
Devoteam Cyber Trust | Lead Cloud Security Consultant — Microsoft Focus

Lisboa, Lisboa, Portugal | Posted 2 days ago
Full-time | Hybrid | Mid-Senior Level

Job Description

We're building a new Cloud Security Practice that delivers outcome-driven security engagements across Microsoft Azure, Microsoft 365, Google Cloud, AWS, and partner CNAPP platforms.

We're hiring a Lead Cloud Security Consultant — Microsoft Focus as a hands-on cyber security expert. You'll help design how we deliver engagements, execute them in the consoles, and build the reusable assets the practice will scale on.

This is a cyber-first role with Microsoft as the primary stack. Microsoft Sentinel, Defender XDR, Defender for Cloud, and Entra ID are the core of the work, but you should be comfortable operating in broader cloud security contexts — multi-cloud posture, CNAPP findings, exposure reduction — when engagements call for it. You don't need to be a pure infrastructure engineer, but you should understand cloud environments well enough to identify security gaps, implement controls, and help customers improve their posture.

What you'll do

  • Deliver cloud security engagements end-to-end with a Microsoft focus: Sentinel deployments, Defender XDR rollouts, Defender for Cloud implementations, detection engineering, threat hunting, incident response support, posture assessments, Azure security reviews, identity security improvements, cloud hardening.

  • Write KQL, tune analytics rules, build connectors, configure Defender XDR policies, and walk customers through what their telemetry, posture, exposure, and risks mean.

  • Assess and improve security controls across Sentinel, Defender XDR, Defender for Cloud, Entra ID, Azure workloads, logging/monitoring, and privileged access.

  • Translate cyber security requirements into practical configurations, remediation actions, detection use cases, and operational improvements.

  • Support multi-cloud engagements (Google Cloud, AWS) and CNAPP-related work where the customer needs posture improvement, exposure reduction, or detection coverage.

  • Run customer-facing workshops and build the reusable assets the practice will scale on: playbooks, deliverable templates, KQL libraries, detection rule packs, configuration baselines, hardening guides, remediation roadmaps.

What you bring

Microsoft Sentinel:

  • Has deployed or supported Sentinel in production for at least one enterprise customer.

  • Writes KQL from scratch for analytics rules, hunting queries, investigations, and workbooks.

  • Has built, tuned, or maintained analytics rules, scheduled queries, hunting queries, or incident workflows.

  • Has worked with data connectors, including Microsoft and non-Microsoft sources.

  • Has experience with automation rules, Logic Apps playbooks, or response workflows.

  • Understands alert fatigue and has experience improving signal-to-noise in a SOC or monitoring environment.

Defender XDR cross-pillar:

  • Has configured and operated Defender for Endpoint, Identity, Office 365, and Cloud Apps.

  • Has investigated incidents spanning multiple pillars using the unified incident model.

  • Comfortable with advanced hunting across the Defender XDR schema.

  • Understands how Defender XDR and Sentinel complement each other in detection and response.

Azure and cloud security:

  • Solid Azure security understanding from a cyber perspective, not just infrastructure.

  • Has delivered Azure security assessments, posture improvement, hardening, or secure configuration reviews.

  • Hands-on with Microsoft Defender for Cloud — recommendations, regulatory compliance, workload protection, posture management.

  • Understands subscriptions/management groups, Azure Policy, RBAC, logging/monitoring, network exposure, and workload protection.

  • Comfortable working in broader cloud security contexts: posture management, workload protection, misconfiguration review, exposure reduction.

Identity and access:

  • Strong Microsoft Entra ID security — MFA, Conditional Access, Identity Protection, access reviews, enterprise applications, service principals.

  • Familiarity with PIM, RBAC, least privilege, break-glass accounts, access governance.

  • Understands identity as a core cloud security control.

Cloud security and CNAPP awareness:

  • Understands CSPM, CWPP, attack paths, misconfiguration abuse, and cloud-specific attack patterns.

  • Familiar with CNAPP concepts and tools.

  • Can turn cloud security findings into practical remediation plans for security, cloud, and engineering teams.

Delivery experience:

  • 5+ years of cybersecurity experience, including relevant experience with the Microsoft security stack in a delivery, consulting, cloud security, detection engineering, or senior SOC role.

  • Experience delivering client-facing cyber security work, including assessments, implementations, workshops, remediation planning, or technical documentation.

  • Able to produce clear technical deliverables: assessment reports, implementation plans, remediation roadmaps, configuration baselines, runbooks, and executive-level summaries.

  • Portuguese and English.

Nice to have

  • Microsoft Purview — DLP, information protection, insider risk.

  • Google Cloud or AWS security background.

  • Exposure to Wiz or another CNAPP platform.

  • Experience with Infrastructure-as-Code security, ideally Terraform, Bicep, ARM templates, or CI/CD security reviews.

  • Experience with DevSecOps, secure cloud deployment patterns, or security guardrails.

  • Knowledge of Microsoft Cloud Security Benchmark, CIS Benchmarks, NIST, ISO 27001, MITRE ATT&CK, or cloud security reference architectures.

  • Experience building reusable consulting assets, such as KQL packs, Sentinel deployment kits, Defender configuration guides, cloud security baselines, assessment methodologies, or remediation playbooks.

Certifications

Strongly valued: SC-100.

Also valued: SC-200, AZ-500, SC-300, SC-400, CISSP, CCSP, Google Cloud Professional Cloud Security Engineer, AWS Security Specialty.

Real operational and delivery experience matters more than certification recall.

Working style

  • Hands-on by default, in consoles weekly.

  • Cyber-first mindset — you look at Azure, Microsoft 365, identity, endpoints, SaaS, and cloud workloads through the lens of risk, threat, control effectiveness, and operational security.

  • Microsoft-focused, cloud-aware — Microsoft is your strongest stack, but you can operate in multi-cloud conversations and broader cloud security engagements.

  • Delivery-focused — you can assess, implement, document, and hand over.

  • Iterative — you'd rather ship a working v1 in two weeks than a perfect v1 in four months.

  • Plain-language translator — you explain a detection, a risky identity configuration, a Defender recommendation, or a CNAPP finding to a SOC analyst and a CFO using different words and the same accuracy.

  • Builder — you leave behind reusable assets, not just closed tickets.

  • Pragmatic — you know the difference between an ideal target state and a workable next step for a real customer environment.

Devoteam Group is committed to equal opportunity: it promotes its employees based on merit and actively fights all forms of discrimination. We are convinced that diversity contributes to the creativity, dynamism and excellence of our organization. All of our vacancies are open to people with disabilities.
