Head of Azure Platform Security

We have a current opportunity for a Head of Azure Platform Security on a permanent basis. The position will be based in London. For further information about this position please apply.

Requirements

Hands-on Azure cloud security architecture and implementation - Defender for Cloud, Policy-as-Code, RBAC, PIM, private endpoints, and secure landing zone design; AWS security experience also considered

Network security engineering: firewall policy design and lifecycle management, micro-segmentation, NSG/UDR/NVA architecture, hub-spoke topology, and perimeter defence for hybrid environments

WAF design, deployment, and operational tuning - Cloudflare, Azure Application Gateway, or equivalent; custom rule authoring and false-positive management at production scale

Network flow log analysis and intrusion detection engineering - building detection logic for lateral movement, beaconing, anomalous egress, and C2 patterns

SIEM engineering: detection rule authoring (KQL, SPL, or equivalent), log pipeline design, alert correlation, triage workflow - you write the rules, not just read the dashboard

Endpoint and desktop security: EDR deployment and tuning (Defender for Endpoint, CrowdStrike), Intune/Jamf device management, privileged access workstations, JIT/JEA models

API and application security: threat modelling (STRIDE/PASTA), OAuth 2.0/OIDC implementation review, secrets management (Key Vault, HashiCorp Vault), and secure SDLC integration

PKI, certificate lifecycle automation, identity federation, and SSO across hybrid cloud and on-premises environments

Security automation and IaC: Python, PowerShell, Terraform, Bicep, or Sentinel analytics rules - you codify controls, you do not document them

MITRE ATT&CK coverage mapping; threat hunting, adversary emulation, and proactive gap analysis against realistic TTPs

Cloud infrastructure - Azure preferred, AWS considered; IAM, managed services, automated and auditable deployment pipelines, secrets managementNice to Have

Financial services, trading, or capital markets - operational security in a regulated, high-availability, zero-downtime-tolerance environment

Zero-trust architecture: BeyondCorp, Zscaler, or equivalent; conditional access policy design and implementation

DDoS mitigation, BGP security, and network resilience engineering for latency-sensitive financial infrastructure

ISO 27001, SOC 2, DORA, or equivalent - hands-on implementation, not just audit participation

Red team, adversarial simulation, or penetration testing programme design - experience on both sides of the exerciseWhat We're Looking For

You are a builder first and a security engineer second - meaning you solve security problems by engineering better systems, not by writing longer policies. You find the gap before an attacker does because you have thought about how you would exploit the environment yourself. A

Requirements

Hands-on Azure cloud security architecture and implementation - Defender for Cloud, Policy-as-Code, RBAC, PIM, private endpoints, and secure landing zone design; AWS security experience also considered

Network security engineering: firewall policy design and lifecycle management, micro-segmentation, NSG/UDR/NVA architecture, hub-spoke topology, and perimeter defence for hybrid environments

WAF design, deployment, and operational tuning - Cloudflare, Azure Application Gateway, or equivalent; custom rule authoring and false-positive management at production scale

Network flow log analysis and intrusion detection engineering - building detection logic for lateral movement, beaconing, anomalous egress, and C2 patterns

SIEM engineering: detection rule authoring (KQL, SPL, or equivalent), log pipeline design, alert correlation, triage workflow - you write the rules, not just read the dashboard

Endpoint and desktop security: EDR deployment and tuning (Defender for Endpoint, CrowdStrike), Intune/Jamf device management, privileged access workstations, JIT/JEA models

API and application security: threat modelling (STRIDE/PASTA), OAuth 2.0/OIDC implementation review, secrets management (Key Vault, HashiCorp Vault), and secure SDLC integration

PKI, certificate lifecycle automation, identity federation, and SSO across hybrid cloud and on-premises environments

Security automation and IaC: Python, PowerShell, Terraform, Bicep, or Sentinel analytics rules - you codify controls, you do not document them

MITRE ATT&CK coverage mapping; threat hunting, adversary emulation, and proactive gap analysis against realistic TTPs

Cloud infrastructure - Azure preferred, AWS considered; IAM, managed services, automated and auditable deployment pipelines, secrets managementNice to Have

Financial services, trading, or capital markets - operational security in a regulated, high-availability, zero-downtime-tolerance environment

Zero-trust architecture: BeyondCorp, Zscaler, or equivalent; conditional access policy design and implementation

DDoS mitigation, BGP security, and network resilience engineering for latency-sensitive financial infrastructure

ISO 27001, SOC 2, DORA, or equivalent - hands-on implementation, not just audit participation

Red team, adversarial simulation, or penetration testing programme design - experience on both sides of the exerciseWhat We're Looking For

You are a builder first and a security engineer second - meaning you solve security problems by engineering better systems, not by writing longer policies. You find the gap before an attacker does because you have thought about how you would exploit the environment yourself. A security incident is not just a technical failure - it is a business one. You bring hands-on capability, genuine innovation, and the rigour to make this organisation measurably more secure every quarter.

security incident is not just a technical failure - it is a business one. You bring hands-on capability, genuine innovation, and the rigour to make this organisation measurably more secure every quarter.

To find out more about Huxley, please visit

Huxley, a trading division of SThree Partnership LLP is acting as an Employment Business in relation to this vacancy | Registered office | 8 Bishopsgate, London, EC2N 4BQ, United Kingdom | Partnership Number | OC(phone number removed) England and Wales