This position will be required to pass the Microsoft Cloud background check upon hire/transfer and every two years thereafter.
- Citizenship & Citizenship Verification: This position requires verification of U.S. citizenship due to citizenship-based legal restrictions. Specifically, this position supports United States federal, state, and/or local United States government agency customer and is subject to certain citizenship-based restrictions where required or permitted by applicable law. To meet this legal requirement, citizenship will be verified via a valid passport, or other approved documents, or verified US government Clearance.

Preferred Qualifications:
- Bachelor's Degree in Computer Science, Information Technology, Engineering, Business, Liberal Arts, or related field AND 8+ years experience in cloud/infrastructure technologies, information technology (IT) consulting/support, systems administration, network operations, software development/support, technology solutions, practice development, architecture, and/or consulting OR Master's Degree in Computer Science, Information Technology, Engineering, Business, Liberal Arts, or related field AND 6+ years experience in cloud/infrastructure technologies, technology solutions, practice development, architecture, and/or consulting OR equivalent experience.
- 4+ years experience working in a customer-facing role (e.g., internal and/or external).
- 4+ years experience working on technical projects.
- Technical Certification in Cloud (e.g., Azure, Amazon Web Services, Google, security certifications).

Defensive Cyber Operations (Proactive + Reactive):
- Experience leading or operating within security operations, threat hunting, detection engineering, or incident response functions in enterprise or U.S. Federal environments.
- Ability to design and execute both proactive (hypothesis-driven hunting, coverage development) and reactive (investigation, containment, recovery) defensive workflows.
- Experience translating operational activity into improved detection logic, response playbooks, and defensive tradecraft.
- Coach and mentor customers on defensive actions during live cyber exercises (e.g., account actions, device isolation, blocking indicators, mitigation activity), including justifications and operational risk.

Detection Engineering & Telemetry Analysis:
- Strong understanding of how adversary behaviors map to telemetry across identity, endpoint, network, application, and cloud environments.
- Experience developing and iterating detection logic, hunting methodologies, and investigation workflows.
- Experience building reusable defensive content (playbooks, analytic patterns, hunt guides, validation frameworks).
- Ability to identify visibility gaps, define data requirements, and validate detection coverage against adversary techniques.
- Lead and facilitate exercise delivery after action reports (AARs) with customer-facing security response teams, executive level leadership, and Microsoft security personnel.
- Experience applying AI/ML and GenAI-assisted workflows to defensive cyber operations.

Cloud, Identity, & Hybrid Environments:
- Experience investigating and defending modern environments, including identity-centric attacks, cloud resource abuse, and hybrid infrastructure scenarios.
- Ability to correlate activity across multiple data sources and platforms to build a complete operational picture.

Cyber Exercise Design & Blue Cell Leadership:
- Experience designing defender-facing exercise content, including:
  - Detection and response workflows
  - Participant tasks and decision points
  - Success criteria and evaluation metrics
- Ability to translate real-world adversary behavior into structured learning objectives and measurable outcomes.
- Experience supporting or leading cyber exercises, simulations, or operational training environments.

Leadership & Operational Excellence:
- Ability to lead and mentor teams in high-tempo, ambiguous environments.
- Strong facilitation skills across technical operators and senior leadership audiences.
- Experience driving consistency and quality across multiple concurrent efforts.
- Ability to translate technical findings into clear, mission-relevant insights and recommendations.

Certifications (Preferred, Not Required):
- Microsoft Security Operations Analyst (SC-200) or Azure Security Engineer (AZ-500).
- Industry recognized blue team or cybersecurity certifications like GCFR, GCIH, or GCFA are desirable but not mandatory.

Cloud Solution Architecture IC4 - The typical base pay range for this role across the U.S. is USD $106,400 - $203,600 per year. There is a different range applicable to specific work locations, within the San Francisco Bay area and New York City metropolitan area, and the base pay range for this role in those locations is USD $137,600 - $222,600 per year.
Certain roles may be eligible for benefits and other compensation. Find additional benefits and pay information here: https://careers.microsoft.com/us/en/us-corporate-pay
This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.
More Cloud Engineer Jobs
IT CLOUD ENGINEER PROFESSIONAL
Inchcape
Inchcape is the leading global automotive distributor operating in 38 markets. We partner with some of the biggest brands in the business to sustainably power better mobility today and in the future. Our diverse global team of over 16,000 talented colleagues foster an inclusive and collaborative culture, delivering a brilliant experience for our customers and partners. We’re a dynamic and fast-growing business, driving the transformation of our industry and redefining tomorrow.

Role Description
Are you looking to accelerate your professional development, build a brilliant career, and thrive in a highly supportive team? Join Inchcape Digital, part of Inchcape’s global network. You’ll play a key part in delivering great experiences for our customers and colleagues, with lots of interesting opportunities and challenges for you to explore that will take us, and your progression, to the next level.
Our IT Operations platform is seeking an IT Cloud Engineer Professional to join our team in Colombia. In this position, you will be responsible for:
- Management and administration of cloud platforms, applications, and computer services.
- Ensuring high availability of client/server applications.
- Configuring new implementations and developing processes for ongoing management of the cloud environment.
- Learning best practices for deploying resources in the cloud.
- Maintaining cloud security, integrity, and safety of server and cloud resources.

The main responsibilities include:
- Administration of platforms, including servers and operating system maintenance.
- Maintaining and administering technologies associated with NCI's Cloud services.
- Becoming a referent for the correct use of NCI's Cloud services.
- Monitoring and proposing improvements to mitigate risks associated with the infrastructure.
- Providing services to worldwide Inchcape markets.
- Working closely with the NCI project & Service Delivery area on the DDC (Colombia and Philippines).
- Collaborating with cross-functional teams to embed best practices into the infrastructure delivery lifecycle.
- Participating in project execution, implementing solutions, and managing new project infrastructure.
- Providing day-to-day support for Azure and CMS DevSecOps pipelines across multiple regions.
- Managing CI/CD pipelines and implementing DevOps practices.
- Available to work in different time zones and 7x24 shifts.
- Some afterhours work will be required to join online meetings with global team members.

Qualifications
- Hands-on experience with Microsoft Azure services (AKS, App Services, Azure Functions, Storage, Key Vault, Networking, Virtual Machine, Entra-ID, DNS, among others).
- Experience designing, maintaining, and troubleshooting GitHub Actions.
- Secrets management in Key Vault, administration, and access control.
- Permissions and management of primary app registration and service for access to roles and applications in Azure AD (AAD).
- Basic to intermediate knowledge of infrastructure as code (Terraform).
- Basic to intermediate knowledge of Docker and Kubernetes (AKS) for application deployment and lifecycle management.
- Deployment of network resources appliances VPN S2S, Route tables, VNET, peering, Virtual private link, NSG, VHUB, Network segmentation, Firewall policies, and Zero-Trust principles.
- Remote access: Bastion, MFA, conditional access enforcement.
- Bachelor’s degree in Computer Science, Information Technology, Engineering, or a related field.
- Equivalent hands-on experience in Cloud, or IT Operations may be considered in place of a formal degree.
- Microsoft Certified: Azure Fundamentals (AZ-900) and Azure Administrator (AZ-104) – Desirable.

Benefits
- Supportive Environment: Work alongside a dynamic team committed to your success.
- Career Growth: We're invested in your development and offer ample opportunity for advancement.
- Work-Life Balance: Enjoy a role that balances strategic analysis with day-to-day business support.
- Industry Leadership: Be part of a company that leads the transformation of the automotive distribution industry.

Company Description
Inchcape is the leading global automotive distributor operating in 38 markets. We partner with some of the biggest brands in the business to sustainably power better mobility today and in the future. Our diverse global team of over 16,000 talented colleagues foster an inclusive and collaborative culture, delivering a brilliant experience for our customers and partners. We’re a dynamic and fast-growing business, driving the transformation of our industry and redefining tomorrow. Inchcape Digital employs over 1,300 team members across Colombia and Philippines. Our portfolio includes vehicle distribution for world-renowned brands, market-leading fulfilment solutions, exceptional retail experiences, and tailored financial services.
• Design, implement, and manage AWS-based cloud infrastructure.
• Build and maintain CI/CD pipelines using GitHub Actions and AWS CodeBuild.
• Manage and optimize containerized environments using Docker.
• Support and optimize application deployments, particularly for .NET-based systems.
• Monitor system performance and troubleshoot infrastructure and deployment issues.
• Collaborate with development teams to improve deployment processes and system reliability.
• Ensure scalability, security, and high availability of cloud environments.
• Continuously improve infrastructure through automation and best practices.
Cloud Engineer
AIS (Applied Information Sciences)
A Partner That Brings Enterprise Cloud Transformation Full Circle
• Design, configure, and administer Microsoft Purview compliance capabilities across the Microsoft 365 environment.
• Implement and support eDiscovery Standard and Premium workflows, including: case creation and management, custodian and non-custodial data source identification, legal hold configuration, search and collection design, review set preparation, export and handoff support.
• Perform and support Content Search, Audit, and Communication/Collaboration data investigations across Exchange Online, SharePoint Online, OneDrive, Teams, and other supported M365 workloads.
• Design and manage retention labels, retention label policies, retention policies, and records management configurations aligned with business, legal, and regulatory requirements.
• Support implementation of sensitivity labels and Microsoft Information Protection integrations where they intersect with compliance and governance objectives.
• Configure and support Data Loss Prevention (DLP) policies for Microsoft 365 workloads, including tuning, testing, and operational troubleshooting.
• Assist legal, compliance, and information governance teams with preservation, collection, defensibility, and chain-of-custody-oriented processes within Microsoft 365 tooling.
• Support investigation workflows using Microsoft Purview Audit and related compliance telemetry.
• Collaborate with security, messaging, collaboration, and identity teams to ensure Purview solutions align with enterprise architecture and access controls.
• Develop operational runbooks, standard operating procedures, governance standards, and technical documentation.
• Support role-based access control, least privilege, and administrative segmentation within the Purview and Microsoft 365 compliance ecosystem.
• Participate in roadmap planning for information governance, data protection, and compliance modernization initiatives.
• Provide Tier 3 support and troubleshooting for escalated Purview, eDiscovery, retention, and compliance policy issues.
Oracle Cloud Change Management Project Lead
Automus Consulting Inc
EOE/Must be legally authorized to work in the United States without sponsorship. Send resumes to: careers@automus.com

Role Description
Automus is seeking a Change Management Project Lead with 10+ years of experience working with Oracle Cloud or another ERP / large system implementation. The role involves leading cross-functional discussions at various levels with client HR, Steering Committee, business users, and end users to:
- Analyze change readiness
- Assess change impacts
- Identify risks
- Develop training plans and organizational change plans

The Change Management Project Lead will also help articulate solutions and recommend best practices to stakeholders. This is a very independent, highly visible client-facing role. Other responsibilities include:
- Documenting and executing on change management plan
- Conducting change impact assessments
- Creating training plans

The Change Management Project Lead will work alongside Automus functional consultants and project managers during design, build, and test phases, and will play a key role in guiding the client during end user training in the final solution including:
- Go-live readiness
- Hyper-care support at go-live

Qualifications
- Bachelor’s degree in Business, Finance, Accounting, Communications, Technology or other related field
- 10+ years progressive experience in a consulting environment or related industry experience, preferably implementing an ERP system
- 5+ years’ experience with change management for ERP implementations
- Project management experience
- Certification in change management (PROSCI) would be an added advantage
- Self-motivated, positive attitude, with a can-do approach
- Work independently and manage multiple task assignments in a fast-paced environment
- Interact effectively with team and clients through in-person meetings, chat, email, phone, and video conferencing as appropriate
- Excellent verbal and written communication along with strong analytical skills
- Resolve problems in a timely and effective manner, involving project managers and executive management as appropriate
- Demonstrate high level computer skills and knowledge in Office 365 (Teams, Outlook, Word, PowerPoint, Excel, Visio) and in Smartsheet
- Experience with AI is a plus

Requirements
- Ability to travel nationwide up to 25% to client site – typically once a month


