
Senior Purple Team Engineer / Lead (Blue Focused)

DreesSommerSE

Málaga, AN, Spain | Hybrid | Permanent

Posted: April 10, 2026


Quick Summary

We are seeking a Senior Purple Team Engineer / Lead (Blue Focused) who is passionate about creating innovative and sustainable solutions.

Job Description

Creating a future worth living for future generations gets us out of bed every morning. Depending on the project, we are consultants, implementers, or both for sustainable, innovative and economical solutions for real estate, industry, energy and infrastructure. Our more than 6,000 employees at 63 locations worldwide support our customers in interdisciplinary teams. Our thinking is both visionary and realistic. We work independently and as part of a team. With passion and the latest technologies. We unite. Join us at Dreso and let’s create a world we want to live in.

We are seeking a Senior Purple Team Engineer to design, execute, and continuously improve adversary‑focused security validation across our enterprise environment. This role sits at the intersection of Red Team and Blue Team, with a strong defensive (Blue Team) bias, ensuring that offensive findings are systematically translated into measurable detection, response, and prevention improvements. Opportunities for external consulting are included.

The successful candidate will lead purple team activities end‑to‑end—from threat modeling and attack simulation to detection engineering, incident response tuning, and executive‑level reporting—while working closely with SOC, IT Operations, and GRC stakeholders.

This role is hands‑on, technically deep, and outcome‑driven, with a strong expectation of real‑world attack execution and production‑grade defensive improvement.

Key Responsibilities

Purple Team & Adversary Simulation

• Plan and execute purple team exercises aligned to real‑world threat actors (e.g., ransomware groups, APT tradecraft, insider threat).
• Design attack scenarios mapped to MITRE ATT&CK, covering initial access, persistence, lateral movement, privilege escalation, command‑and‑control, and exfiltration.
• Coordinate with Red Team and external penetration testing vendors to ensure tests are safe, controlled, and detection‑focused.
• Translate offensive findings into clear, prioritized defensive improvements with measurable outcomes.

Blue Team / Defensive Engineering (Primary Focus)

• Develop and tune SIEM detections, analytics rules, and alerts based on attack simulations and real incidents.
• Build and optimize Microsoft Sentinel analytics, KQL queries, workbooks, and automation rules.
• Improve Defender XDR detections across:
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Defender for Cloud Apps

• Validate alert quality, reduce false positives, and improve signal‑to‑noise ratio.
• Support and enhance incident response playbooks, escalation paths, and response automation.

Incident Response & DFIR Integration

• Act as a senior escalation point during security incidents, especially those involving active attacker behavior.
• Support digital forensics and incident response (DFIR) investigations on Windows and Linux endpoints.
• Use DFIR tools and platforms (e.g., Velociraptor) for threat hunting, artifact collection, and timeline analysis.
• Feed incident lessons learned back into detection engineering and preventive controls.

Threat Hunting & Detection Validation

• Conduct hypothesis‑driven threat hunts based on attacker tradecraft and threat intelligence.
• Validate coverage of detections against known TTPs and identify detection gaps.
• Continuously assess control effectiveness across endpoint, identity, cloud, and SaaS environments.
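The detection validation and gap identification described in the Purple Team and Threat Hunting sections above produce one concrete artifact after every exercise: a coverage scorecard that says, per executed technique, whether the SOC alerted, whether telemetry existed but no rule fired, or whether nothing was recorded at all. The following is an added example of that scorecard logic, not code from the job posting or from Drees & Sommer. The exercise log, the alert list and the alert names are constructed sample data; the ATT&CK technique and tactic names are real identifiers, and the triage outcomes are hypothetical.

```python
"""Purple team coverage scorecard (added example, not part of the posting).

Given the ATT&CK techniques executed during an exercise and the alerts the
SIEM/XDR raised in the same window, classify each technique as detected,
telemetry-only (logged, but no rule fired on the test) or missed (no log
source recorded it), roll the result up per tactic, and order the gaps so
that logging fixes come before rule writing.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Execution:
    technique: str   # ATT&CK technique ID, e.g. "T1003.001"
    tactic: str      # ATT&CK tactic the step was mapped to in the plan
    test: str        # name of the atomic / emulation step that was run
    telemetry: bool  # did the expected log source record the action?


@dataclass(frozen=True)
class Alert:
    name: str            # hypothetical analytics rule name
    technique: str       # technique tag on the rule
    true_positive: bool  # analyst triage: did it fire on *our* test action?


# Constructed exercise log: one ransomware-style chain, initial access to exfil.
EXECUTIONS = [
    Execution("T1566.001", "Initial Access", "phish with macro attachment", True),
    Execution("T1059.001", "Execution", "encoded PowerShell download cradle", True),
    Execution("T1547.001", "Persistence", "Run key persistence", True),
    Execution("T1003.001", "Credential Access", "LSASS dump via comsvcs.dll", True),
    Execution("T1021.002", "Lateral Movement", "admin share copy + remote service", True),
    Execution("T1071.001", "Command and Control", "HTTPS beacon to test C2", False),
    Execution("T1048.003", "Exfiltration", "HTTP POST of archive to test server", False),
]

# Constructed alerts observed in the SIEM during the exercise window.
ALERTS = [
    Alert("Suspicious encoded PowerShell", "T1059.001", True),
    Alert("Suspicious encoded PowerShell", "T1059.001", True),
    Alert("LSASS memory access by unusual process", "T1003.001", True),
    # Fired on an admin's tooling at the same time, not on the test: a false
    # positive that must NOT count as coverage for T1547.001.
    Alert("Registry Run key modified", "T1547.001", False),
    Alert("Remote service creation", "T1021.002", True),
]


def classify(executions, alerts):
    """Return {technique: status}, status in {'detected', 'telemetry_only', 'missed'}."""
    hits = {a.technique for a in alerts if a.true_positive}
    result = {}
    for ex in executions:
        if ex.technique in hits:
            result[ex.technique] = "detected"
        elif ex.telemetry:
            result[ex.technique] = "telemetry_only"
        else:
            result[ex.technique] = "missed"
    return result


def tactic_coverage(executions, alerts):
    """Per-tactic detection rate: detected techniques / executed techniques."""
    status = classify(executions, alerts)
    totals, detected = defaultdict(int), defaultdict(int)
    for ex in executions:
        totals[ex.tactic] += 1
        detected[ex.tactic] += status[ex.technique] == "detected"
    return {t: detected[t] / totals[t] for t in totals}


def false_positive_rate(alerts):
    """Share of alerts in the window that triage judged not to be the test action."""
    if not alerts:
        return 0.0
    return sum(not a.true_positive for a in alerts) / len(alerts)


def prioritized_gaps(executions, alerts):
    """Gaps as (technique, tactic, status), 'missed' first: no telemetry means
    no rule can help until the log source is fixed, so those come before
    'telemetry_only' gaps, which only need detection engineering."""
    status = classify(executions, alerts)
    order = {"missed": 0, "telemetry_only": 1}
    gaps = [ex for ex in executions if status[ex.technique] != "detected"]
    gaps.sort(key=lambda e: order[status[e.technique]])  # stable: keeps chain order
    return [(ex.technique, ex.tactic, status[ex.technique]) for ex in gaps]


if __name__ == "__main__":
    for tactic, rate in tactic_coverage(EXECUTIONS, ALERTS).items():
        print(f"{tactic:<22} {rate:.0%}")
    print(f"false positive rate: {false_positive_rate(ALERTS):.0%}")
    for technique, tactic, status in prioritized_gaps(EXECUTIONS, ALERTS):
        print(f"GAP {technique} ({tactic}): {status}")
```

Two design points matter in practice. First, an alert only counts if triage confirmed it fired on the exercise action; a rule that happened to fire on unrelated admin activity in the same window is a false positive, not coverage, which is why the Run key alert above leaves T1547.001 as a gap. Second, the two gap classes lead to different owners: a missed technique is a telemetry request to IT or Cloud operations, a telemetry-only technique is a detection engineering ticket for the SOC.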

Vulnerability, Exposure & Control Validation

• Correlate vulnerability data with attacker exploitation paths and real exposure.
• Support and validate remediation prioritization based on exploitability and business impact, not CVSS alone.
• Partner with IT and Cloud teams to validate hardening, logging, and telemetry requirements.

Governance, Reporting & Stakeholder Communication

• Produce clear, executive‑level reporting from purple team exercises (findings, detection gaps, trends, maturity).
• Align purple team outcomes with ISO/IEC 27001, NIS2, and internal ISMS requirements.
• Contribute to security strategy, roadmap planning, and continuous improvement initiatives.
• Mentor junior analysts and engineers across Blue and Red Team disciplines.

Technical Environment & Stack (Required Experience)

Core Platforms

• Microsoft Sentinel (SIEM) – advanced KQL, analytics rules, workbooks, automation
• Microsoft Defender XDR (Endpoint, Identity, Office 365, Cloud Apps)
• Microsoft Entra ID (Azure AD) – identity attacks, logs, conditional access abuse
• Microsoft Purview – audit logs, investigations (desirable)
• Azure – logging, resource telemetry, cloud attack paths

DFIR & Threat Hunting

• Endpoint forensics (Windows & Linux)
• Velociraptor or equivalent DFIR tooling
• Memory, disk, and log‑based investigations
• Threat intelligence integration and ATT&CK mapping

Offensive Tooling & Techniques

• Adversary emulation frameworks (e.g., Atomic Red Team, CALDERA)
• Penetration testing and red team tooling (e.g., C2 frameworks, credential abuse, living‑off‑the‑land techniques)
• Social engineering awareness (technical validation focus; not marketing‑style phishing)

Scripting & Automation

• PowerShell (advanced)
• Python (working knowledge)
• Automation of testing, detection validation, and response workflows

Required Experience

• 7–10+ years in cybersecurity with proven experience across both Blue Team and Red Team roles
• Demonstrated hands‑on detection engineering and incident response experience
• Experience running or leading purple team exercises in enterprise environments
• Strong understanding of real‑world attacker behavior, not just theoretical frameworks
• Experience operating in regulated or compliance‑driven environments (ISO 27001, GDPR, NIS2)

Certifications (Strongly Preferred / Required)

Offensive / Red Team

• OSCP / OSEP / OSCE / OSWE
• CRTO / CRTO II
• Equivalent advanced red team certifications

Defensive / Blue Team

• GCED / GCIA / GCIR or equivalent
• Microsoft Security certifications (Sentinel, Defender, XDR)
• Advanced SIEM / SOC certifications

Governance / Architecture (Valuable)

• CISSP (or ISSAP concentration)
• CISM / CRISC
• ISO/IEC 27001 Lead Implementer or Lead Auditor

What We Offer

• To support your work-life balance, we offer the option of mobile working
• We promote your professional and personal development through individual training and further education at the Drees & Sommer Academy
• We support your health with a bonus for sports enthusiasts and offer the option of subscribing to a private health insurance policy
• Employees benefit from tax advantages on commuting expenses to the office
• Tax advantages on employee meal expenses during working hours
• Employee referral program with an attractive bonus scheme
• Support for career and family through tax benefits on kindergarten expenses
