Lead Cloud Security Architect

Title: Lead Cloud Security Architec

Location: Onsite (Contract-to-hire)
Compensation: $90-130/hour

Overview

We are seeking a hands-on Lead Cloud Security Architect to lead and execute security strategy for an Azure-based environment. This role combines technical depth with leadership responsibility, owning cloud security architecture, operations, threat detection, and incident response while guiding other members of the team. The ideal candidate is deeply experienced in Microsoft's security stack.

Responsibilities

Responsibilities

• Architect, implement, and lead day-to-day security operations across a cloud-native Microsoft Azure environment

• Remain hands-on with security monitoring, threat detection, investigation, and incident response

• Design and enforce identity-first security models using Microsoft Entra ID, Conditional Access, MFA, and Privileged Identity Management (PIM)

• Harden Azure resources and workloads using security best practices and Microsoft Defender recommendations

• Perform and remediate findings from security risk assessments, vulnerability scans, and penetration tests

• Implement and optimize Microsoft Sentinel (SIEM/SOAR) for log ingestion, correlation, threat hunting, and automated response

• Oversee endpoint and mobile security, including Windows 11 and third-party devices in a BYOD environment

• Evaluate, integrate, and govern third-party security tools and controls within the Microsoft security ecosystem

• Partner with IT, engineering, and leadership teams to ensure security is embedded into cloud architecture and operations

Required Qualifications

• Proven experience securing enterprise-scale Microsoft Azure environments

• Deep expertise in cloud threat detection, incident response, and SOC operations

• Strong background in identity and access management

• Hands-on experience with endpoint, mobile device, and BYOD security strategies

• Experience conducting vulnerability assessments, security testing, and risk remediation

• Strong understanding of cloud networking, secure connectivity, and encryption technologies

Required Microsoft / Azure Security Expertise

• 100% Microsoft Azure-based environments

• Hands-on experience enabling, configuring, and operating:

• Microsoft Sentinel (SIEM & SOAR)

• Microsoft Defender for Cloud

• Microsoft Defender for Endpoint

• Microsoft Defender for Office 365

• Advanced configuration of:

• Azure Policy and governance controls

• Microsoft Defender for Cloud workload protection plans (Web Application Gateway/WAF, Key Vault, Dev

Ops, SQL, etc.)

• Conditional Access policies and identity-based security controls

• Threat hunting and incident response using Microsoft Sentinel and Defender, including alert correlation and automated playbooks

• Hardening Azure resources following Microsoft security benchmarks and best practices

• Conducting regular security assessments, vulnerability scans, and penetration testing across Azure infrastructure

• Experience securing and monitoring:

• Entra ID (Azure AD)

• NSGs, MFA, PIM

• Azure Key Vault

• SQL and cloud-native workloads

• ADFS, WAP (where applicable)

• Centralizing logs and enabling advanced threat hunting by integrating Defender for Cloud with Microsoft Sentinel

• Reviewing and assessing third-party security solutions related to:

• Identity and Access Control

• Compliance monitoring and remediation

• MFA and Single Sign-On (SSO)

• Experience with Microsoft Purview, including Insider Risk Management

• Endpoint and device management using Microsoft Intune

Additional Experience (Preferred)

• Cyber breach and enterprise incident response leadership

• SOC-driven incident response and escalation

• Securing Windows 11 and third-party devices in a BYOD model

• Mobile device security for BYOD environments

• Network security design and implementation

• VPN technologies and secure remote access

• Encryption and key management technologies

• Entra ID-only environments (no on-prem Active Directory or internal DNS dependency)

• Certificate lifecycle and key management

• External DNS management

Determining compensation for this role (and others) at Vaco/Highspring depends upon a wide array of factors including but not limited to the individual's skill sets, experience and training, licensure and certifications, office location and other geographic considerations, as well as other business and organizational needs. With that said, as required by local law in geographies that require salary range disclosure, Vaco/Highspring notes the salary range for the role is noted in this job posting. The individual may also be eligible for discretionary bonuses, and can participate in medical, dental, and vision benefits as well as the company's 401(k) retirement plan.

Additional disclaimer:

Unless otherwise noted in the job description, the position Vaco/Highspring is filing for is occupied. Please note, however, that Vaco/Highspring is regularly asked to provide talent to other organizations. By submitting to this position, you are agreeing to be included in our talent pool for future hiring for similarly qualified positions. Submissions to this position are subject to the use of AI to perform preliminary candidate screenings, focused on ensuring minimum job requirements noted in the position are satisfied. Further assessment of candidates beyond this initial phase within Vaco/Highspring will be otherwise assessed by recruiters and hiring managers. Vaco/Highspring does not have knowledge of the tools used by its clients in making final hiring decisions and cannot opine on their use of AI products.
Equal Opportunity Notice

Highspring LLC (d/b/a Vaco by Highspring) and its parents, affiliates, and subsidiaries ("we," "our," or "Vaco by Highspring") are committed to the full inclusion of all qualified individuals and does not discriminate against any employee or applicant for employment because of race (including but not limited to traits historically associated with race such as hair texture and hair style), color, sex (includes pregnancy or related conditions), religion or creed, national origin, citizenship, age, disability, status as a veteran, union membership, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, political affiliation, or any other protected characteristics as required by applicable law. The company is also committed to ensuring that persons who need them are provided with reasonable accommodations; if an accommodation is needed to participate in the job application or interview process, please contact HR@vaco.com .

Vaco by Highspring also wants all applicants to know their rights that workplace discrimination is illegal.

Representation Notice

By submitting to this position, you agree that you will be giving Vaco by Highspring the exclusive right to present your as a candidate for the foregoing employment opportunity. Additionally, you agree to be included in our talent pool for future hiring for similarly qualified positions. You further agree that you have represented information about yourself accurately and have not affirmatively misrepresented your qualifications. Lastly, you agree to maintain as confidential, to the fullest extent permitted by law, any information you learn from Vaco by Highspring about the position and you will limit disclosure of information about the position only to the extent necessary to perform any obligations in furtherance of your application. In exchange, Vaco by Highspring agrees to exercise reasonable efforts to represent you through all solicitation, job screening and resume dispersal.

For residents of Ontario, Canada only: to the extent the position for employment is not with Highspring or not otherwise noted as vacant above, candidate should be informed that this role is to replace a presently employed person at Vaco by Highspring's client.

Privacy Notice

Vaco by Highspring respects your privacy and are committed to providing transparent notice of our policies.

• California residents may access Vaco by Highspring HR Notice at Collection for California Applicants and Employees here.

• Virginia residents may access our state specific policies here.

• Residents of all other states may access our policies here.

• Canadian residents may access our policies in English here and in French here.

• Residents of countries governed by GDPR and UK GDPR may access our policies here.

Additionally, submissions to this position are subject to the use of AI to perform preliminary candidate screenings, focused on ensuring minimum job requirements noted in the position are satisfied. More details about Vaco by Highspring's use of AI can be found here (https://www.highspring.com/ai-use-notices/). Further assessment of candidates beyond this initial phase will be conducted by recruiters and hiring managers. Vaco by Highspring does not know and cannot opine on if its client's use of AI products in hiring.

Pay Transparency Notice

Determining compensation for this role (and others) at Vaco by Highspring depends upon a wide array of factors including but not limited to:

· the individual's skill sets, experience and training;

· licensure and certification requirements;

· office location and other geographic considerations; and

· other business and organizational needs.

With that said, as required by local law, Vaco by Highspring believes that the following salary range referenced above reasonably estimates the base compensation for an individual hired into this position in geographies that require salary range disclosure. The individual may also be eligible for discretionary bonuses and/or participation in medical, dental, and vision benefits as well as the company's retirement plan (or similar retirement benefits).