Head of Azure Platform Security

We have a current opportunity for a Head of Azure Platform Security on a permanent basis. The position will be based in London. For further information about this position please apply.

Requirements

Hands-on Azure cloud security architecture and implementation - Defender for Cloud, Policy-as-Code, RBAC, PIM, private endpoints, and secure landing zone design; AWS security experience also considered
Network security engineering: firewall policy design and lifecycle management, micro-segmentation, NSG/UDR/NVA architecture, hub-spoke topology, and perimeter defence for hybrid environments
WAF design, deployment, and operational tuning - Cloudflare, Azure Application Gateway, or equivalent; custom rule authoring and false-positive management at production scale
Network flow log analysis and intrusion detection engineering - building detection logic for lateral movement, beaconing, anomalous egress, and C2 patterns
SIEM engineering: detection rule authoring (KQL, SPL, or equivalent), log pipeline design, alert correlation, triage workflow - you write the rules, not just read the dashboard
Endpoint and desktop security: EDR deployment and tuning (Defender for Endpoint, CrowdStrike), Intune/Jamf device management, privileged access workstations, JIT/JEA models
API and application security: threat modelling (STRIDE/PASTA), OAuth 2.0/OIDC implementation review, secrets management (Key Vault, HashiCorp Vault), and secure SDLC integration
PKI, certificate lifecycle automation, identity federation, and SSO across hybrid cloud and on-premises environments
Security automation and IaC: Python, PowerShell, Terraform, Bicep, or Sentinel analytics rules - you codify controls, you do not document them
MITRE ATT&CK coverage mapping; threat hunting, adversary emulation, and proactive gap analysis against realistic TTPs
Cloud infrastructure - Azure preferred, AWS considered; IAM, managed services, automated and auditable deployment pipelines, secrets managementNice to Have

Financial services, trading, or capital markets - operational security in a regulated, high-availability, zero-downtime-tolerance environment
Zero-trust architecture: BeyondCorp, Zscaler, or equivalent; conditional access policy design and implementation
DDoS mitigation, BGP security, and network resilience engineering for latency-sensitive financial infrastructure
ISO 27001, SOC 2, DORA, or equivalent - hands-on implementation, not just audit participation
Red team, adversarial simulation, or penetration testing programme design - experience on both sides of the exerciseWhat We're Looking For

You are a builder first and a security engineer second - meaning you solve security problems by engineering better systems, not by writing longer policies. You find the gap before an attacker does because you have thought about how you would exploit the environment yourself. A

Requirements

Hands-on Azure cloud security architecture and implementation - Defender for Cloud, Policy-as-Code, RBAC, PIM, private endpoints, and secure landing zone design; AWS security experience also considered
Network security engineering: firewall policy design and lifecycle management, micro-segmentation, NSG/UDR/NVA architecture, hub-spoke topology, and perimeter defence for hybrid environments
WAF design, deployment, and operational tuning - Cloudflare, Azure Application Gateway, or equivalent; custom rule authoring and false-positive management at production scale
Network flow log analysis and intrusion detection engineering - building detection logic for lateral movement, beaconing, anomalous egress, and C2 patterns
SIEM engineering: detection rule authoring (KQL, SPL, or equivalent), log pipeline design, alert correlation, triage workflow - you write the rules, not just read the dashboard
Endpoint and desktop security: EDR deployment and tuning (Defender for Endpoint, CrowdStrike), Intune/Jamf device management, privileged access workstations, JIT/JEA models
API and application security: threat modelling (STRIDE/PASTA), OAuth 2.0/OIDC implementation review, secrets management (Key Vault, HashiCorp Vault), and secure SDLC integration
PKI, certificate lifecycle automation, identity federation, and SSO across hybrid cloud and on-premises environments
Security automation and IaC: Python, PowerShell, Terraform, Bicep, or Sentinel analytics rules - you codify controls, you do not document them
MITRE ATT&CK coverage mapping; threat hunting, adversary emulation, and proactive gap analysis against realistic TTPs
Cloud infrastructure - Azure preferred, AWS considered; IAM, managed services, automated and auditable deployment pipelines, secrets managementNice to Have

Financial services, trading, or capital markets - operational security in a regulated, high-availability, zero-downtime-tolerance environment
Zero-trust architecture: BeyondCorp, Zscaler, or equivalent; conditional access policy design and implementation
DDoS mitigation, BGP security, and network resilience engineering for latency-sensitive financial infrastructure
ISO 27001, SOC 2, DORA, or equivalent - hands-on implementation, not just audit participation
Red team, adversarial simulation, or penetration testing programme design - experience on both sides of the exerciseWhat We're Looking For

You are a builder first and a security engineer second - meaning you solve security problems by engineering better systems, not by writing longer policies. You find the gap before an attacker does because you have thought about how you would exploit the environment yourself. A security incident is not just a technical failure - it is a business one. You bring hands-on capability, genuine innovation, and the rigour to make this organisation measurably more secure every quarter.

security incident is not just a technical failure - it is a business one. You bring hands-on capability, genuine innovation, and the rigour to make this organisation measurably more secure every quarter.

To find out more about Huxley, please visit

Huxley, a trading division of SThree Partnership LLP is acting as an Employment Business in relation to this vacancy | Registered office | 8 Bishopsgate, London, EC2N 4BQ, United Kingdom | Partnership Number | OC(phone number removed) England and Wales