
System Security Engineer

Cyberr® · Dubai

Mid 🇬🇧 English

Job description

About the role

The role focuses on protecting corporate endpoints through the design, deployment, and management of advanced detection and response solutions. You will work closely with security, IT, and operations teams to ensure a hardened, compliant, and resilient device fleet.

Key responsibilities

  • Administer Microsoft Defender for Endpoint, CrowdStrike Falcon and SentinelOne, including policy configuration, exclusions, alert triage and proactive threat hunting.
  • Manage next‑generation antivirus, exploit protection, Windows Defender Firewall, web filtering and device control policies (e.g., USB restrictions).
  • Implement application control with AppLocker and WDAC, and apply security hardening based on CIS Benchmarks and Microsoft baselines.
  • Maintain Group Policy, ADMX settings, Windows LAPS and enterprise device lifecycle using Intune, SCCM/MECM, Jamf and Workspace ONE.
  • Support provisioning, enrollment, Windows Autopilot, patching (Windows Update for Business, WSUS, SCCM) and third‑party application updates.
  • Configure identity and access controls in Active Directory and Microsoft Entra ID, including Conditional Access and device compliance.
  • Manage BitLocker encryption, Credential Guard, LSASS protection and certificate‑based authentication.
  • Analyze endpoint telemetry, conduct incident response, perform threat hunting with KQL and map findings to MITRE ATT&CK.
  • Develop PowerShell automation scripts and integrate with Microsoft Graph and EDR APIs.

Required profile

  • Bachelor’s degree in Computer Science, Cybersecurity, IT or a related field.
  • 3–6+ years of hands‑on experience securing Windows and macOS endpoints.
  • Strong understanding of networking fundamentals (TCP/IP, DNS, DHCP, proxy, VPN).
  • Experience with security frameworks, hardening guides and compliance standards.

Required skills

  • Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne
  • Attack Surface Reduction, Controlled Folder Access, exploit mitigation
  • Windows Defender Firewall, AppLocker, WDAC
  • CIS Benchmarks, Microsoft Security Baselines
  • Group Policy, ADMX, Windows LAPS
  • Microsoft Intune, SCCM/MECM, Jamf, Workspace ONE, Windows Autopilot
  • Windows Update for Business, WSUS, patch management
  • Active Directory, Microsoft Entra ID, Conditional Access
  • BitLocker, Credential Guard, LSASS protection, PKI
  • Sysmon, Windows Event Logs, Microsoft Defender advanced hunting
  • KQL, MITRE ATT&CK framework
  • PowerShell scripting, Microsoft Graph API
  • Basic Python scripting (advantage)

Frequently asked questions

The salary is not publicly disclosed by the recruiter. You can apply and negotiate directly with Cyberr®.
Click "Apply now" at the top of the page. You can import your CV in one click: Jobiglo automatically extracts your information and applies for you.


Published 1 hour ago

Expires 1 month from now
